Overview (score 10)
Static (score 10)

Tasks (score on windows7-x64 / windows10-2004-x64)
  malware/EinTT.exe     10 / 10
  malware/fox.exe        3 / 3
  malware/guJPO.exe     10 / 10
  malware/loader1.exe   10 / 7
  dnjdbaa.exe            3 / 3
  malware/regasm.exe    10 / 10
  malware/vbc.exe       10 / 7
  rywcikv.exe            3 / 3
  malware/vbc1.exe      10 / 7
  eblupydfzx.exe         3 / 3
  malware/vbc2.exe      10 / 7
  ioatgumevw.exe         3 / 3

Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 21-11-2024 20:32
Behavioral tasks (task, sample, resource)
  behavioral1    malware/EinTT.exe     win7-20241010-en
  behavioral2    malware/EinTT.exe     win10v2004-20241007-en
  behavioral3    malware/fox.exe       win7-20240903-en
  behavioral4    malware/fox.exe       win10v2004-20241007-en
  behavioral5    malware/guJPO.exe     win7-20240903-en
  behavioral6    malware/guJPO.exe     win10v2004-20241007-en
  behavioral7    malware/loader1.exe   win7-20241010-en
  behavioral8    malware/loader1.exe   win10v2004-20241007-en
  behavioral9    dnjdbaa.exe           win7-20240903-en
  behavioral10   dnjdbaa.exe           win10v2004-20241007-en
  behavioral11   malware/regasm.exe    win7-20240903-en
  behavioral12   malware/regasm.exe    win10v2004-20241007-en
  behavioral13   malware/vbc.exe       win7-20241010-en
  behavioral14   malware/vbc.exe       win10v2004-20241007-en
  behavioral15   rywcikv.exe           win7-20240903-en
  behavioral16   rywcikv.exe           win10v2004-20241007-en
  behavioral17   malware/vbc1.exe      win7-20240903-en
  behavioral18   malware/vbc1.exe      win10v2004-20241007-en
  behavioral19   eblupydfzx.exe        win7-20241023-en
  behavioral20   eblupydfzx.exe        win10v2004-20241007-en
  behavioral21   malware/vbc2.exe      win7-20241010-en
  behavioral22   malware/vbc2.exe      win10v2004-20241007-en
  behavioral23   ioatgumevw.exe        win7-20240729-en
  behavioral24   ioatgumevw.exe        win10v2004-20241007-en
General
  Target: malware/regasm.exe
  Size: 401KB
  MD5: 29b6f7f3043b17847283b694e6eecffc
  SHA1: 2dc63f5052eb2dbfd6c0c9192b92e1f53b32ccd8
  SHA256: 7500469c4541e998741549c72877eeda8d52ef698155cc5042eff21ed2bf8581
  SHA512: be4b02c6f0b0fcf1155b3970557ab618dc4da26b77bacb75422da110d89458d89e927301b3f49a179466dcbea186435b8ad94bcc03b8c77fcd8158f4a9147684
  SSDEEP: 12288:Dp6Hg67Dy5dVoUSrcLM0bK5FMtm7+RslS:gRiHi3cwvnWQ+6l
Malware Config
  Extracted family: lokibot
  C2 URLs:
    http://mail.outlook-webpage-auth.ml/joe/fre.php
    http://kbfvzoboss.bid/alien/fre.php
    http://alphastand.trade/alien/fre.php
    http://alphastand.win/alien/fre.php
    http://alphastand.top/alien/fre.php
Signatures
  Lokibot family

  Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    PID 2684  powershell.exe

  Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
    Key opened  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  regasm.exe
    Key opened  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  regasm.exe
    Key opened  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  regasm.exe

  Suspicious use of SetThreadContext (1 IoCs)
    PID 1224 set thread context of 2696  (pid 1224, regasm.exe, procid_target 35)

  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regasm.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe

  Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID 2676  schtasks.exe

  Suspicious behavior: EnumeratesProcesses (8 IoCs)
    PID 1224  regasm.exe      (7 entries)
    PID 2684  powershell.exe  (1 entry)

  Suspicious behavior: RenamesItself (1 IoCs)
    PID 2696  regasm.exe

  Suspicious use of AdjustPrivilegeToken (3 IoCs)
    Token: SeDebugPrivilege  PID 1224  regasm.exe
    Token: SeDebugPrivilege  PID 2684  powershell.exe
    Token: SeDebugPrivilege  PID 2696  regasm.exe

  Suspicious use of WriteProcessMemory (18 IoCs)
    PID 1224 wrote to memory of 2684  (pid 1224, regasm.exe, procid_target 31)  4 entries
    PID 1224 wrote to memory of 2676  (pid 1224, regasm.exe, procid_target 33)  4 entries
    PID 1224 wrote to memory of 2696  (pid 1224, regasm.exe, procid_target 35)  10 entries

  outlook_office_path (1 IoCs)
    Key opened  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  regasm.exe

  outlook_win_path (1 IoCs)
    Key opened  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  regasm.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\malware\regasm.exe  (PID 1224)
    command line: "C:\Users\Admin\AppData\Local\Temp\malware\regasm.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2684)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LhOPCK.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 2676)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LhOPCK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A26.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\malware\regasm.exe  (PID 2696)
      command line: "C:\Users\Admin\AppData\Local\Temp\malware\regasm.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: RenamesItself
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network

MITRE ATT&CK Enterprise v15
  Execution
    Command and Scripting Interpreter (1): PowerShell (1)
    Scheduled Task/Job (1): Scheduled Task (1)
  Credential Access
    Credentials from Password Stores (1): Credentials from Web Browsers (1)
    Unsecured Credentials (1): Credentials In Files (1)
Downloads
  Filesize: 1KB
    MD5: 8d8a5af4c59c8fec24a72f17c151193a
    SHA1: 68fa0123870fb8c9e86fb1a092c656ce2aa38dbf
    SHA256: b1aa8137948546cfae6bf616edc3e2a759edd1ce48a2be208939d07956924dec
    SHA512: 29177cb271b91929bb9a1ffe8e37eeb5551c0a00d8e5bda1486fa62c5b718d5ad8f3b5cd6926adf8c25795bfb121b3b89630a429dc0fca99eddc9b32addee7ff

  C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
    Filesize: 46B
    MD5: d898504a722bff1524134c6ab6a5eaa5
    SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
    SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
    SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61