General

  • Target

    https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqa0U5S1Z3QmdoZEtMVzhqWUtJS0lOQXNtcThkQXxBQ3Jtc0ttSm9KLWpBZkdjYjk3V3FTS1VzS2ZITzNGMHlENmJDa1hqNVdQRWJSMTBuSnFMblZsSDdRVjZVaW1jZEhGQ2hiTTdGa0hXc183cVlPZ29QR1d1OTFUTmYtU0R5T056SXF2Q2hYaGdwNGRaUGlXWG5OUQ&q=https%3A%2F%2Fupload.advgroup.ru%2FmvWwiE4h

  • Sample

    240707-fn72csvajm

Malware Config

Extracted

Family

lumma

C2

https://bitchsafettyudjwu.shop/api

Targets

    • Target

      https://www.youtube.com/redirect?event=channel_header&redir_token=QUFFLUhqa0U5S1Z3QmdoZEtMVzhqWUtJS0lOQXNtcThkQXxBQ3Jtc0ttSm9KLWpBZkdjYjk3V3FTS1VzS2ZITzNGMHlENmJDa1hqNVdQRWJSMTBuSnFMblZsSDdRVjZVaW1jZEhGQ2hiTTdGa0hXc183cVlPZ29QR1d1OTFUTmYtU0R5T056SXF2Q2hYaGdwNGRaUGlXWG5OUQ&q=https%3A%2F%2Fupload.advgroup.ru%2FmvWwiE4h

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks