Overview

overview

10

Static

static

1

425ef5b31a...b.docx

windows7-x64

10

425ef5b31a...b.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    139s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 09:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.docx

  • Size

    16KB

  • MD5

    58fa856ae520dc6c6e47f4b459e2de5b

  • SHA1

    89c76a3bcb6a83cb1b343f5ea03cfc2da2214e97

  • SHA256

    425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb

  • SHA512

    9f7f17693948a76f679bc076464e4c71408a3dc6a31b14861eed0fe987032ef9a1402c34ab8905aa31d3e373c4f50ac5148a121ca3e4498cb7fd31786318acd3

  • SSDEEP

    384:IyXnXK3Wgs8PL8wi4OEwH8TIbE91r2fRcJYzviML2nkPt:Icnyb5P3DOqnYJamvtL2nkF

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://alphabetllc.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:540
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Roaming\alpha73882.scr
        "C:\Users\Admin\AppData\Roaming\alpha73882.scr"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\alpha73882.scr"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:668
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xaFodrmIsC.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1724
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xaFodrmIsC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:1716
        • C:\Users\Admin\AppData\Roaming\alpha73882.scr
          "C:\Users\Admin\AppData\Roaming\alpha73882.scr"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      5563b3a80c29851fdc23ac15a51f4465

      SHA1

      c396ab4b7021d35191755a236058bea7eca8dc6b

      SHA256

      da725244df230f451bb9e10e719b618a618245474a9fd9907303c6a1b4306283

      SHA512

      61893b080c2f677ac700eb4a1ae8d4200a413ef57045261a4192ad1908bff8d4ec6d7cd6e3faeca0e7bf1fe28c9348081653b56d2d31bc8aa747bdea9d4ddf18

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      724B

      MD5

      8202a1cd02e7d69597995cabbe881a12

      SHA1

      8858d9d934b7aa9330ee73de6c476acf19929ff6

      SHA256

      58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

      SHA512

      97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      90c32f0cb675a4cc397e5d23b88d3883

      SHA1

      38f9743dca002d8f327723de7024c4b58f2333f0

      SHA256

      f3a8390a0b89211c0162d0c57a953b06efcb8fd2488daf163c882a8a1349de94

      SHA512

      85f42e1a77a93a1876d686955256e1badae205b5a399c073406315ab12d6039a262573cf11e7f861334b9ef32917e21abc30e41a3971b212b04698589b10ae39

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      845f5cd9f393b07ab3f33584d95208bc

      SHA1

      5f8143a69955b366577dcb740e8ea075c3593ccc

      SHA256

      d8753d975ca12f00dd104bd6984ff5325ef53f3fae54fc5590878d418250a892

      SHA512

      a2a5a118906f0918dcbae2dcd21d19b94a0e4298224e1b26f289cf89c20b0e7a7b4e631d784f259bcb6239d929136e15f53e395946d0969e24b5bdc367e688a1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
      Filesize

      392B

      MD5

      646f56c18450b0d12807c1797b96fb34

      SHA1

      2421b4de315943e3caf8740ba10cd710826ace86

      SHA256

      9e31013cde01c922d4af928157d323066af3ba87325a4856d88ae0b1bd82fad4

      SHA512

      8949cac3de918b479962cdd789c44fd8c33bfe8d85c7545aac9053c6191308ee47228e97fcabe834880baba5df5773959add2b973d808b5cc4b863e9c0a0ade9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{A74EEB82-E2C7-401D-B80F-61BE15E846EF}.FSD
      Filesize

      128KB

      MD5

      9324d4b05192e78eea60041cb28e1a82

      SHA1

      e7e84ba33ef81d5417905b0f6bb690eecd086b47

      SHA256

      d818220a780dd3845ccf300d28752440b3756193f232c8dbd58e869cee203977

      SHA512

      edb60e676b47cd3eb501fcc9f9c74f0397a321a5b44eb6e9dcb41557c77a57b8495147ab90940896c04fb01d0a8dcdee6846b98ad52f7d055e62766ca12334f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      91de291d841d16178399e5aec45ed0b2

      SHA1

      bcee644ff0df9c5733aa2e050c9e1348094dfa24

      SHA256

      3a546fc233731fc266d781ff740b5c90e490f23c3c255adc2d5ca55c52fcb19a

      SHA512

      9e479c43913d15b19d24300b9efe90cfb0a287b35f482509781edd9df81ec63cbba7c1b8fc6d4192e252eae9031a4c0d7e00ea15316d8947506fa0bbfd8ce134

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{1392C8B6-E5D1-48BB-8E59-EA4CF186305D}.FSD
      Filesize

      128KB

      MD5

      6134b4355496a65643f5553762ddd738

      SHA1

      fe5db9e0b06c5f2474b96a0522d61774ba272714

      SHA256

      de8cb7f401c7c50a90e96ca4d203c0c09f54682867d60219b95cc02b65537647

      SHA512

      89c8b1534a819baba0ed72674f094179192fd85c01d3ed2b6d17eb0c86f7711524e2b249ecdce632152c6c0a9b97fdfe6ed3541a4044f25b27d7955564c196b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\alpha[1].doc
      Filesize

      421KB

      MD5

      4447ab2143a08d8b67f131c4cbd9c316

      SHA1

      d2eb154acb987942e6bcaafe2400b7f3926f0422

      SHA256

      f743a86539017023aae3ea9c35d42f092b42dc9ea8bc90154e4b88c6f57fd1f1

      SHA512

      0ae047e0e08cf5ad18497a1da997fcfd3b0b78ed07c5b9f9f42bfb556a7a85288692c227f724df8e87a619945eae5058fbf90bfadaff38e9f30472259da82ddc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab20CA.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp
      Filesize

      1KB

      MD5

      c041d8a55afeb761806a976707231039

      SHA1

      ade09c90fb336918374b744b517ac24d553d2b91

      SHA256

      5896bf2595f785a978ffdcff295ce5a15c47eb0f696d35413fe95d19390be624

      SHA512

      2babfb00d30bba4aa4a2669df2fb471c8c238333a1501cb2bf66270f91e64670e566a745ef36c0b90a3b44e7916619c19bc112bd6fba4d56318a0ece08578e18

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{C613C07C-AA69-4BBC-9A96-822D5B858861}
      Filesize

      128KB

      MD5

      7d085d77ae7f5ec38e39500b59fdc521

      SHA1

      ca21c35479b524a7ac62921ffd88063cac40f34c

      SHA256

      66415ed8c7484b54c63a188943b017d6db57711ee5897c6fb6ab1cda44b8cebf

      SHA512

      e83cf4048b269b9a532a93e1b204d214a9e089805be1e3d509212216b05db981f316fb7737baa8cef8a0a4fc271c0d5d4670bbe29397452ae6225867e3068f85

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      a84ead6ef0e6432a98c64119f15385bd

      SHA1

      fa2d1adcad4bbcab084bfdfe51eb7144da06175c

      SHA256

      25cc17c7092afadccc5f8c423199c3e6c9ce75f7e6458c19951c199ddd0f4ca4

      SHA512

      c3fa5144ec1defb03fbe0c0d534081da4b8123c1ac50e04b4cbd0aba461d5c4be0e973c403664858d917ef040c2522843b58607d6738e01e41514a461144d166

      Download Submit

    • \Users\Admin\AppData\Roaming\alpha73882.scr
      Filesize

      579KB

      MD5

      9077f5266ac853566779a80d08baefe5

      SHA1

      b6acf7eb2ed2202754cdc38eb98275f286a7aa2b

      SHA256

      91a9acd38a970ddf7fe35f9477d415e9b9befc760c85a4f8e15b045b42a9d689

      SHA512

      21ea3f031607fc6f824746681db019a500a1ef5b8b84364e7157d5237457d6a8d80d7e63d358876219a17e2be59de5494a0acf55da120000582fd84138c025a7

      Download Submit

    • memory/1664-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1664-2-0x00000000712AD000-0x00000000712B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1664-187-0x00000000712AD000-0x00000000712B8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1664-0-0x000000002F641000-0x000000002F642000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-128-0x00000000005B0000-0x00000000005D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1808-140-0x0000000000C10000-0x0000000000C72000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1808-122-0x0000000000C70000-0x0000000000D02000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1808-139-0x0000000000250000-0x0000000000260000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3032-164-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-159-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-157-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-155-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-153-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3032-161-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-185-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-166-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3032-195-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download