Analysis
-
max time kernel
68s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
22-04-2024 14:02
General
-
Target
FieroHack.exe
-
Size
676.2MB
-
MD5
76a3bd6e846f46f5e8b6c7b2f0d29c57
-
SHA1
cb78a890bdfdb2f499e3d734f9caa0153bf9add0
-
SHA256
d41b139970b0bab5449bc61bf9d79cd0287e04a7267d19df87dc7b295718cdcf
-
SHA512
791f68758768373950df5e4dc77385e1f84fa0ac001846b5d4baeb7e330a03bc1b62048c17cfe5f2818b5b8fc06ab5b9c7d3e3b856498be7f11c05db2dd4bf6d
-
SSDEEP
196608:OY9faXEN+pIePaH5Yl38xc0l6zedTuSkM0da2o:OY+EN+KeyHm6B6z4TuSk5M2o
Malware Config
Extracted
lumma
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FieroHack.exe"C:\Users\Admin\AppData\Local\Temp\FieroHack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sirus.exeC:\Users\Admin\AppData\Roaming\Sirus.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "PDWIFJZS"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "PDWIFJZS" binpath= "C:\ProgramData\yofgvjmxzlhk\qrehadfoimfm.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "PDWIFJZS"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Sirus.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\LoadeSirus.exeC:\Users\Admin\AppData\Roaming\LoadeSirus.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵
-
C:\ProgramData\yofgvjmxzlhk\qrehadfoimfm.exeC:\ProgramData\yofgvjmxzlhk\qrehadfoimfm.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
178.4MB
MD51d9f607abbcd6f95c4c6cb9224e4a55f
SHA1bcaf583ff813831538e461f1b375b9dd3d7a68c0
SHA2564c4fc09b7e4ab4250ba94669c51f49978b4c130368a4114332ebdceba092d738
SHA512c21d46e19529fd9c0249c8ad89fcbb5e49acbbf921b3dd50a9274153e75856b9d32286103e344efb378959dcaa4a45ef3b552d8b2c9451e47970db5999804169
-
Filesize
179.4MB
MD5d783172172989512000776864f9efd78
SHA1287eb4d5128ed0419f0259435b9112bece6115b5
SHA256eb7cd19c24d73a8fd1c74cee48aa9de9600315232d956657039c8fe352af8e9a
SHA5120649df9c5cb02e3d999c03791923eee2cb76f96292e4915d803b9763279b91466e995ab3c56e3b2a150e8061a8e58f45e9cf8b988be89a080c99ed2379159c1b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
252.1MB
MD5e126d25dff143bd28f23d1a2b3585d43
SHA1cf5cea086003a46dc2896553585e9969a84ea482
SHA256c155666a36630cfdf8d87414b01c9fe4f1da6ee4442867ea627a55f8d754911a
SHA512f37ed49475418e3122cfa3dba0f7bfd422052b4cc9ad577e25384083e31b29e872b3b59b349bec7de6e24033e950efc1e475ca72ede1d66efeb21f227f246f1b
-
Filesize
252.4MB
MD5b5e500d806dceaf86d1b5eb64cef3650
SHA1db96af3891fd0a62195d9baf5bd0cb9f83cdb22e
SHA256f8e50008637a098cc1f123ec79929abb493c5cacc9f7fd4fa17ef34b37cc10ec
SHA512292caa05f3acba1bae495fa14c5b1db74c9066c91732b52aa6b40ee1f34e4bb96105b9d35feda811e4a2c84185586a28edc51918a6626becc2d34ab7d67f0bf3
-
Filesize
273.6MB
MD57b010ec56ff47b983eb4941a1e6b545c
SHA19b60730daab56f176e9c0ebf70e977df0ab14950
SHA256265fe4639695ceaeb236714625f6cd8cfae5961d88cde5eb79b7b0689a9c62d6
SHA5126290930fccd6b3c02237f0bf9f3a52e07e4f0bb68dd68b62ce2df21368628afc75fac8a99c39ce52a0d9e16ae53200e54e8ff25433896e0c7a20ff727eb6750c
-
Filesize
273.9MB
MD517a1e4c00cc515aba03d3e473a8b62b1
SHA1750b796ab81f3a8717ed0bf9a51eda4f8ffdc2af
SHA25685a119284a7ea4b3d9bb5f2dbeff7159ea003e05bfa096fa4554ab2613ccb5eb
SHA5126473fc6fc7c82fda311e56742936d01bdc37f609e7a9deba4c999b4d784820c3c6d5d80e641eefb149dd04efa80b2ad48cb85edf1bc0f7a5ffb6b023f4ea5d45
-
Filesize
112KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
724KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
632KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
632KB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
2.0MB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
632KB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
2.8MB
-
Filesize
632KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
632KB
-
Filesize
2.0MB
-
Filesize
12.3MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
12.3MB
-
Filesize
276KB
-
Filesize
632KB