Overview
Score: 10

Tasks (name, platform: score):
Static (static): 3
3d2c39385f...87.exe, windows7-x64: 10
3d2c39385f...87.exe, windows10-2004-x64: 10
$PLUGINSDIR/INetC.dll, windows7-x64: 3
$PLUGINSDIR/INetC.dll, windows10-2004-x64: 3
$PLUGINSDI...em.dll, windows7-x64: 3
$PLUGINSDI...em.dll, windows10-2004-x64: 3
$PLUGINSDI...ec.dll, windows7-x64: 3
$PLUGINSDI...ec.dll, windows10-2004-x64: 3
$PLUGINSDI...ll.dll, windows7-x64: 3
$PLUGINSDI...ll.dll, windows10-2004-x64: 3
$PLUGINSDI...ry.dll, windows7-x64: 3
$PLUGINSDI...ry.dll, windows10-2004-x64: 3
Lucasrt.exe, windows7-x64: 10
Lucasrt.exe, windows10-2004-x64: 10
libeay32.dll, windows7-x64: 1
libeay32.dll, windows10-2004-x64: 1
ssleay32.dll, windows7-x64: 1
ssleay32.dll, windows10-2004-x64: 1

Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 08:36
Static task: static1

Behavioral tasks (task: Sample, Resource):
behavioral1: 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe, win7-20240215-en
behavioral2: 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe, win10v2004-20240419-en
behavioral3: $PLUGINSDIR/INetC.dll, win7-20240221-en
behavioral4: $PLUGINSDIR/INetC.dll, win10v2004-20240419-en
behavioral5: $PLUGINSDIR/System.dll, win7-20240221-en
behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240419-en
behavioral7: $PLUGINSDIR/nsExec.dll, win7-20240215-en
behavioral8: $PLUGINSDIR/nsExec.dll, win10v2004-20240419-en
behavioral9: $PLUGINSDIR/nsisFirewall.dll, win7-20231129-en
behavioral10: $PLUGINSDIR/nsisFirewall.dll, win10v2004-20240419-en
behavioral11: $PLUGINSDIR/registry.dll, win7-20240221-en
behavioral12: $PLUGINSDIR/registry.dll, win10v2004-20240419-en
behavioral13: Lucasrt.exe, win7-20240220-en
behavioral14: Lucasrt.exe, win10v2004-20240419-en
behavioral15: libeay32.dll, win7-20240419-en
behavioral16: libeay32.dll, win10v2004-20240419-en
behavioral17: ssleay32.dll, win7-20240221-en
behavioral18: ssleay32.dll, win10v2004-20240419-en
General
Target: 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
Size: 4.0MB
MD5: fb0674fb9aac68ea53ec651f88d182c4
SHA1: 841e243b1b5f409fc1c7c8e8cd273b1db405e445
SHA256: 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
SHA512: c84467779c8c37ff6daf268707e4bdb9b6c1baa0a99cd8771f52d2a5bddbf9ea6f82fa83bf787d42fc41a02366ef08c10be9397c4fcd6ff1f9809df3c771bc12
SSDEEP: 98304:C3dlA1MK9St7zGBYFXdou9kN98oVB0iPBziWI:Y6jJYFRaoiZS
Malware Config
Extracted
Protocol: ftp
Host: files.000webhost.com
Port: 21
Username: peg-top-hub
Signatures
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can alter the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
Caveat: these three values are OID-name registrations that certutil.exe itself writes under CryptDllFindOIDInfo whenever it runs, so they appear in almost any trace that invokes certutil and are not, by themselves, evidence that the sample tampered with signature validation. The behaviour worth following up is how certutil was used: the installer spawned cmd.exe to run certutil -f -decodehex on ID.txt in %TEMP%, decoding a dropped hex-encoded file in place (see the process tree below).
Checks computer location settings 2 TTPs 1 IoCs
Reads the country code configured in the registry (Control Panel\International\Geo\Nation), a lookup commonly used for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | Lucasrt.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lucasrt.lnk | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
Executes dropped EXE 2 IoCs
pid | Process
3692 | Lucasrt.exe
3920 | Lucasrt.exe
Loads dropped DLL 11 IoCs
pid | Process | count
4204 | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe | 7
3692 | Lucasrt.exe | 2
3920 | Lucasrt.exe | 2
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Lucasrt = "\"C:\\Program Files (x86)\\Lucasrt\\Lucasrt\"" | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Lucasrt\Lucasrt.exe | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
File created | C:\Program Files (x86)\Lucasrt\ssleay32.dll | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
File created | C:\Program Files (x86)\Lucasrt\libeay32.dll | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is force-created (/f) from an XML file in %TEMP% under the name of a built-in Windows task, \microsoft\windows\defrag\scheduleddefrag, which replaces the legitimate definition and hides the persistence behind a familiar task name.
pid | Process
3036 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | count
3692 | Lucasrt.exe | 8
3920 | Lucasrt.exe | 8

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3692 | Lucasrt.exe
Token: SeTakeOwnershipPrivilege | 3920 | Lucasrt.exe
Token: SeTcbPrivilege | 3920 | Lucasrt.exe
Token: SeTcbPrivilege | 3920 | Lucasrt.exe

Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process | count
3692 | Lucasrt.exe | 4
3920 | Lucasrt.exe | 4

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target | count
PID 4204 wrote to memory of 3692 | 4204 | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe | 84 | 3
PID 4204 wrote to memory of 2172 | 4204 | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe | 99 | 3
PID 2172 wrote to memory of 5088 | 2172 | cmd.exe | 101 | 3
PID 4204 wrote to memory of 3656 | 4204 | 3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe | 102 | 3
PID 3656 wrote to memory of 3036 | 3656 | cmd.exe | 104 | 3
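The scheduled-task signature above only records that schtasks ran. What a responder actually wants to know is what the XML registered under \microsoft\windows\defrag\scheduleddefrag now executes. The following check is an added example (not Triage's code and not the sample's): it parses a task definition and compares its Exec action with what Windows ships for that task name. The report does not capture LogFile.xml, so the two task definitions below are constructed: one assumes the task was repointed at the dropped Lucasrt.exe, the other is a defrag-style definition for contrast. The expected-action table is likewise an assumption limited to that one task.

```python
"""Audit a Windows scheduled-task XML for a built-in Microsoft task name whose
action has been redirected to a non-Windows binary.

Added example for this report; not Triage's code and not the sample's.
LogFile.xml was not captured, so SAMPLE_TASK_XML is a CONSTRUCTED guess at
what it contained, and BENIGN_TASK_XML is a constructed defrag-style task.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# What Windows normally runs for this task name (assumption for this example).
EXPECTED_ACTIONS = {
    "\\microsoft\\windows\\defrag\\scheduleddefrag": "%windir%\\system32\\defrag.exe",
}

# Constructed: a task definition repointed at the dropped binary and hidden.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files (x86)\\Lucasrt\\Lucasrt.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed: what an untouched defrag task action looks like.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>
  </Actions>
</Task>"""


def task_actions(xml_text):
    """Return [(command, arguments)] for every <Exec> action in the task."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd.strip().strip('"'), args.strip()))
    return actions


def normalize(path):
    """Lower-case a command path and expand the two variables task XML commonly uses."""
    p = path.strip().strip('"').lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "c:\\windows")
    return p


def audit_task(task_name, xml_text):
    """Return a list of findings; an empty list means the task looks as expected."""
    findings = []
    expected = EXPECTED_ACTIONS.get(task_name.lower())
    for cmd, _args in task_actions(xml_text):
        norm = normalize(cmd)
        if expected is not None and norm != normalize(expected):
            findings.append(f"{task_name}: action {cmd!r} differs from expected {expected!r}")
        if not norm.startswith("c:\\windows\\"):
            findings.append(f"{task_name}: action runs from outside C:\\Windows: {cmd!r}")
    root = ET.fromstring(xml_text)
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append(f"{task_name}: task is marked Hidden")
    return findings


if __name__ == "__main__":
    name = "\\microsoft\\windows\\defrag\\scheduleddefrag"
    for label, xml_text in (("constructed LogFile.xml", SAMPLE_TASK_XML), ("defrag-style task", BENIGN_TASK_XML)):
        print(label, audit_task(name, xml_text) or ["ok"])
```

On a live host the same check runs against the XML that schtasks /query /XML /TN \microsoft\windows\defrag\scheduleddefrag returns (or the file under C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag); pass that text to audit_task in place of the constructed strings. Because the sample used /f, the original definition is gone, so the comparison against a known-good action is what tells you the task was hijacked rather than merely re-enabled.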
Processes
(indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe"
  PID: 4204
  Signatures: Drops startup file; Loads dropped DLL; Adds Run key to start application; Drops file in Program Files directory; Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Lucasrt\Lucasrt.exe
    Command line: "C:\Program Files (x86)\Lucasrt\Lucasrt.exe"
    PID: 3692
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Lucasrt\Lucasrt.exe
      Command line: "C:\Program Files (x86)\Lucasrt\Lucasrt.exe" -second
      PID: 3920
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c certutil -f -decodehex C:\Users\Admin\AppData\Local\Temp\ID.txt C:\Users\Admin\AppData\Local\Temp\ID.txt>nul
    PID: 2172
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\certutil.exe
      Command line: certutil -f -decodehex C:\Users\Admin\AppData\Local\Temp\ID.txt C:\Users\Admin\AppData\Local\Temp\ID.txt
      PID: 5088
      Signatures: Manipulates Digital Signatures

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SchTasks /create /f /XML %temp%\LogFile.xml /TN \microsoft\windows\defrag\scheduleddefrag && schtasks /Change /TN \microsoft\windows\defrag\scheduleddefrag /ENABLE && schtasks /run /TN \microsoft\windows\defrag\scheduleddefrag
    PID: 3656
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: SchTasks /create /f /XML C:\Users\Admin\AppData\Local\Temp\LogFile.xml /TN \microsoft\windows\defrag\scheduleddefrag
      PID: 3036
      Signatures: Creates scheduled task(s)
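The tree above is a compact example of three detection-worthy relationships: an installer running from %TEMP% launching cmd.exe, certutil being used as an in-place hex decoder on a file in a user-writable directory, and schtasks force-creating a built-in Microsoft task name from an XML in %TEMP%. The detection logic below is an added example (not Triage's signature code and not the sample's) that runs those three rules over process-creation events. The EVENTS list is constructed from the tree: pids, images and command lines are taken from the report as shown, while the installer's own parent is not shown, so its ppid is None.

```python
"""Process-creation detection rules for the pattern in the process tree:
LOLBins launched by a process in a user-writable path, certutil used as a
file decoder, and schtasks /create /f overwriting a built-in task name from
a user-writable XML.

Added example for this report; not Triage's code and not the sample's.
EVENTS is CONSTRUCTED from the process tree; the installer's parent pid is
not in the report and is recorded as None.
"""
import re

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
INSTALLER = TEMP + "\\3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87.exe"
LUCASRT = "C:\\Program Files (x86)\\Lucasrt\\Lucasrt.exe"
TASK = "\\microsoft\\windows\\defrag\\scheduleddefrag"

EVENTS = [
    {"pid": 4204, "ppid": None, "image": INSTALLER, "cmdline": f'"{INSTALLER}"'},
    {"pid": 3692, "ppid": 4204, "image": LUCASRT, "cmdline": f'"{LUCASRT}"'},
    {"pid": 3920, "ppid": 3692, "image": LUCASRT, "cmdline": f'"{LUCASRT}" -second'},
    {"pid": 2172, "ppid": 4204, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c certutil -f -decodehex {TEMP}\\ID.txt {TEMP}\\ID.txt>nul'},
    {"pid": 5088, "ppid": 2172, "image": "C:\\Windows\\SysWOW64\\certutil.exe",
     "cmdline": f"certutil -f -decodehex {TEMP}\\ID.txt {TEMP}\\ID.txt"},
    {"pid": 3656, "ppid": 4204, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /c SchTasks /create /f /XML %temp%\\LogFile.xml /TN {TASK} '
                f"&& schtasks /Change /TN {TASK} /ENABLE && schtasks /run /TN {TASK}"},
    {"pid": 3036, "ppid": 3656, "image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "cmdline": f"SchTasks /create /f /XML {TEMP}\\LogFile.xml /TN {TASK}"},
]

# Locations a standard user can write to; a system binary reading from or
# being launched out of one of these is the interesting case.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|%temp%|%appdata%", re.I)
# /TN pointing into the Microsoft\Windows task folder (built-in task names).
BUILTIN_TASK = re.compile(r"/tn\s+\\?microsoft\\windows\\", re.I)
LOLBINS = {"cmd.exe", "certutil.exe", "schtasks.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_certutil_decoder(ev):
    """certutil decoding/encoding/fetching a file that lives in a user-writable path."""
    if image_name(ev["image"]) != "certutil.exe":
        return None
    cl = ev["cmdline"].lower()
    if not re.search(r"\s-(decodehex|decode|encode|urlcache)\b", cl):
        return None
    if not USER_WRITABLE.search(cl):
        return None
    return "certutil used as a file decoder on a user-writable path"


def rule_schtasks_hijack(ev):
    """schtasks /create reading XML from a user-writable path or force-replacing a built-in task."""
    if image_name(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/create" not in cl:
        return None
    reasons = []
    xml = re.search(r"/xml\s+(\S+)", cl)
    if xml and USER_WRITABLE.search(xml.group(1)):
        reasons.append(f"task XML loaded from {xml.group(1)}")
    if "/f" in cl.split() and BUILTIN_TASK.search(cl):
        reasons.append("built-in Microsoft task name force-overwritten")
    return "; ".join(reasons) or None


def detect(events):
    """Run all rules over the events; return [(pid, message)] in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule in (rule_certutil_decoder, rule_schtasks_hijack):
            msg = rule(ev)
            if msg:
                findings.append((ev["pid"], msg))
        parent = by_pid.get(ev["ppid"])
        name = image_name(ev["image"])
        if parent and name in LOLBINS and USER_WRITABLE.search(parent["image"]):
            findings.append((ev["pid"], f"{name} spawned by {parent['image']}"))
    return findings


if __name__ == "__main__":
    for pid, msg in detect(EVENTS):
        print(pid, msg)
```

The rules key on the child image rather than on the cmd.exe wrapper, so the same logic works whether the installer calls certutil directly or through cmd /c as it does here. The parent-path rule is the cheapest of the three and catches both cmd.exe launches (pids 2172 and 3656) before their payload commands even run; the certutil rule fires on pid 5088 and the schtasks rule on pid 3036 with both reasons, the %TEMP% XML and the forced overwrite of a Microsoft task name.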
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 11.2MB
MD5: 51ffec7d16d89f59784e7cfad795df3c
SHA1: 1c0a5ad4fd9c74f829b63e7b8bfe897120d24f00
SHA256: dae52d89f6b61329c806fd90b0e13fc3c3cf2cb5761b50321039b838ac0bc343
SHA512: 5936e9d854c070e5d3ff8b31937729574a3d6cf69967558d8e6dc0096c720e44df0d59bf5ab419b73c44909d3e04f9b8da47f64c960ac338ff5e73f8749bba5d

Filesize: 1.3MB
MD5: 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1: a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256: a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512: 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Filesize: 337KB
MD5: 5c268ca919854fc22d85f916d102ee7f
SHA1: 0957cf86e0334673eb45945985b5c033b412be0e
SHA256: 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512: 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Filesize: 818B
MD5: 848c499236ffa20d740b173e146603d7
SHA1: 017772b5cb43fb11beebbb143cea5b878f9ecf63
SHA256: 1784861dfd67e58fd454b789a1f4b5e7a18b1ef215a3be768f40529a798251e2
SHA512: 3d44bc0313dcd67e889e91fd10ff4f6baa7ef9f3ed1df56c5a6b72cc7e4769f1b2882aa4a21af240e7435604fb3a5d1fa63953525505d5e7973391f7b58976af

Filesize: 409B
MD5: 7f2aa10e1263463c98741016ac78d7f6
SHA1: de6f9d85aff9a7a85afdb6ec0cc46fae4c1d0bec
SHA256: 2627fce97173889fcac2efe723d4f2e6cc783a715d73b38af1bce867b33b8989
SHA512: ede1bc77cd7d1354324d9cb164ffe27f1f9ec9dc6666435a09858f018103df9c82b29c90a3223d28a4e3ea354b7cabe114d50e123fce3dab6092f37e1bb3b5f8

Filesize: 21KB
MD5: 2b342079303895c50af8040a91f30f71
SHA1: b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256: 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512: 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Filesize: 11KB
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Filesize: 6KB
MD5: 293165db1e46070410b4209519e67494
SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Filesize: 8KB
MD5: 69f2e8c6fd141e9e720b2c4c366a8154
SHA1: a6279d93a102b6d7608dced32a36ddcd3e51994c
SHA256: 2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107
SHA512: bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2

Filesize: 24KB
MD5: 2b7007ed0262ca02ef69d8990815cbeb
SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f
SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
SHA512: aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca