eeff87f3b345b9b42f721cfdd82fa81e229c7599ef4a24d3af914e2740a7a44c

Analysis

max time kernel
157s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231121-15-Lokibot-a3aaf4.exe
Size

472KB
MD5

083b1af53ba0a7406195f5a592c8097e
SHA1

a3aaf49572e6981a7d2536abb2ed3ee5f3d2390b
SHA256

e7ec3396aede8095c2c834212499f1dccb475d7456f20043325518503de83f49
SHA512

68f773bcbcda347a2475a5191fce5b607ae6552a3b151e4a20c53289528d0102ebad0fa38ec069aee5af5c945120c8ad2d96928400dead8c347d5f115f393a21
SSDEEP

12288:oytsJ8EzmvCe9esuvMfRD9KrknDk1I8sCtNfPvHoAx7HAVnM:5qeCILnD98rLPvoAFHAlM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2772 schtasks.exe

pid	process
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

231121-15-Lokibot-a3aaf4.exepowershell.exepowershell.exe

pid	process
2792	231121-15-Lokibot-a3aaf4.exe
2716	powershell.exe
2636	powershell.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe
2792	231121-15-Lokibot-a3aaf4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

231121-15-Lokibot-a3aaf4.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2792	231121-15-Lokibot-a3aaf4.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

231121-15-Lokibot-a3aaf4.exe

description	pid	process	target process
PID 2792 wrote to memory of 2716	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2716	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2716	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2716	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2636	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2636	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2636	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2636	2792	231121-15-Lokibot-a3aaf4.exe	powershell.exe
PID 2792 wrote to memory of 2772	2792	231121-15-Lokibot-a3aaf4.exe	schtasks.exe
PID 2792 wrote to memory of 2772	2792	231121-15-Lokibot-a3aaf4.exe	schtasks.exe
PID 2792 wrote to memory of 2772	2792	231121-15-Lokibot-a3aaf4.exe	schtasks.exe
PID 2792 wrote to memory of 2772	2792	231121-15-Lokibot-a3aaf4.exe	schtasks.exe
PID 2792 wrote to memory of 2140	2792	231121-15-Lokibot-a3aaf4.exe	231121-15-Lokibot-a3aaf4.exe
PID 2792 wrote to memory of 2140	2792	231121-15-Lokibot-a3aaf4.exe	231121-15-Lokibot-a3aaf4.exe
PID 2792 wrote to memory of 2140	2792	231121-15-Lokibot-a3aaf4.exe	231121-15-Lokibot-a3aaf4.exe
PID 2792 wrote to memory of 2140	2792	231121-15-Lokibot-a3aaf4.exe	231121-15-Lokibot-a3aaf4.exe
PID 2792 wrote to memory of 2140	2792	231121-15-Lokibot-a3aaf4.exe	231121-15-Lokibot-a3aaf4.exe

C:\Users\Admin\AppData\Local\Temp\231121-15-Lokibot-a3aaf4.exe
"C:\Users\Admin\AppData\Local\Temp\231121-15-Lokibot-a3aaf4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\231121-15-Lokibot-a3aaf4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aDHvfHJuXcrYef.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDHvfHJuXcrYef" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB4FD.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\231121-15-Lokibot-a3aaf4.exe
  "C:\Users\Admin\AppData\Local\Temp\231121-15-Lokibot-a3aaf4.exe"
  2⤵
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB4FD.tmp

Filesize
1KB

MD5
8b1f8183d064c47baab78158c368ca96

SHA1
dc81c79b9d54b0246cda3421a9070d77e7f6b969

SHA256
f67ec0b515340baa8ed4c46c0918abd8b10a0293875017b086708e5e906e869d

SHA512
50a732a9f5c3c5a968d655ba3b28860edd754aa215331cb18962dc514beb8e1064f1b9e4ac9d0a0b1ed3928ef212c8afe5154c72fceeb6a52509e5d9b77dbfa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0CEGPM7IUEYBEZMPD6IV.temp

Filesize
7KB

MD5
568577493a0a90f3201dc421459f9fe3

SHA1
b1b07c7d6229433aff33d204a545181adc1a7bee

SHA256
863f6976c2737ce6ca76b98bb852db6046bc8e79a759e16887723c787eae64d5

SHA512
058668950deb6a0ba52b4487138e3d04aa1e766cbc0d1c4a93982d89b30e001922466a4d92c374199ec833bf499e3f4bd4c284b43c43b3861ee984c8832737fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
568577493a0a90f3201dc421459f9fe3

SHA1
b1b07c7d6229433aff33d204a545181adc1a7bee

SHA256
863f6976c2737ce6ca76b98bb852db6046bc8e79a759e16887723c787eae64d5

SHA512
058668950deb6a0ba52b4487138e3d04aa1e766cbc0d1c4a93982d89b30e001922466a4d92c374199ec833bf499e3f4bd4c284b43c43b3861ee984c8832737fd

Download Submit
memory/2140-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2140-20-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2636-36-0x000000006BB70000-0x000000006C11B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-26-0x000000006BB70000-0x000000006C11B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-34-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2636-27-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2636-30-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2716-32-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2716-29-0x000000006BB70000-0x000000006C11B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-28-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2716-31-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2716-25-0x000000006BB70000-0x000000006C11B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-35-0x000000006BB70000-0x000000006C11B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-6-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2792-23-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-7-0x0000000000730000-0x000000000078A000-memory.dmp

Filesize
360KB

Download
memory/2792-0-0x0000000000D10000-0x0000000000D8C000-memory.dmp

Filesize
496KB

Download
memory/2792-5-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/2792-4-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2792-33-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2792-3-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2792-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/2792-1-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-37-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download