lumma | beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

General

Target

beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
Size

307KB
MD5

cf3c1c8bf8cb2a7c77f976c30bb1db06
SHA1

96660806f005a84bdac81a649a3118ac0f9605fc
SHA256

beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0
SHA512

2fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4
SSDEEP

3072:Y5a5vdqPp0ekxe4H0+3bLjP4wdRNpmsLP+p2uYPrBUeSoYI6iHEXiEI7I8NU:b+Ce8QQXvRNpmP8pBUe2I6mEXiEMNU

Score

10^/10

lumma smokeloader pub1 backdoor bootkit persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

lumma

C2

https://accountasifkwosov.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3156
Executes dropped EXE 4 IoCs

Processes:

iwfbihd8D25.exe9208.exe95A3.exe

pid process

2416 iwfbihd
1188 8D25.exe
208 9208.exe
4696 95A3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

56 drive.google.com
82 raw.githubusercontent.com
84 raw.githubusercontent.com
55 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

9208.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 9208.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4924 4696 WerFault.exe 95A3.exe

pid	process
3156

pid	process
2416	iwfbihd
1188	8D25.exe
208	9208.exe
4696	95A3.exe

flow	ioc
56	drive.google.com
82	raw.githubusercontent.com
84	raw.githubusercontent.com
55	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	9208.exe

pid	pid_target	process	target process
4924	4696	WerFault.exe	95A3.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iwfbihdbeb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwfbihd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwfbihd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwfbihd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe

pid	process
4268	beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
4268	beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156
3156

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exeiwfbihd

pid process

4268 beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
2416 iwfbihd

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeShutdownPrivilege	3156
Token: SeCreatePagefilePrivilege	3156
Token: SeShutdownPrivilege	1356	explorer.exe
Token: SeCreatePagefilePrivilege	1356	explorer.exe
Token: SeShutdownPrivilege	1356	explorer.exe
Token: SeCreatePagefilePrivilege	1356	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 2188	3156		cmd.exe
PID 3156 wrote to memory of 2188	3156		cmd.exe
PID 2188 wrote to memory of 4620	2188	cmd.exe	reg.exe
PID 2188 wrote to memory of 4620	2188	cmd.exe	reg.exe
PID 3156 wrote to memory of 4520	3156		cmd.exe
PID 3156 wrote to memory of 4520	3156		cmd.exe
PID 4520 wrote to memory of 2652	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 2652	4520	cmd.exe	reg.exe
PID 3156 wrote to memory of 1188	3156		8D25.exe
PID 3156 wrote to memory of 1188	3156		8D25.exe
PID 3156 wrote to memory of 208	3156		9208.exe
PID 3156 wrote to memory of 208	3156		9208.exe
PID 3156 wrote to memory of 208	3156		9208.exe
PID 3156 wrote to memory of 4696	3156		95A3.exe
PID 3156 wrote to memory of 4696	3156		95A3.exe
PID 3156 wrote to memory of 4696	3156		95A3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe
"C:\Users\Admin\AppData\Local\Temp\beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49E5.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\605C.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4992

C:\Users\Admin\AppData\Roaming\iwfbihd
C:\Users\Admin\AppData\Roaming\iwfbihd
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2416

C:\Users\Admin\AppData\Local\Temp\8D25.exe
C:\Users\Admin\AppData\Local\Temp\8D25.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Users\Admin\AppData\Local\Temp\9208.exe
C:\Users\Admin\AppData\Local\Temp\9208.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:208

C:\Users\Admin\AppData\Local\Temp\95A3.exe
C:\Users\Admin\AppData\Local\Temp\95A3.exe
1⤵
- Executes dropped EXE
PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1176
  2⤵
  - Program crash
  PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4696 -ip 4696
1⤵
PID:4952

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49E5.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D25.exe

Filesize
9.9MB

MD5
2627387eb5495186ee3850fdc0b2ebde

SHA1
8c062c24ad34332f8033a8cac193e4519d3d7534

SHA256
9e86e4796a51e2cae9487ec086aa2159b65a037808e70a0e7dbaf5a946a8801e

SHA512
0c86e0b5de1b149913b7039fcc3fb8dcc17112617a5af731c3c90d6c822dbb7f2f5660e5790d0c134437383d5b6a71176839c0125c6c391f4ea26ffce0480b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\9208.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\95A3.exe

Filesize
394KB

MD5
8c4612c794f1f3e26f0daaf1f79f6de6

SHA1
a35fc343200720fd83a8b4b55cbfb0ad67772c67

SHA256
882c935d0940c60b5b9474ab3e911380cff690c2a46945e5aa0179712275003c

SHA512
47297da97c4aa38a0fbc2cb7a61633f43dc2446d5e4c12568b06951c349aa7c77f41254f7c93d7752ab3f673262e338f4c3c2968ba0045ef0670095928dd9621

Download Submit
C:\Users\Admin\AppData\Roaming\iwfbihd

Filesize
307KB

MD5
cf3c1c8bf8cb2a7c77f976c30bb1db06

SHA1
96660806f005a84bdac81a649a3118ac0f9605fc

SHA256
beb0d0b717d39474cdc522eea925e437dc02c260626b43db1d235640a5d568e0

SHA512
2fd14931d640159ffadc236482e8d36b5b16663b935d7bef273c149ddfd008fb9a5c280a2992a1b2f5c294ed4ce3e15101d7b7a9e05a5095b1362920033819a4

Download Submit
memory/1188-52-0x00007FF70E8E0000-0x00007FF70F326000-memory.dmp

Filesize
10.3MB

Download
memory/2416-23-0x0000000001B80000-0x0000000001C80000-memory.dmp

Filesize
1024KB

Download
memory/2416-24-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/2416-26-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/3156-25-0x0000000002D30000-0x0000000002D46000-memory.dmp

Filesize
88KB

Download
memory/3156-4-0x0000000002F70000-0x0000000002F86000-memory.dmp

Filesize
88KB

Download
memory/3156-46-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/4268-7-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/4268-1-0x0000000001CD0000-0x0000000001DD0000-memory.dmp

Filesize
1024KB

Download
memory/4268-8-0x0000000001B70000-0x0000000001B7B000-memory.dmp

Filesize
44KB

Download
memory/4268-3-0x0000000000400000-0x0000000001A18000-memory.dmp

Filesize
22.1MB

Download
memory/4268-2-0x0000000001B70000-0x0000000001B7B000-memory.dmp

Filesize
44KB

Download
memory/4696-51-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads