Malware Analysis Report

2024-11-30 05:06

Sample ID 240228-yb9njacb93
Target acaef7a4ed87dc90ff181955ea7a2bbf
SHA256 555279cf7c7064b32bd5595f490702dba5c5aec6a0b58db22410880ad42b7106
Tags
themida lumma evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

555279cf7c7064b32bd5595f490702dba5c5aec6a0b58db22410880ad42b7106

Threat Level: Known bad

The file acaef7a4ed87dc90ff181955ea7a2bbf was found to be: Known bad.

Malicious Activity Summary

themida lumma evasion stealer

Lumma Stealer

Modifies security service

Detect Lumma Stealer payload V4

Themida packer

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 19:37

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 19:37

Reported

2024-02-28 19:40

Platform

win7-20240221-en

Max time kernel

146s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion
Start = 4 is SERVICE_DISABLED: the Windows Update service (wuauserv) and the Security Center service (wscsvc) will no longer start. The values are written by regedit.exe importing 1.reg (see Processes).
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A (11 occurrences)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A (11 occurrences)

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Windows\SysWOW64\nodf64.exe N/A (10 occurrences)

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\nodf64.exe C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe N/A
File opened for modification C:\Windows\SysWOW64\nodf64.exe C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe N/A
File created C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe N/A (10 occurrences)
File opened for modification C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe N/A (10 occurrences)

Suspicious use of WriteProcessMemory

The writes trace the launch chain: the sample starts cmd.exe (which starts regedit.exe) and a copy of nodf64.exe, and each nodf64.exe copy repeats both steps.
Description Indicator Process Target
PID 2228 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 1608 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 writes)
PID 2228 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe C:\Windows\SysWOW64\nodf64.exe (4 writes)
PID 2640 wrote to memory of 2928 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 2928 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 writes)
PID 2640 wrote to memory of 772 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe (4 writes)
PID 772 wrote to memory of 2616 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 2616 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 writes)
PID 772 wrote to memory of 2924 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe (4 writes)
PID 2924 wrote to memory of 1404 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 1404 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 writes)
PID 2924 wrote to memory of 2900 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe (4 writes)
PID 2900 wrote to memory of 1260 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\cmd.exe (4 writes)
PID 1260 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe (4 writes)
PID 2900 wrote to memory of 1160 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\nodf64.exe (4 writes)
PID 1160 wrote to memory of 1032 N/A C:\Windows\SysWOW64\nodf64.exe C:\Windows\SysWOW64\cmd.exe (4 writes)

Processes

C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe
"C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"

C:\Windows\SysWOW64\cmd.exe (11 instances: one started by the sample and one by each nodf64.exe copy)
cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe (11 instances, one per cmd.exe instance)
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nodf64.exe (10 instances; the first is started by the sample, each later one by the preceding copy, as the process-memory writes above show)
C:\Windows\system32\nodf64.exe 632 "C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"
C:\Windows\system32\nodf64.exe 720 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 716 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 724 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 732 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 728 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 740 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 736 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 748 "C:\Windows\SysWOW64\nodf64.exe"
C:\Windows\system32\nodf64.exe 744 "C:\Windows\SysWOW64\nodf64.exe"

Network

N/A

Files

C:\a.bat

C:\Users\Admin\AppData\Local\Temp\1.reg (six entries recorded, each with a different hash)

C:\Windows\SysWOW64\nodf64.exe (nine copies recorded; one has the same MD5 and SHA256 as the submitted sample, the rest have distinct hashes)

Memory dumps were captured for PIDs 2228, 2640, 772, 2924, 2900, 1160, 2996, 464, 3068 and 1872.

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 19:37

Reported

2024-02-28 19:40

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe

"C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"

Network

13 UDP reverse-DNS (PTR) queries to 8.8.8.8:53 (US) for in-addr.arpa names; no other connections were recorded.

Files

Only memory dumps of the sample process (PID 228) were captured; no dropped files were recorded.