Malware Analysis Report

2025-04-03 09:47

Sample ID 240330-wc3khaah8v
Target 7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.zip
SHA256 823266766e404bba77e7b98721cc503cbf6bfb2b6303c1b1c4c9f23a3ccc9ec2
Tags
lokibot spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

823266766e404bba77e7b98721cc503cbf6bfb2b6303c1b1c4c9f23a3ccc9ec2

Threat Level: Known bad

The file 7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.zip was found to be: Known bad.

Malicious Activity Summary

lokibot spyware stealer trojan

Lokibot

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 17:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 17:47

Reported

2024-03-30 17:50

Platform

win7-20240221-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2976 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\schtasks.exe
PID 2976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\schtasks.exe
PID 2976 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\schtasks.exe
PID 2976 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2976 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2976 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 2976 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

"C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGZscboXVnu.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGZscboXVnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11EB.tmp"

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Network

N/A

Files

memory/2976-0-0x0000000000210000-0x000000000029C000-memory.dmp

memory/2976-1-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2976-2-0x000000001BDE0000-0x000000001BE60000-memory.dmp

memory/2976-3-0x0000000000410000-0x000000000042A000-memory.dmp

memory/2976-4-0x0000000000430000-0x0000000000442000-memory.dmp

memory/2976-5-0x0000000000440000-0x0000000000450000-memory.dmp

memory/2976-6-0x000000001B3B0000-0x000000001B410000-memory.dmp

memory/2976-7-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp11EB.tmp

MD5 a71c60f0857fcae16844b76282e18857
SHA1 18094387e04150e11471dcff56cda7278f858608
SHA256 0c130fcc7814372a8f342459cc63726fe53f9092b28d645b8b5b5a018b3f0b87
SHA512 f69dfa1a2e9abc91758bcb247636c809e16eab31f298035b50df0198d77830f0c05fe2e1025909675f3027579d8852bc9543680c1fdb45c3ecf9e7870c06adb5

memory/2452-17-0x000000001B310000-0x000000001B5F2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OUE4C179U8EBYS8PJMDL.temp

MD5 6b66e48609639471b0d73b8eb98c58c9
SHA1 44635e8a19b0a231112ec305d24b79eff8ad0a62
SHA256 2a4a645f93ed1f7146aadc0b98d4a56d9e7ae3751eb134b4c4d37ce6b941895b
SHA512 a32ba078c2466f2c919e77ba28cec7c0eecd3b0f1f552d1f2cef645bb51e87d5b67e49a56cb15eba60c9196e176d43a988d3e2b19af83f4c5ec6c829074fdc81

memory/2452-23-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2976-24-0x000000001BD60000-0x000000001BE02000-memory.dmp

memory/2772-25-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

memory/2976-29-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/2452-28-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

memory/2452-30-0x0000000002AB0000-0x0000000002B30000-memory.dmp

memory/2452-31-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

memory/2452-32-0x0000000002AB0000-0x0000000002B30000-memory.dmp

memory/1644-33-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

memory/1644-34-0x0000000002780000-0x0000000002800000-memory.dmp

memory/1644-35-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

memory/1644-36-0x0000000002780000-0x0000000002800000-memory.dmp

memory/1644-37-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2452-38-0x0000000002AB0000-0x0000000002B30000-memory.dmp

memory/2452-39-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

memory/1644-40-0x000007FEEE2B0000-0x000007FEEEC4D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 17:47

Reported

2024-03-30 17:50

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3216 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 632 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3216 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\schtasks.exe
PID 3216 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Windows\System32\schtasks.exe
PID 3216 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 3216 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe
PID 3216 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe | C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

"C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FGZscboXVnu.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FGZscboXVnu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97AC.tmp"

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

C:\Users\Admin\AppData\Local\Temp\7cc872c2db97ac517a53904af50ad37dd08ca934fd1a48d4ebbd4c593c9cf528.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp

Files

memory/3216-0-0x0000000000520000-0x00000000005AC000-memory.dmp

memory/3216-1-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

memory/3216-2-0x000000001C010000-0x000000001C020000-memory.dmp

memory/3216-3-0x000000001BFD0000-0x000000001BFEA000-memory.dmp

memory/3216-4-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

memory/3216-5-0x000000001BFF0000-0x000000001C002000-memory.dmp

memory/3216-6-0x000000001C000000-0x000000001C010000-memory.dmp

memory/3216-7-0x000000001CE40000-0x000000001CEA0000-memory.dmp

memory/3216-8-0x000000001C010000-0x000000001C020000-memory.dmp

memory/632-13-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp97AC.tmp

MD5 1edeea425e84e9a622fa9e595b2af1fd
SHA1 ab9b8642167ee6deadc6920c20eda79475d4d0d1
SHA256 235fe459da235f83891d1706f0f4134195e08de3d6a91a963a08eeefc96ba527
SHA512 0c3e7c591d12a2ecbbc699b4301e34098a0c7f873d9dba9f2e5749fbbd29d2b514bce2ce105ad5a56fb723d8ba28b50aa5d0a09e3cf4f112477cea8bfc8ab03f

memory/632-15-0x0000020DC7D60000-0x0000020DC7D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtyfb1tc.aao.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/632-16-0x0000020DC7D60000-0x0000020DC7D70000-memory.dmp

memory/3908-29-0x0000026766EC0000-0x0000026766ED0000-memory.dmp

memory/632-28-0x0000020DC7D30000-0x0000020DC7D52000-memory.dmp

memory/3908-17-0x0000026766EC0000-0x0000026766ED0000-memory.dmp

memory/3216-23-0x000000001DA10000-0x000000001DAB2000-memory.dmp

memory/3908-31-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

memory/3216-42-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/632-48-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp

memory/3908-49-0x00007FFCBDFF0000-0x00007FFCBEAB1000-memory.dmp