lumma | cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
Size

187KB
MD5

9837c3f3238d85d6bc07935cbe764206
SHA1

33b273680cb8647e137f8bbb43dbc53380fdec53
SHA256

cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df
SHA512

533a64cd597bd139063f8da6cf4fabbb202f6165a38e9ce8d0279fc7401dc255d68bc89f45538df8c0b043673cea9f0bfd8e4a09a1c8bf0da8da91f55dbbce8b
SSDEEP

3072:uMLgD6NIYVsjEwh0YhWvivt0xoJdW20m2JAj5AeVHC:5LgOijI28Kvt0CPW3m2JnW

Score

10^/10

lumma phobos rhadamanthys smokeloader summ backdoor collection discovery persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

summ

Extracted

Family

smokeloader

Version

2022

http://stalagmijesarl.com/

http://ukdantist-sarl.com/

http://cpcorprotationltd.com/

rc4.i32

Extracted

Family

lumma

gstatic-node.io

Signatures

Detect rhadamanthys stealer shellcode 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1648-204-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-205-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-206-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-208-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-222-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-360-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys
behavioral1/memory/1648-422-0x00000000024F0000-0x00000000028F0000-memory.dmp	family_rhadamanthys

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

AF85.exe

description pid process target process

PID 1648 created 3092 1648 AF85.exe Explorer.EXE
Downloads MZ/PE file
Drops startup file 1 IoCs

Processes:

ceMjVhm.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ceMjVhm.exe ceMjVhm.exe
Executes dropped EXE 9 IoCs

Processes:

AF85.exeB811.exeBEB9.exevgejgvrRwzZ3.execeMjVhm.exerL4d.exeRwzZ3.execeMjVhm.exe

pid process

1648 AF85.exe
3888 B811.exe
2884 BEB9.exe
4060 vgejgvr
2824 RwzZ3.exe
3428 ceMjVhm.exe
4404 rL4d.exe
776 RwzZ3.exe
4400 ceMjVhm.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1648 created 3092	1648	AF85.exe	Explorer.EXE

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ceMjVhm.exe	ceMjVhm.exe

pid	process
1648	AF85.exe
3888	B811.exe
2884	BEB9.exe
4060	vgejgvr
2824	RwzZ3.exe
3428	ceMjVhm.exe
4404	rL4d.exe
776	RwzZ3.exe
4400	ceMjVhm.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ceMjVhm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceMjVhm = "C:\\Users\\Admin\\AppData\\Local\\ceMjVhm.exe"	ceMjVhm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceMjVhm = "C:\\Users\\Admin\\AppData\\Local\\ceMjVhm.exe"	ceMjVhm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

ceMjVhm.exe

description ioc process

File opened for modification C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini ceMjVhm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

RwzZ3.exe

description pid process target process

PID 2824 set thread context of 776 2824 RwzZ3.exe RwzZ3.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

632 1648 WerFault.exe AF85.exe
1600 3888 WerFault.exe B811.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini	ceMjVhm.exe

description	pid	process	target process
PID 2824 set thread context of 776	2824	RwzZ3.exe	RwzZ3.exe

pid	pid_target	process	target process
632	1648	WerFault.exe	AF85.exe
1600	3888	WerFault.exe	B811.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exeRwzZ3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RwzZ3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RwzZ3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RwzZ3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exeExplorer.EXE

pid	process
3756	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
3756	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE

pid	process
3092	Explorer.EXE

Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exeExplorer.EXERwzZ3.exe

pid	process
3756	cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
3092	Explorer.EXE
776	RwzZ3.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

BEB9.exeExplorer.EXEceMjVhm.exe

description	pid	process
Token: SeDebugPrivilege	2884	BEB9.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeDebugPrivilege	3428	ceMjVhm.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Explorer.EXEAF85.exeRwzZ3.execeMjVhm.exe

description	pid	process	target process
PID 3092 wrote to memory of 1648	3092	Explorer.EXE	AF85.exe
PID 3092 wrote to memory of 1648	3092	Explorer.EXE	AF85.exe
PID 3092 wrote to memory of 1648	3092	Explorer.EXE	AF85.exe
PID 3092 wrote to memory of 3888	3092	Explorer.EXE	B811.exe
PID 3092 wrote to memory of 3888	3092	Explorer.EXE	B811.exe
PID 3092 wrote to memory of 3888	3092	Explorer.EXE	B811.exe
PID 3092 wrote to memory of 2884	3092	Explorer.EXE	BEB9.exe
PID 3092 wrote to memory of 2884	3092	Explorer.EXE	BEB9.exe
PID 3092 wrote to memory of 2884	3092	Explorer.EXE	BEB9.exe
PID 3092 wrote to memory of 2212	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2212	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2212	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2212	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3408	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3408	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3408	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4592	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4592	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4592	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4592	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3416	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3416	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3416	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3376	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3376	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3376	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 3376	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1680	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1680	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1680	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1680	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1100	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1100	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1100	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 1100	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4748	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4748	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 4748	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2640	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2640	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2640	3092	Explorer.EXE	explorer.exe
PID 3092 wrote to memory of 2640	3092	Explorer.EXE	explorer.exe
PID 1648 wrote to memory of 4916	1648	AF85.exe	certreq.exe
PID 1648 wrote to memory of 4916	1648	AF85.exe	certreq.exe
PID 1648 wrote to memory of 4916	1648	AF85.exe	certreq.exe
PID 1648 wrote to memory of 4916	1648	AF85.exe	certreq.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 2824 wrote to memory of 776	2824	RwzZ3.exe	RwzZ3.exe
PID 3428 wrote to memory of 3344	3428	ceMjVhm.exe	cmd.exe
PID 3428 wrote to memory of 3344	3428	ceMjVhm.exe	cmd.exe
PID 3428 wrote to memory of 1752	3428	ceMjVhm.exe	cmd.exe
PID 3428 wrote to memory of 1752	3428	ceMjVhm.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe
"C:\Users\Admin\AppData\Local\Temp\cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3756

C:\Users\Admin\AppData\Local\Temp\AF85.exe
C:\Users\Admin\AppData\Local\Temp\AF85.exe
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 948
3⤵
- Program crash
PID:632

C:\Users\Admin\AppData\Local\Temp\B811.exe
C:\Users\Admin\AppData\Local\Temp\B811.exe
2⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 3340
3⤵
- Program crash
PID:1600

C:\Users\Admin\AppData\Local\Temp\BEB9.exe
C:\Users\Admin\AppData\Local\Temp\BEB9.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2212

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3408

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:3416

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:3376

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1680

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:4748

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2640

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:4916

C:\Users\Admin\AppData\Roaming\vgejgvr
C:\Users\Admin\AppData\Roaming\vgejgvr
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1648 -ip 1648
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3888 -ip 3888
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe
"C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe
"C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:776

C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe
"C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe
"C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe"
2⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:3344

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1752

C:\Users\Admin\AppData\Local\Microsoft\rL4d.exe
"C:\Users\Admin\AppData\Local\Microsoft\rL4d.exe"
1⤵
- Executes dropped EXE
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe

Filesize
164KB

MD5
9203fe10fe63b5f71ab4bfa7b6a48a49

SHA1
73f600a7ba889d9cd04c479966b037db8b1082ec

SHA256
03380255147ce21c3f835cbb2a51933337b07015d527a127c2a8e20e99b2cd1e

SHA512
ea40b704aee0c59b8a5fbdb49d41f89f6ad8f75c72fa63fba30e1b17f3165b019114c8f538f4c75d349f6559e7365255c8dc129b458006f126057088e1775cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe

Filesize
164KB

MD5
9203fe10fe63b5f71ab4bfa7b6a48a49

SHA1
73f600a7ba889d9cd04c479966b037db8b1082ec

SHA256
03380255147ce21c3f835cbb2a51933337b07015d527a127c2a8e20e99b2cd1e

SHA512
ea40b704aee0c59b8a5fbdb49d41f89f6ad8f75c72fa63fba30e1b17f3165b019114c8f538f4c75d349f6559e7365255c8dc129b458006f126057088e1775cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\RwzZ3.exe

Filesize
164KB

MD5
9203fe10fe63b5f71ab4bfa7b6a48a49

SHA1
73f600a7ba889d9cd04c479966b037db8b1082ec

SHA256
03380255147ce21c3f835cbb2a51933337b07015d527a127c2a8e20e99b2cd1e

SHA512
ea40b704aee0c59b8a5fbdb49d41f89f6ad8f75c72fa63fba30e1b17f3165b019114c8f538f4c75d349f6559e7365255c8dc129b458006f126057088e1775cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe

Filesize
163KB

MD5
34f108f02f597ef5d4a838f76bd4777d

SHA1
f992c0b6282ebdfb4a059a16142177201534a89c

SHA256
89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953

SHA512
1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe

Filesize
163KB

MD5
34f108f02f597ef5d4a838f76bd4777d

SHA1
f992c0b6282ebdfb4a059a16142177201534a89c

SHA256
89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953

SHA512
1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ceMjVhm.exe

Filesize
163KB

MD5
34f108f02f597ef5d4a838f76bd4777d

SHA1
f992c0b6282ebdfb4a059a16142177201534a89c

SHA256
89c65668def919cdf677df2774c5646540fee498031f7ecd5c7a6be7b62e9953

SHA512
1722dc18036cdc11aab0e8fdb1e9106132d644247029a72dd97806e28091bf757a516e31daeb9eff14041fabe975d08ccf21fa10d2b837770a3fe855c7f05de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\rL4d.exe

Filesize
164KB

MD5
5aaa271e450f4be6a269af69aefb2768

SHA1
64465c850b883c9dee5dfe9877b2a03d72bc3f3b

SHA256
a79846e5685f2e79e36614a9f8c17476c6eb140b44954234a8842590cd7e7c29

SHA512
7a7981016391eb7bebb155711ac40c9808b9ad7464daaed850793f37c8fd404878e493c8894049b125fb7b03c92e64da62794b6fbdd481e2753ab62a0bc20213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\rL4d.exe

Filesize
164KB

MD5
5aaa271e450f4be6a269af69aefb2768

SHA1
64465c850b883c9dee5dfe9877b2a03d72bc3f3b

SHA256
a79846e5685f2e79e36614a9f8c17476c6eb140b44954234a8842590cd7e7c29

SHA512
7a7981016391eb7bebb155711ac40c9808b9ad7464daaed850793f37c8fd404878e493c8894049b125fb7b03c92e64da62794b6fbdd481e2753ab62a0bc20213

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF85.exe

Filesize
374KB

MD5
ce37162e61f8f28063218694d623447f

SHA1
14353dcfec3432a3fdbcde8f895a51434b57f7ee

SHA256
437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb

SHA512
5b6056bd22cfe1fc8039cd65a91033864dbac0811a13cb8ae3a30e4519c6d8abcc5f3651ffb51dd9ec66f4e0b74663e011e5f778c23adbf7af415d35a4f68ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF85.exe

Filesize
374KB

MD5
ce37162e61f8f28063218694d623447f

SHA1
14353dcfec3432a3fdbcde8f895a51434b57f7ee

SHA256
437254cf9cf1247e0c8abc2b917b785f77bc5b7caffeb45ed6e46ac4f874e2cb

SHA512
5b6056bd22cfe1fc8039cd65a91033864dbac0811a13cb8ae3a30e4519c6d8abcc5f3651ffb51dd9ec66f4e0b74663e011e5f778c23adbf7af415d35a4f68ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B811.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B811.exe

Filesize
290KB

MD5
6d35d4cb11e99f8645441b0f1f96da3d

SHA1
3b6e12da0c1c37d38db867ab6330ace34461c56a

SHA256
9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204

SHA512
01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEB9.exe

Filesize
389KB

MD5
114cbc53c9897969ccf2186555acc352

SHA1
4553de569c4a3543495740ff07b91ecaaef4f4f8

SHA256
98dfef6425e72b931ce52346f8cd279bb4367d68544017cf31c2853fce634849

SHA512
779f124be27936c1ce033bbf1c10bbae03020ce53ba41a88b25074b56827acc15a1fafc8a697b188ea8f1f8e3ec7c21fc5e24491964760a3b396ecbd7e082849

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEB9.exe

Filesize
389KB

MD5
114cbc53c9897969ccf2186555acc352

SHA1
4553de569c4a3543495740ff07b91ecaaef4f4f8

SHA256
98dfef6425e72b931ce52346f8cd279bb4367d68544017cf31c2853fce634849

SHA512
779f124be27936c1ce033bbf1c10bbae03020ce53ba41a88b25074b56827acc15a1fafc8a697b188ea8f1f8e3ec7c21fc5e24491964760a3b396ecbd7e082849

Download Submit
C:\Users\Admin\AppData\Roaming\vgejgvr

Filesize
187KB

MD5
9837c3f3238d85d6bc07935cbe764206

SHA1
33b273680cb8647e137f8bbb43dbc53380fdec53

SHA256
cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df

SHA512
533a64cd597bd139063f8da6cf4fabbb202f6165a38e9ce8d0279fc7401dc255d68bc89f45538df8c0b043673cea9f0bfd8e4a09a1c8bf0da8da91f55dbbce8b

Download Submit
C:\Users\Admin\AppData\Roaming\vgejgvr

Filesize
187KB

MD5
9837c3f3238d85d6bc07935cbe764206

SHA1
33b273680cb8647e137f8bbb43dbc53380fdec53

SHA256
cc51b2cc0e9293186c8e4d11531f28e66ceeed868ee9b6eef1ba267446e543df

SHA512
533a64cd597bd139063f8da6cf4fabbb202f6165a38e9ce8d0279fc7401dc255d68bc89f45538df8c0b043673cea9f0bfd8e4a09a1c8bf0da8da91f55dbbce8b

Download Submit
memory/1100-197-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1100-187-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1100-186-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1100-184-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/1648-215-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/1648-206-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-222-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-200-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/1648-208-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-207-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1648-203-0x00000000021C0000-0x00000000021C7000-memory.dmp

Filesize
28KB

Download
memory/1648-201-0x0000000002120000-0x0000000002191000-memory.dmp

Filesize
452KB

Download
memory/1648-205-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-421-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1648-202-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1648-360-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-422-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1648-204-0x00000000024F0000-0x00000000028F0000-memory.dmp

Filesize
4.0MB

Download
memory/1680-182-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/1680-181-0x0000000000AE0000-0x0000000000AE5000-memory.dmp

Filesize
20KB

Download
memory/1680-179-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/2212-164-0x0000000000D80000-0x0000000000D87000-memory.dmp

Filesize
28KB

Download
memory/2212-183-0x0000000000D70000-0x0000000000D7B000-memory.dmp

Filesize
44KB

Download
memory/2212-180-0x0000000000D80000-0x0000000000D87000-memory.dmp

Filesize
28KB

Download
memory/2212-166-0x0000000000D70000-0x0000000000D7B000-memory.dmp

Filesize
44KB

Download
memory/2640-192-0x0000000000780000-0x000000000078B000-memory.dmp

Filesize
44KB

Download
memory/2640-194-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2640-195-0x0000000000780000-0x000000000078B000-memory.dmp

Filesize
44KB

Download
memory/2640-199-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2884-254-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-245-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-541-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2884-437-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2884-415-0x0000000073870000-0x0000000074020000-memory.dmp

Filesize
7.7MB

Download
memory/2884-351-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2884-272-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-270-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-268-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-266-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-264-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-262-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-260-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-258-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-256-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-251-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-249-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-217-0x00000000005E0000-0x0000000000642000-memory.dmp

Filesize
392KB

Download
memory/2884-218-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2884-216-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2884-247-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-220-0x0000000073870000-0x0000000074020000-memory.dmp

Filesize
7.7MB

Download
memory/2884-221-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2884-243-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-223-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2884-224-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/2884-225-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-226-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-228-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-241-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-231-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-235-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-239-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/2884-237-0x0000000002750000-0x00000000027CA000-memory.dmp

Filesize
488KB

Download
memory/3092-137-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/3376-176-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/3376-196-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/3376-178-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/3376-177-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/3408-168-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/3408-167-0x0000000000720000-0x000000000072F000-memory.dmp

Filesize
60KB

Download
memory/3408-185-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/3408-169-0x0000000000720000-0x000000000072F000-memory.dmp

Filesize
60KB

Download
memory/3416-175-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3416-173-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3416-193-0x0000000000B50000-0x0000000000B56000-memory.dmp

Filesize
24KB

Download
memory/3416-174-0x0000000000B50000-0x0000000000B56000-memory.dmp

Filesize
24KB

Download
memory/3756-135-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/3756-134-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/3756-136-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3756-141-0x0000000002230000-0x0000000002239000-memory.dmp

Filesize
36KB

Download
memory/3756-138-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3888-219-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3888-232-0x0000000002040000-0x0000000002095000-memory.dmp

Filesize
340KB

Download
memory/3888-233-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3888-211-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3888-925-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3888-209-0x0000000002040000-0x0000000002095000-memory.dmp

Filesize
340KB

Download
memory/3888-210-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/4592-189-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/4592-170-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/4592-171-0x0000000000850000-0x0000000000855000-memory.dmp

Filesize
20KB

Download
memory/4592-172-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/4748-191-0x0000000000B30000-0x0000000000B3D000-memory.dmp

Filesize
52KB

Download
memory/4748-190-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/4748-188-0x0000000000B30000-0x0000000000B3D000-memory.dmp

Filesize
52KB

Download
memory/4748-198-0x0000000000B40000-0x0000000000B47000-memory.dmp

Filesize
28KB

Download
memory/4916-3276-0x00007FF43A220000-0x00007FF43A34D000-memory.dmp

Filesize
1.2MB

Download
memory/4916-3705-0x00007FFCAAEF0000-0x00007FFCAB0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4916-2237-0x00007FFCAAEF0000-0x00007FFCAB0E5000-memory.dmp

Filesize
2.0MB

Download
memory/4916-2228-0x00007FF43A220000-0x00007FF43A34D000-memory.dmp

Filesize
1.2MB

Download
memory/4916-2224-0x00007FF43A220000-0x00007FF43A34D000-memory.dmp

Filesize
1.2MB

Download
memory/4916-2197-0x0000018E133F0000-0x0000018E133F7000-memory.dmp

Filesize
28KB

Download
memory/4916-252-0x0000018E11340000-0x0000018E11343000-memory.dmp

Filesize
12KB

Download