Analysis
-
max time kernel
147s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06-03-2023 20:07
General
-
Target
Rust LoL Accounts Checker.bin.exe
-
Size
5.6MB
-
MD5
bded213b6ad8b501a9a8769498c06858
-
SHA1
3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb
-
SHA256
4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b
-
SHA512
01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3
-
SSDEEP
98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2
Malware Config
Extracted
C:\Users\Admin\3D Objects\RESTORE-MY-FILES.txt
http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Luca Stealer payload 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Rust LoL Accounts Checker.bin.exe"C:\Users\Admin\AppData\Local\Temp\Rust LoL Accounts Checker.bin.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Loading Rust Components. It can take up to 5 minutes, please wait.','Error','OK','Error')"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"C:\Users\Admin\AppData\Local\Temp\LoL Checker x64.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"C:\Users\Admin\AppData\Local\Temp\Runtime64.exe"5⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet7⤵
- Interacts with shadow copies
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures7⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no7⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet7⤵
- Deletes backup catalog
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start "" "C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"C:\Users\Admin\AppData\Local\Temp\LoL Account Checker.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
727B
MD5d9c2422005aa6f97e3f1ff059b28bacf
SHA14b3b55544366656b082ce9e26b03526ba8598f8a
SHA2568f7495dd7a09a2e1a4c8c4bfa1628684148aeeca4dc35d228fc19f6c58d2acd4
SHA51257c1e4eb20ca98732cd48c6f796c2f3c6225bc2549cb68c3bcc4af057e729a46d2b560e0080e96d4a7cc5a733b03d75ea21ce75eec6eb6c5c771f207f463e8e9
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD515f3be1d67171bda545ab1e427ff1ddb
SHA130bf19166a8089c34d834997ad0b85754d39e5ed
SHA256cbe2bc682bd48d5b95914dda2471ce13995b669f60165383529c3b48dd28c3b1
SHA512aac4a58c75dc5edcb3bb2c7dbc8c2cce6c12704cf6e31a5cdb5a816ce74b4ec73708339a2f1793863c4eecb490637844207ea5c69a9ce853b65df314e1dda1ff
-
Filesize
18KB
MD5290c741d67f47033bc634184d4044049
SHA1bc36ee4dc07132c0f05dba2f19e923f5697e2024
SHA2567604be4ec282d85fb48bebff338a409e467d01898bc0af0068b71e913f229949
SHA512ddd1d0921ca924157cb20a52ce3bbde53aaf78c31bce08d765a166593989c2dcc12b6a0445a2f1920b3130a7d8ff380c8d2db83678365cddeae97147657e30e4
-
Filesize
18KB
MD5290c741d67f47033bc634184d4044049
SHA1bc36ee4dc07132c0f05dba2f19e923f5697e2024
SHA2567604be4ec282d85fb48bebff338a409e467d01898bc0af0068b71e913f229949
SHA512ddd1d0921ca924157cb20a52ce3bbde53aaf78c31bce08d765a166593989c2dcc12b6a0445a2f1920b3130a7d8ff380c8d2db83678365cddeae97147657e30e4
-
Filesize
18KB
MD5e2c2fc9c5107169bedd0823f4139c394
SHA1906de28e68883e0bfcb5b0f56f25b2a3fe214741
SHA2569b33127ac0e96088ff3113b2bcb1833ef9f0c04e111e93f0a358e59767549633
SHA512a2525cfae7419bce66c76e0a6b7598d4015996f67f4553adcfe767e99f1b1e4adbbb3944818becf5c3f433a2cf91f7635a56d975bbbfe89e823480005570a378
-
Filesize
4.2MB
MD5737d5f15ce6f25fd35748317f418228e
SHA1ce770614c55fd78247e81073739a65a4859af95a
SHA25605e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820
SHA5124913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e
-
Filesize
4.2MB
MD5737d5f15ce6f25fd35748317f418228e
SHA1ce770614c55fd78247e81073739a65a4859af95a
SHA25605e13b81086568e323aa2a00d3c63f8df46f679a1d22a7a35062384f51342820
SHA5124913be2a1797ffc4b6be68a95bde091897a31490aec701580bf9978f5a76b3bc3d69655e500dac97ff5776d1325c97fe0ceae66982b84179f05ffd30ff4c3c9e
-
Filesize
257KB
MD5872be464e8b07144dd04ead953d26fec
SHA16908505f45adf61875f78e4e3e374da2d380b3b8
SHA25642105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60
SHA512a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4
-
Filesize
257KB
MD5872be464e8b07144dd04ead953d26fec
SHA16908505f45adf61875f78e4e3e374da2d380b3b8
SHA25642105689f3974b93b06d56c81d4a6852e0ab7759eaa63834941be7ad4290ff60
SHA512a9b082aea81a7801f77588ba8834b71ddbd64f43169e9f381f8f43145470e3ed5442551e2483e2c88b7a596d5ccf9cfeb3f5d900ce2c4baa2a6742baa924f5a4
-
Filesize
252KB
MD53c9bd0d16cea39a29132136d93c0b2ec
SHA15ffdf5cb39cc0e51753843e9e0aa14a201472fe4
SHA256f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86
SHA512314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4
-
Filesize
252KB
MD53c9bd0d16cea39a29132136d93c0b2ec
SHA15ffdf5cb39cc0e51753843e9e0aa14a201472fe4
SHA256f96e95622e7ef19947169f534f792b660cf9ba8209a3b5de0ff7a22e2d5b1e86
SHA512314cccc5f00952d19819363342a149fae3ca73db1bff31253a267142537890ea6fab7461c25ff5d0bf530631beac477905ee93a06ef3fafd98ee398bf3aa9fd4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
213KB
MD5b7a568181393a6a0aa0f556e268cd65d
SHA1eb107f4ea0c3885295144d28cd85a8313c6022f6
SHA2562b1f3494e2939931b28e5a297e08c5143554ca6b96f56f772cbc625766c9ad77
SHA51230b80cdb8239788daddbdea5646b0b2c7c0981b1bbf3ee90eb693f48f62a1d8c6cc7621bb5d2a16d15ae9fe7d48eb179c21fe87f8870db4d50aee7133b072fa6
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
496KB
-
Filesize
2.1MB
-
Filesize
1.6MB
-
Filesize
5.6MB
-
Filesize
488KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
