lokibot | 9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b

Analysis

max time kernel
144s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b.xls
Size

751KB
MD5

32eb79369e1e7e135906f146b9d35457
SHA1

cf00749dc8097014fa6f94dba1b400e600cd92d8
SHA256

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b
SHA512

808b364e5688dc85565411933fb03dbed3b21d0043776585e133f4ad817079fee36c02f1b530fbc0b260e4970ed3b13f6d5deacf39b9cd7a85420dec50c14904
SSDEEP

12288:0qFzu4LSZU2QdSZKHuntvZctbyyWgFfX202BToNcq7nqDljjTvyd8NPi9zS+i:Nzu4LLxdSZw0vZEbciX20KTZ++ljjTDD

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://overclockingmachines.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	2428	EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Common\Offline\Files\http://tny.wtf/iFpoP	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Executes dropped EXE 2 IoCs

pid	Process
1632	winiti.exe
2356	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2356	1632	winiti.exe	35

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiti.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2428	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1596	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	winiti.exe
Token: SeShutdownPrivilege	2980	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1596	EXCEL.EXE
1596	EXCEL.EXE
1596	EXCEL.EXE
2980	WINWORD.EXE
2980	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1632	2428	EQNEDT32.EXE	33
PID 2428 wrote to memory of 1632	2428	EQNEDT32.EXE	33
PID 2428 wrote to memory of 1632	2428	EQNEDT32.EXE	33
PID 2428 wrote to memory of 1632	2428	EQNEDT32.EXE	33
PID 2980 wrote to memory of 2868	2980	WINWORD.EXE	34
PID 2980 wrote to memory of 2868	2980	WINWORD.EXE	34
PID 2980 wrote to memory of 2868	2980	WINWORD.EXE	34
PID 2980 wrote to memory of 2868	2980	WINWORD.EXE	34
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35
PID 1632 wrote to memory of 2356	1632	winiti.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b.xls
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\winiti.exe
  "C:\Users\Admin\AppData\Roaming\winiti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Roaming\winiti.exe
    "C:\Users\Admin\AppData\Roaming\winiti.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CD66C841-DE7F-4F3C-B63A-076580BD3A25}.FSD

Filesize
128KB

MD5
bdc19006c75450d4c7b4eb967785767b

SHA1
814d3a9b396abcba3a8f68f25fe774597eed4e58

SHA256
cf10955b8f82949e6e25b7b4b51d6f847781e898a8ebced715e5bf260343d631

SHA512
56e594b75c839b40e6785741f0499d84a8bca1aa243aeb9ebffaeb32e2501564a4640809ff99acd2948e184b4328f5afd651c4486a4b85e5e6252f3ae5cc79e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CD66C841-DE7F-4F3C-B63A-076580BD3A25}.FSD

Filesize
128KB

MD5
77301830894b928614cad18f0ac7f36c

SHA1
fb0bf77a5b4fa502464f84e58d60e50f42065228

SHA256
29af49fa9f3a7f860109911c180d1a07bf2302e721cf11e034bb023da73d8f9b

SHA512
86b07f47655775b44c324f4f4a573a172187a776507696ebb4cd7dea53b3dd950759d10265b7eac923e058a55f11c0f8eb9d8a8f00c091955c125fcea0c02d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
269fb89a30e0e29abc94ea7051403dd1

SHA1
1f2eaf8d468a5a54ea8268a1947a2e7cb23f9f4f

SHA256
342bba75531d59afd5e5977b61727b8a2b84b1cab46a908efd2d4e95b2e694fa

SHA512
16699623fdb7b55bc1d9260b721c2df5f5ac9245360277d0fdadbd194157e9c880f3fbf99fd844f6e88ef34929668db85ecc0beeeaa50b238e8dfa4f67dfdc19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{6A0D838C-57CC-4319-A4D0-6D5EC5136F0A}.FSD

Filesize
128KB

MD5
e507baad21c562cd1456a73248f8637c

SHA1
e6644012cd6e8e17bb72dc501778aba96206f080

SHA256
51b5e8d8cf0bbce73a9934f99b4c7d865abb95297c7dde814597dc7ca67f02e3

SHA512
f5df20786fa1552ae451926931b3e8ffa557957e65210d79b2b3c722eb5f8941afba4e1c93011d484e6ce8e00c2d03bbcd2d1d06260cf261d9cad081cf037b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\megreatwithyourlovertothinkaboutthenewconceptgreaterthanbefore_________ireallylovingthisbewbeautytoinvolvethestructure[1].doc

Filesize
87KB

MD5
29b3fc11ab9d647ec19d3e02364355b2

SHA1
bcacc163004990d917d6402942e3e34609fa33e5

SHA256
2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

SHA512
68752b58c102c4816859f4e06a9e676509ffba01cbe2772d5694e76da37f4dcdf74bd62d8ecaa33ed42f773693aaf135ad1b4bd940ae2277a7900f0105c57ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BD760AA3-1E61-4A62-BD40-C63A41026D69}

Filesize
128KB

MD5
28ba071c390ca7f958a5e403456fc4de

SHA1
267eceb5fdba3b7431b32fc8b8ca14abf78078fe

SHA256
e81d3a01316b6694e1d7c4946e2cef271ce9796c332ee8a3074159c42ae68084

SHA512
7c123148541b7ee021466be3dc08518338a16bee634019738e03718eb45d74981cc813d379d0ee9f97124deacf1d8662f003ec1108b896a645547408a6e19e1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2958949473-3205530200-1453100116-1000\0f5007522459c86e95ffcc62f32308f1_de01a861-90ab-43d5-9b99-39b9435908f3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2958949473-3205530200-1453100116-1000\0f5007522459c86e95ffcc62f32308f1_de01a861-90ab-43d5-9b99-39b9435908f3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
545KB

MD5
33f3dc03864d8d5cce813683d49ad2dd

SHA1
e8dfde644b945723e2fa9744f114bdd84be8068b

SHA256
84fb2ec298bec7a70493394b6d6caabcd0522a8f5f7753d8e725118c7e08da4e

SHA512
7723efdf7655847710fdf142477d5ff1496cec97f8043a3a14c82a554eb0f56bd1d96b420b118aa265636f59debfb721d950e71c21aec44bf5765e5710d68ded

Download Submit
memory/1596-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1596-8-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/1596-131-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download
memory/1596-1-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download
memory/1632-94-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/1632-93-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/1632-95-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/1632-92-0x0000000001010000-0x000000000109E000-memory.dmp

Filesize
568KB

Download
memory/1632-96-0x0000000000D80000-0x0000000000DE2000-memory.dmp

Filesize
392KB

Download
memory/2356-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-101-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-108-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-99-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-105-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-97-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-110-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2356-129-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2980-5-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download
memory/2980-3-0x000000002FB41000-0x000000002FB42000-memory.dmp

Filesize
4KB

Download
memory/2980-132-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download
memory/2980-7-0x0000000003750000-0x0000000003752000-memory.dmp

Filesize
8KB

Download
memory/2980-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2980-156-0x000000007201D000-0x0000000072028000-memory.dmp

Filesize
44KB

Download