Analysis Overview
SHA256
3bab54a2bc096159964f2ddbcce93437dd97f3d9e00bca81dc37d5938afebe99
Threat Level: Known bad
The file 3bab54a2bc096159964f2ddbcce93437dd97f3d9e00bca81dc37d5938afebe99 was found to be: Known bad.
Malicious Activity Summary
Lokibot
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 13:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 13:36
Reported
2024-04-17 13:40
Platform
win7-20240221-en
Max time kernel
205s
Max time network
46s
Command Line
Signatures
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe
"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tLWNXdp.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tLWNXdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B22.tmp"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 63e732a96c9c3546f69d2cc3849b2d97 |
| SHA1 | 235213fd843192720848c2fc6a6a2c10e673cddb |
| SHA256 | 219ebd91f85fba608c3004e47eca2580f86b9955b4f2588301979b954c2393be |
| SHA512 | 17f3946cf6987ce11f6852898c37c1a27ffb6ca7dfe6c1149fea5de976a8479d470e75c1f22d6e124ee3ce487c2554c457568819365701c1426f2fd2521e5c61 |
C:\Users\Admin\AppData\Local\Temp\tmp6B22.tmp
| MD5 | b694b62ad09cc303ddbe614b20935e93 |
| SHA1 | c0b63ab11869dc79964f415660a7fd5ada197591 |
| SHA256 | dc62bf68c317462c90284730b6fd88f96cc217721283916116fcb110b284963f |
| SHA512 | 7ef2fc087a83ac261d501e611833e8229608583c840cbbbab1f87faf2fcaeda67942143eb0a9c316bea152fc958216d2ba1673b1a04b5c495d168ffeafcd23e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-17 13:36
Reported
2024-04-17 13:39
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
Lokibot
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3192 set thread context of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe | C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe
"C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tLWNXdp.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tLWNXdp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp"
C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe
C:\Users\Admin\AppData\Local\Temp\ed0060d90610311944437da9ecc113e293b2800b903e5617b115d5bc48c379bd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1qrazjo.qof.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp
| MD5 | 20ab84e669198b9e93d3603f116c27e0 |
| SHA1 | 610dcdc6e7e14cb8dc272d59ac713cee25822bc9 |
| SHA256 | f1babbd4f160778d2fa2faa959bddea1d4c18c1da9cc6b3e6df3e331a555c57d |
| SHA512 | 057b78ee9da31a52c9c969682db1b53e802ed0f67f992202b06260e81f04c9fa85a0f0600cc67336ca5a0fd1368cec87fc13bb8c26799b304387ef5289be7a17 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |