Overview

overview

10

Static

static

3

SWU5109523I.exe

windows7-x64

10

SWU5109523I.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SWU5109523I.exe

  • Size

    1.8MB

  • MD5

    1af02455b4d35d282469dde4144cbd07

  • SHA1

    bcd8d182b9d8036ce3b31c4fac14cb1d074e45ff

  • SHA256

    2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0

  • SHA512

    9ab046b3c20985290f155e07441ea97ac84bc064b8f237b2883cb65280bcf9f0b174924e8e20eb22be5b10693b20be02bdaa3ab4f9e9e79c71ded6f031af8c0a

  • SSDEEP

    49152:mOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZdIrRo2ht1K1YvkUw:rv85

Score
10/10
lokibotcollectionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://sssteell-com.pro/kedu/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3240
      • C:\Users\Admin\AppData\Local\Temp\SWU5109523I.exe
        "C:\Users\Admin\AppData\Local\Temp\SWU5109523I.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
          3⤵
            PID:3480
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
            3⤵
            • Accesses Microsoft Outlook profiles
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • outlook_office_path
            • outlook_win_path
            PID:448
            • C:\Users\Admin\AppData\Roaming\Jnae3OU.exe
              "C:\Users\Admin\AppData\Roaming\Jnae3OU.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                5⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2720
                • C:\Windows\SysWOW64\TapiUnattend.exe
                  "C:\Windows\SysWOW64\TapiUnattend.exe"
                  6⤵
                  • Adds policy Run key to start application
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:2412
              • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                5⤵
                  PID:5032
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3736 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:1708

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Email Collection

          1
          T1114

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Jnae3OU.exe
            Filesize

            1.6MB

            MD5

            0815923728c22dbce41267fcc92aa214

            SHA1

            e9fff8ffde4368dc589398dabb509ae3b13fc4d7

            SHA256

            30b4e1df558507997345b1409de5a1ea4f777af6b185d5d860c28a3fdfd6e079

            SHA512

            ef16b7be0fcc7500719b9008d840532ab9137cbc22bd9bdb56aebdf4d321ff055701f97ed220c5eb66146651d604470df717ca116706ffd12398ed3a597e136b

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
            Filesize

            46B

            MD5

            d898504a722bff1524134c6ab6a5eaa5

            SHA1

            e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

            SHA256

            878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

            SHA512

            26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
            Filesize

            46B

            MD5

            c07225d4e7d01d31042965f048728a0a

            SHA1

            69d70b340fd9f44c89adb9a2278df84faa9906b7

            SHA256

            8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

            SHA512

            23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

            Download Submit
          • memory/448-0-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/448-2-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/448-6-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/448-24-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/448-31-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/448-47-0x0000000000400000-0x00000000004A2000-memory.dmp
            Filesize

            648KB

            Download
          • memory/2412-52-0x0000000000AE0000-0x0000000000B1F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2412-50-0x0000000000AE0000-0x0000000000B1F000-memory.dmp
            Filesize

            252KB

            Download
          • memory/2720-40-0x0000000001980000-0x0000000001CCA000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/2720-37-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/2720-39-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/2720-49-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/2720-51-0x0000000000400000-0x0000000000443000-memory.dmp
            Filesize

            268KB

            Download
          • memory/2992-38-0x00007FFFD6020000-0x00007FFFD6AE1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2992-36-0x00000167B48A0000-0x00000167B493A000-memory.dmp
            Filesize

            616KB

            Download
          • memory/2992-35-0x00007FFFD6020000-0x00007FFFD6AE1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2992-34-0x00000167B2AC0000-0x00000167B2AC8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2992-33-0x00007FFFD6023000-0x00007FFFD6025000-memory.dmp
            Filesize

            8KB

            Download