Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-02-2024 23:56

General

  • Target

    636c32103ef487d1c30df530296f014b.exe

  • Size

    163KB

  • MD5

    636c32103ef487d1c30df530296f014b

  • SHA1

    f280007f3c78b0823d8978bec1c1cdf792bf5fc6

  • SHA256

    c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd

  • SHA512

    2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604

  • SSDEEP

    3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32
rc4.i32

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://technologyenterdo.shop/api

https://detectordiscusser.shop/api

https://turkeyunlikelyofw.shop/api

https://associationokeo.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe
    "C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4864
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4128 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:960
    • C:\Users\Admin\AppData\Local\Temp\EAA9.exe
      C:\Users\Admin\AppData\Local\Temp\EAA9.exe
      1⤵
      • Executes dropped EXE
      PID:3248

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\EAA9.exe

      Filesize

      3.4MB

      MD5

      8bf81aa03a788ed190e0e607425d0329

      SHA1

      be7ebc1dce27f2579ed86715dfa1783937d5b671

      SHA256

      655f549e5bf785a06fcd9d20531f00fa3253f1049b4cd2a119ae67974d2cac37

      SHA512

      e1af6ad59a121db2a3b5a2632cb402fa6a1e47f8e6bdb479e70f5085c4ac181fc724146a5fe09796f82f584e25183f793b19a0cb6fdfedb213ca3d7d67b9af54

    • C:\Users\Admin\AppData\Local\Temp\EAA9.exe

      Filesize

      3.6MB

      MD5

      6e77de23d0dcb595423561ce9d804999

      SHA1

      c0fe23308f2e2601619d499c3c7674ab1728e460

      SHA256

      d67c5846be34108443e5fd796c3597a748a7f5c1300122023d5a3f614f225df6

      SHA512

      7e9a0d97c06e41f5b04b781068f893adc80ed6915dc8f3783ebe562c1e8e600116813023ce01704c08f3276bcaf60b5de1a78153ad0b589a85e74f5df796096e

    • memory/3248-23-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/3248-22-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/3248-25-0x00000000009B0000-0x000000000125F000-memory.dmp

      Filesize

      8.7MB

    • memory/3248-21-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/3248-24-0x00000000007A0000-0x00000000007D2000-memory.dmp

      Filesize

      200KB

    • memory/3248-16-0x0000000000790000-0x0000000000791000-memory.dmp

      Filesize

      4KB

    • memory/3248-17-0x00000000009B0000-0x000000000125F000-memory.dmp

      Filesize

      8.7MB

    • memory/3248-18-0x00000000009B0000-0x000000000125F000-memory.dmp

      Filesize

      8.7MB

    • memory/3248-20-0x00000000007A0000-0x00000000007A1000-memory.dmp

      Filesize

      4KB

    • memory/3316-4-0x0000000002840000-0x0000000002856000-memory.dmp

      Filesize

      88KB

    • memory/4864-3-0x0000000000400000-0x00000000022D1000-memory.dmp

      Filesize

      30.8MB

    • memory/4864-1-0x00000000024E0000-0x00000000025E0000-memory.dmp

      Filesize

      1024KB

    • memory/4864-2-0x0000000002480000-0x000000000248B000-memory.dmp

      Filesize

      44KB

    • memory/4864-8-0x0000000002480000-0x000000000248B000-memory.dmp

      Filesize

      44KB

    • memory/4864-6-0x0000000000400000-0x00000000022D1000-memory.dmp

      Filesize

      30.8MB