Analysis
-
max time kernel
143s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
16-01-2023 01:42
General
-
Target
file.exe
-
Size
210KB
-
MD5
0d0655ac3327465e342c8643e0aec261
-
SHA1
3b60b63f926a4ef0821bc359858fec339327517f
-
SHA256
19533506a74a8fd80ba932ca930c0805d0f69095d5820683ff757785dbb4359e
-
SHA512
1b00d21f5de948ef4d5be4a5593eb9a83dcccb84d1bd5ded3c2846a606e731f8d14074cfaaa5511c0a57651239de1870bab314ff5f8fea56022c2b3bc878f970
-
SSDEEP
3072:rMX15/9Gxad5gWGzaBUOxqNk7EWVRS8Nw4i:rIdGxbaBNx5EsSL
Malware Config
Extracted
lumma
77.73.134.68
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 48 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DF92.exeC:\Users\Admin\AppData\Local\Temp\DF92.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 186573⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 186573⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 186573⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 5562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3168 -ip 31681⤵
-
C:\Users\Admin\AppData\Local\Temp\E44.exeC:\Users\Admin\AppData\Local\Temp\E44.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 13362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1360 -ip 13601⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\rss.dll",ST8KV05MVjE22⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
774KB
MD58ba56be13ae7a847c6b27fd468bd0280
SHA18359d6b35b355ec57818ff5800ab7934c9a115ce
SHA256c97f6737d043d8edcec9fb6b2705a888d864ab1f19a40b6fc36a5c099bfac2f2
SHA512638cdff91479b035035484a98d1bc65c0c743227afd649f40f005dd55906ad0c16945b5500b2e807153188e3a355cbf6b277c8687cceba12b37b5ae214a50e94
-
Filesize
774KB
MD58ba56be13ae7a847c6b27fd468bd0280
SHA18359d6b35b355ec57818ff5800ab7934c9a115ce
SHA256c97f6737d043d8edcec9fb6b2705a888d864ab1f19a40b6fc36a5c099bfac2f2
SHA512638cdff91479b035035484a98d1bc65c0c743227afd649f40f005dd55906ad0c16945b5500b2e807153188e3a355cbf6b277c8687cceba12b37b5ae214a50e94
-
Filesize
256KB
MD564852277754d0707fccd9c64753c42a4
SHA1e9cb057db03d84200299651d9817fa66b78e9a5a
SHA25673a10cd69944d5c765e076c652020f0c15d8864b68bf281e4d61f279c71e1ebc
SHA512abdac10eeae4fbe8a4a50d63d6af77ea1bcf27339096ce5e9a4f7189f17f00c3516d0fa94adc71d76567251e05a08ecb280681767b4a117e43d72f7b86b627a1
-
Filesize
5KB
MD57ac38dcc72989ac01bd1a67d484af471
SHA1458224b5c1c1696d8255a355a6100a4652fd7bd7
SHA256923335d4d6399bd1bc2d44d264183cba0e2a2c3ecb1d18472003e787275d7e46
SHA512ae5f247648411df8657a2806e5a9ff8e48bf79cf19d2b4101ef67fa78d7b55e37248190ed1d60f58255fe5ceff38017764b0a0d73108150dd4666dde75c0ce14
-
Filesize
12KB
MD52d995c7aa8d041ffa18821c898bc2cb7
SHA1f16ef806d79bffeec76f27102bd8e1273a0f3747
SHA256614e99dbea133397b0b4ee8a222df8502f8f782fbcdd44651793c1c894281948
SHA51281dcbfa24e216bf2a06379ca7d830bd6e16b58c16cd595704903a636f770eb70ca2146ec682559b48e9ff2518cbf3e1ed693050938a9a2b2e478eba6b86959e6
-
Filesize
3.5MB
MD5cf020d76a6e19b1e7f20f818aaee2d84
SHA19d16e77380443c74c1ec65d5e1734c7af69add51
SHA256c30f79cfeef7b4727f0a922dc61215fffb348d64508509af666fa47e415d89ce
SHA5124772be90804c975d2942dee31640559063242baccff11a4513f65ee1bbf8db182e7118f9dc1cb24077b03487a92cbcb76c7c0b7cc9a49da0e2376a6b238f9d28
-
Filesize
126KB
MD59adaf3a844ce0ce36bfed07fa2d7ef66
SHA13a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5
-
Filesize
1KB
MD566963736ebb1e54dc596701206eaed3f
SHA118bc8dfc779d407398af193f3d265ff93f253bc2
SHA256fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b
SHA51296aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598
-
Filesize
62KB
MD58f6abfe0c274c41c3ad3c1becf2317f5
SHA16dc69b46e569ca11e3ec081293df69a6d115674c
SHA256d660f44fb7efbfdcec4cba821fea1be0977e3f66cc709b313edf9ead575994a5
SHA512ed474a6d52df65b5bf7a1bd81d54458a1258571f16b28ce043189815bf6dc57c49cb31c6f48fed9791de6b69f93331282a0c6e76e54d488ddad7e30d2333a1b2
-
Filesize
66KB
MD54896c2ad8ca851419425b06ec0fd95f2
SHA17d52e9355998f1b4487f8ef2b1b3785dec35d981
SHA2561160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3
SHA512271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2
-
Filesize
128B
MD573f303800be636585f9ec14701cd8d5e
SHA1456304dc888d5eaa159fa0fa34fc9bcc3bacb633
SHA256c8e3762853e17a3bd49882b0d36afa285bed5639f8f9e88f716c3942e28b6ace
SHA5128a80ee6d1b074d68a55bbb3d5be251cfaae89b0345a6b0e84a6359e8c1453c8bf0969e6d33a7d0523d30d586c46c1eede9e71f7a89f7bc67ea0ad866671b81b4
-
Filesize
1.1MB
MD5de3dcb40231ca68617243ab3bd2777cd
SHA1d01496824a45e5ad2846d6143ccdf4e1d1cb4e50
SHA2565b640da222c602b0b3a3f14c85afe969eb4a94d1cf3c0b531845e072ba2492d2
SHA512542bb8dbbf70742266b6c3bf656d7c6745658c5fa8c235257c74e27d376e0b1f4bc1e379143813462cf4cffd6baa7ae606dcf4861b95264131ebf624eaab756d
-
Filesize
1.1MB
MD5de3dcb40231ca68617243ab3bd2777cd
SHA1d01496824a45e5ad2846d6143ccdf4e1d1cb4e50
SHA2565b640da222c602b0b3a3f14c85afe969eb4a94d1cf3c0b531845e072ba2492d2
SHA512542bb8dbbf70742266b6c3bf656d7c6745658c5fa8c235257c74e27d376e0b1f4bc1e379143813462cf4cffd6baa7ae606dcf4861b95264131ebf624eaab756d
-
Filesize
248KB
MD5e2d40676fa2b1dd7966d50ccbf5acbde
SHA1e54498df173d571cff586b7594762b054ced5ea6
SHA2567b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084
SHA5123b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df
-
Filesize
248KB
MD5e2d40676fa2b1dd7966d50ccbf5acbde
SHA1e54498df173d571cff586b7594762b054ced5ea6
SHA2567b9e17219d79e0535177f413836088cf5fafb5854f3d2b18856a9834e0ef2084
SHA5123b70d0ad0b660360381654a63bc4989a982ba505ae2183bc4b31573c083eb703c8c01ae57df7c48a4dde937774067fbd7680054c90b50abcb7e056bc445059df
-
Filesize
774KB
MD5e06fb66bfbe1444cc091f0297b8d32db
SHA1c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
SHA256b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
SHA512c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95
-
Filesize
774KB
MD5e06fb66bfbe1444cc091f0297b8d32db
SHA1c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af
SHA256b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d
SHA512c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95
-
Filesize
774KB
MD58ba56be13ae7a847c6b27fd468bd0280
SHA18359d6b35b355ec57818ff5800ab7934c9a115ce
SHA256c97f6737d043d8edcec9fb6b2705a888d864ab1f19a40b6fc36a5c099bfac2f2
SHA512638cdff91479b035035484a98d1bc65c0c743227afd649f40f005dd55906ad0c16945b5500b2e807153188e3a355cbf6b277c8687cceba12b37b5ae214a50e94
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
-
Filesize
68KB
-
Filesize
39.6MB
-
Filesize
39.6MB
-
Filesize
36KB
-
Filesize
39.6MB
-
Filesize
39.6MB
-
-
Filesize
100KB
-
Filesize
168KB
-
Filesize
39.6MB
-
Filesize
100KB
-
Filesize
1.2MB
-
-
Filesize
2.7MB
-
Filesize
1.2MB
-
-
Filesize
1.2MB
-
Filesize
928KB
-
-
Filesize
40.5MB
-
Filesize
40.5MB
-
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
-
-
Filesize
2.7MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.6MB
-
Filesize
2.7MB
-
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
10.2MB
-
-
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
