Analysis
-
max time kernel
126s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-04-2024 16:39
General
-
Target
beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
-
Size
307KB
-
MD5
cf3c1c8bf8cb2a7c77f976c30bb1db06
-
SHA1
96660806f005a84bdac81a649a3118ac0f9605fc
-
SHA256
beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0
-
SHA512
2fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4
-
SSDEEP
3072:Y5a5vdqPp0ekxe4H0+3bLjP4wdRNpmsLP+p2uYPrBUeSoYI6iHEXiEI7I8NU:b+Ce8QQXvRNpmP8pBUe2I6mEXiEMNU
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
lumma
https://accountasifkwosov.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe"C:\Users\Admin\AppData\Local\Temp\beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49E5.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\605C.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\iwfbihdC:\Users\Admin\AppData\Roaming\iwfbihd1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\8D25.exeC:\Users\Admin\AppData\Local\Temp\8D25.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9208.exeC:\Users\Admin\AppData\Local\Temp\9208.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\95A3.exeC:\Users\Admin\AppData\Local\Temp\95A3.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 11762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4696 -ip 46961⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\49E5.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\8D25.exeFilesize
9.9MB
MD52627387eb5495186ee3850fdc0b2ebde
SHA18c062c24ad34332f8033a8cac193e4519d3d7534
SHA2569e86e4796a51e2cae9487ec086aa2159b65a037808e70a0e7dbaf5a946a8801e
SHA5120c86e0b5de1b149913b7039fcc3fb8dcc17112617a5af731c3c90d6c822dbb7f2f5660e5790d0c134437383d5b6a71176839c0125c6c391f4ea26ffce0480b25
-
C:\Users\Admin\AppData\Local\Temp\9208.exeFilesize
421KB
MD59185b776b7a981d060b0bb0d7ffed201
SHA1427982fb520c099e8d2e831ace18294ade871aff
SHA25691a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b
SHA512cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8
-
C:\Users\Admin\AppData\Local\Temp\95A3.exeFilesize
394KB
MD58c4612c794f1f3e26f0daaf1f79f6de6
SHA1a35fc343200720fd83a8b4b55cbfb0ad67772c67
SHA256882c935d0940c60b5b9474ab3e911380cff690c2a46945e5aa0179712275003c
SHA51247297da97c4aa38a0fbc2cb7a61633f43dc2446d5e4c12568b06951c349aa7c77f41254f7c93d7752ab3f673262e338f4c3c2968ba0045ef0670095928dd9621
-
C:\Users\Admin\AppData\Roaming\iwfbihdFilesize
307KB
MD5cf3c1c8bf8cb2a7c77f976c30bb1db06
SHA196660806f005a84bdac81a649a3118ac0f9605fc
SHA256beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0
SHA5122fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4
-
memory/1188-52-0x00007FF70E8E0000-0x00007FF70F326000-memory.dmpFilesize
10.3MB
-
memory/2416-23-0x0000000001B80000-0x0000000001C80000-memory.dmpFilesize
1024KB
-
memory/2416-24-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/2416-26-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/3156-25-0x0000000002D30000-0x0000000002D46000-memory.dmpFilesize
88KB
-
memory/3156-4-0x0000000002F70000-0x0000000002F86000-memory.dmpFilesize
88KB
-
memory/3156-46-0x0000000002F60000-0x0000000002F61000-memory.dmpFilesize
4KB
-
memory/4268-7-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/4268-1-0x0000000001CD0000-0x0000000001DD0000-memory.dmpFilesize
1024KB
-
memory/4268-8-0x0000000001B70000-0x0000000001B7B000-memory.dmpFilesize
44KB
-
memory/4268-3-0x0000000000400000-0x0000000001A18000-memory.dmpFilesize
22.1MB
-
memory/4268-2-0x0000000001B70000-0x0000000001B7B000-memory.dmpFilesize
44KB
-
memory/4696-51-0x0000000000400000-0x0000000001A2E000-memory.dmpFilesize
22.2MB