Overview

overview

10

Static

static

1

QUOTATION.docx

windows7-x64

10

QUOTATION.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION.docx

  • Size

    16KB

  • MD5

    8cf5763fe122359455c73a0f9bd03c7b

  • SHA1

    9c59e9599cce6aa7b022e2238343c9893f281755

  • SHA256

    a7cc664fd3d5a4ee0171191c4be54a26aa9504bdf901dbcdbcde7f63450fb787

  • SHA512

    571ccba3c86ac994fe33de8acf454e7b67b4b914dc791c8a725f0bf4247befb324c77fbe56eb27b3102d677cdfe4b25c6c85f940f7e6e3b62f9b335e66d9de2b

  • SSDEEP

    384:IyXVd8FWss8PL8wi4OEwH8TIbE91r2fRwJYbvi6Zmnaa:IcVoz5P3DOqnYJ+avvZmnz

Score
10/10
lokibotcollectionexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\QUOTATION.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:540
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Roaming\alpha12345.scr
        "C:\Users\Admin\AppData\Roaming\alpha12345.scr"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\alpha12345.scr"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FKmvXQ.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FKmvXQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1868
        • C:\Users\Admin\AppData\Roaming\alpha12345.scr
          "C:\Users\Admin\AppData\Roaming\alpha12345.scr"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      1KB

      MD5

      2365869258df7a66a2121b802ca4afd9

      SHA1

      73acc30a2edeb9d6830de559bb8a74f35168135d

      SHA256

      d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

      SHA512

      795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      436B

      MD5

      1bfe0a81db078ea084ff82fe545176fe

      SHA1

      50b116f578bd272922fa8eae94f7b02fd3b88384

      SHA256

      5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

      SHA512

      37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      174B

      MD5

      9d7ef82062b742dc7da85d6b91d56afa

      SHA1

      fa38d151226dc8b37cf59e69bad875b3d308b8dd

      SHA256

      6bb5cd1d52932630856b8abd062acd1f2c42a0ac2e8f76848d9d9fc1fafb784d

      SHA512

      6197aaaf104221126b41b9b8c4c29a573a0ef1530a1eb4d086f1eb0bb7431880917795ca24a484779cc8188d2658697342b318e6709f590c3d71bfbb8288a62b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      de4744340d8868b1a3b5e3b06a373b97

      SHA1

      ef4926f64fa182ba43264d4a0e6644d5753a61b7

      SHA256

      4e88d2d007ef479eebc4d5055c5cfc4de4341667a23940d9c9f81e91caedab94

      SHA512

      d8354de8a3e4d5cbb292ffca6f6fddd57da868d7343eaad1dfed667b83065d472caf8ae1bff3f21ce8888393b1346d12d36331c0036d6ecdbbf17539363024f6

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      170B

      MD5

      214a31acb520fed6663d6908fc7f0288

      SHA1

      e347cf320adac80256679b71fec0e68d3f47fc37

      SHA256

      78501279fd175b8250b1441c7e38bb268d2a59d0b069df70233eff2d8e17aa60

      SHA512

      68a27ce3c4eb18eed0328f992905ecfc19c90e04c64042d32d66e535a888213dd62f9603f934cf73c2e5a2fb9e57802e26748efaf5880dc5382395b38f8d5e96

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{4A7DA1F0-33F6-4513-8ED1-13835180DE65}.FSD
      Filesize

      128KB

      MD5

      4e9ef744c756621e074d56e21c4c1093

      SHA1

      be8caf31ae37614df14539e22d000a26758fe9e4

      SHA256

      d0a8491f2d6bb7b8f81de5f4e852ca003161304d39c3f05d512616dc5cab4c7f

      SHA512

      1955a42c9e2a5e1f33ba50dff9684a2383acb059364ae0806f2575efdf241831e37694b34266da3b04760557b44df9ac7b61abdc5d45bd18d5e6bcd29e400bf2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      a3ecdfdca1465696413d352c5f6fa645

      SHA1

      990cca251843a2ee1ae6a51a163455c888cb8b20

      SHA256

      edb4e02603aefd341ee8a2f32d367ac7c72e93895468767fd46df80434eed0b7

      SHA512

      6f5cc526745b97d23186ab25d64d959241a354743d09b062202bc4290026c70c8f6c64d0a4295cc5bf2e020630e7b2f837a18cd35b48c1304b20ad397deee562

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{B2AF0382-272D-47BC-87C9-4EF48416D8DA}.FSD
      Filesize

      128KB

      MD5

      87368bfc8ee2413424d46ecd6eb596f9

      SHA1

      19c3d515b2b9ef969928bb01ed93317172335e13

      SHA256

      34e3db1322ffa7fb1b0fea095f6548a888de04abcf0ee6eccd09738cb0190f78

      SHA512

      885125204b391423f5ad2124a0406a7e35862a82f7168baef34cb4ae77f2e1d821e6e837f8cbc1b782b06a19b3b18b49d6456468eb513131b28ac1ef604a9c13

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\alpha[1].doc
      Filesize

      530KB

      MD5

      835cb8595673f4322a8f661d80298e34

      SHA1

      196ac425a86f78e823b9540390ae2c9c5418a19f

      SHA256

      4c6f70966e8252fa390e9cd62fd382e6cded38f3334790f0d57f8ee87a229829

      SHA512

      70e930a9fb2d3dff8290b8435d545a21ecb69b88fb361cc52b8544b1b8ea7d12506068464418cddb864ed48c9b25b6e8e69fd33dbe18c6a6844e609ec463d375

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab2AA9.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp
      Filesize

      1KB

      MD5

      7da0d8c4d662588f90bd25548715699f

      SHA1

      9110b7aaff0b28e3723c5483bfb43a3a39f2908e

      SHA256

      ce638699bd03267c9e46dd74b348b979ff4cf9307689c2ee644504386c69e131

      SHA512

      0f14cb502c5b88421fcb7cd2e8842f410eca5a8b3efbdd3af433021de93bd1a930e919f36af6ed5019365f52343823d8eac30649e3676645123b00b5000a6c80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{130BC25D-228C-4127-B0CE-09401C3BDE16}
      Filesize

      128KB

      MD5

      16bc9a4e33c6d1018c4a44b50a5c647b

      SHA1

      70a05c82a914ae1fe189a079b746b0100ce1c453

      SHA256

      8002e5b4ba6ddeaf298a354e2e3ce3d3a7a2d3c2ab3880e6d2b1d53fe7c23095

      SHA512

      86667041acd97c376800b9654670dd687de7bc9e3d78eb75f8d89905e22b1dca8f789482c6dec504d7631b19194082a0e9a35115785e9250bd6a41d7ee9798bd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      99692cd1952037c287e38ef27588d44b

      SHA1

      2d4ecd03da808dd2cc839f96f3e28cc203a3753f

      SHA256

      ee67364cab098ac405c88c127cc6be364c8407e4ef0b6fbb24ba4f78f33c27aa

      SHA512

      b19d442a489b2726a20862818bd84841660ba2f31598a7d511ae22595bb064d8d6243eecdbd608ef5c6057e14a405fd8790dbd4d7c949f7d65b67869f8e44a9b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N1TG8HFK9PJ2VTJZ5U8W.temp
      Filesize

      7KB

      MD5

      cd2a2a9d6b735b3339b18b76e67aa9a1

      SHA1

      a566fc5016c431915d9ba9739619fd79108a86f1

      SHA256

      5b80cdc99f7f95d259169338f2a563706f8c34bf3e2773cc8d1535093619e826

      SHA512

      37d56db9ddebe95f5ecb07980578973caa83ac4ed4837c0a2d2dcd3a12697c415479a774c073939a4e902541ceedf6d1b4373fb69eca31cdc63b749ab418985b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\alpha12345.scr
      Filesize

      490KB

      MD5

      208c31479a014536a9fe9c13acc0d403

      SHA1

      e9e082b4a5cbd4ce17168d4164dfa6fab84bf2cd

      SHA256

      98e1aa492f377611e489361fbcf1fced75fe6c9028a214aeba35fa7ac577790b

      SHA512

      c1835226ae6bafd4309806773dbfd782dd39f71ffc760a74a822559b017457d9ac1b4f7e53f53bde1bd16150b454d7732855588eba6fc8513ff2a4ac00e98b2a

      Download Submit

    • memory/1548-165-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-162-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-196-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-187-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-160-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-154-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-167-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-158-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-157-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1548-164-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1592-140-0x0000000000420000-0x000000000042C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1592-128-0x00000000003B0000-0x00000000003C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1592-123-0x0000000000FF0000-0x000000000106E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1592-139-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1592-141-0x0000000004AD0000-0x0000000004B32000-memory.dmp

      Filesize

      392KB

      Download

    • memory/1740-0-0x000000002FD91000-0x000000002FD92000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1740-2-0x0000000070F2D000-0x0000000070F38000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1740-188-0x0000000070F2D000-0x0000000070F38000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1740-221-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1740-222-0x0000000070F2D000-0x0000000070F38000-memory.dmp

      Filesize

      44KB

      Download