lumma | d79249047c64182675f0f3a6ad19b30b73ad935acb81ab00a98453e896453a47

Analysis

max time kernel
95s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe
Size

282KB
MD5

7676e9e26e9d68ed4333b48962e246df
SHA1

8acf019a18dcf8e817a5665fcbb9a2e17e5d448a
SHA256

fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1
SHA512

4d8b18a648d5248291714868d0bfa56e8f3e051b8db18551c4c422278767111766e1dfdc373ccddd0d6139f932dc273258113a69aff79c057716e80a1b2f5c22
SSDEEP

6144:sobHX7AuhXt+uvGlAs5Y9hpgeGnXU0ms3HxpRxIEt4V68EO:lbHc2TeteqE0tXxpMECVZEO

Score

10^/10

lumma stealc vidar default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Detect Vidar Stealer 22 IoCs

stealer

resource	yara_rule
behavioral2/memory/4580-4-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-9-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-7-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-25-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-26-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-42-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-43-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-59-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-60-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-85-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-86-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-93-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4580-94-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-157-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-160-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-162-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-250-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-269-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-284-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4704-285-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4784-286-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/4784-287-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 5 IoCs

pid	Process
2292	JEGHJKFHJJ.exe
3760	DGCGDBGCAA.exe
4680	BGDAKEHIID.exe
2460	AdminIDHCGDAFBK.exe
808	AdminBGDAKEHIID.exe

Loads dropped DLL 4 IoCs

pid	Process
4580	RegAsm.exe
4580	RegAsm.exe
4196	RegAsm.exe
4196	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 2292 set thread context of 3368	2292	JEGHJKFHJJ.exe	100
PID 3760 set thread context of 4196	3760	DGCGDBGCAA.exe	107
PID 4680 set thread context of 4704	4680	BGDAKEHIID.exe	110
PID 2460 set thread context of 2980	2460	AdminIDHCGDAFBK.exe	122
PID 808 set thread context of 4784	808	AdminBGDAKEHIID.exe	124

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DGCGDBGCAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JEGHJKFHJJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BGDAKEHIID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIDHCGDAFBK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBGDAKEHIID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2560	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4580	RegAsm.exe
4580	RegAsm.exe
4580	RegAsm.exe
4580	RegAsm.exe
4580	RegAsm.exe
4580	RegAsm.exe
4196	RegAsm.exe
4196	RegAsm.exe
4580	RegAsm.exe
4580	RegAsm.exe
4704	RegAsm.exe
4704	RegAsm.exe
4196	RegAsm.exe
4196	RegAsm.exe
4704	RegAsm.exe
4704	RegAsm.exe
4784	RegAsm.exe
4784	RegAsm.exe
4784	RegAsm.exe
4784	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 532	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	84
PID 1788 wrote to memory of 532	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	84
PID 1788 wrote to memory of 532	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	84
PID 1788 wrote to memory of 3088	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	85
PID 1788 wrote to memory of 3088	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	85
PID 1788 wrote to memory of 3088	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	85
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 1788 wrote to memory of 4580	1788	fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe	86
PID 4580 wrote to memory of 2292	4580	RegAsm.exe	97
PID 4580 wrote to memory of 2292	4580	RegAsm.exe	97
PID 4580 wrote to memory of 2292	4580	RegAsm.exe	97
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 2292 wrote to memory of 3368	2292	JEGHJKFHJJ.exe	100
PID 4580 wrote to memory of 3760	4580	RegAsm.exe	101
PID 4580 wrote to memory of 3760	4580	RegAsm.exe	101
PID 4580 wrote to memory of 3760	4580	RegAsm.exe	101
PID 3760 wrote to memory of 1332	3760	DGCGDBGCAA.exe	103
PID 3760 wrote to memory of 1332	3760	DGCGDBGCAA.exe	103
PID 3760 wrote to memory of 1332	3760	DGCGDBGCAA.exe	103
PID 3760 wrote to memory of 1868	3760	DGCGDBGCAA.exe	104
PID 3760 wrote to memory of 1868	3760	DGCGDBGCAA.exe	104
PID 3760 wrote to memory of 1868	3760	DGCGDBGCAA.exe	104
PID 3760 wrote to memory of 4312	3760	DGCGDBGCAA.exe	105
PID 3760 wrote to memory of 4312	3760	DGCGDBGCAA.exe	105
PID 3760 wrote to memory of 4312	3760	DGCGDBGCAA.exe	105
PID 3760 wrote to memory of 3784	3760	DGCGDBGCAA.exe	106
PID 3760 wrote to memory of 3784	3760	DGCGDBGCAA.exe	106
PID 3760 wrote to memory of 3784	3760	DGCGDBGCAA.exe	106
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 3760 wrote to memory of 4196	3760	DGCGDBGCAA.exe	107
PID 4580 wrote to memory of 4680	4580	RegAsm.exe	108
PID 4580 wrote to memory of 4680	4580	RegAsm.exe	108
PID 4580 wrote to memory of 4680	4580	RegAsm.exe	108
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110
PID 4680 wrote to memory of 4704	4680	BGDAKEHIID.exe	110

C:\Users\Admin\AppData\Local\Temp\fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe
"C:\Users\Admin\AppData\Local\Temp\fc810b97cdfebeaa268367812e5e94175e4b47c150a136a4c596c86a6432b4f1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\ProgramData\JEGHJKFHJJ.exe
    "C:\ProgramData\JEGHJKFHJJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3368
- - C:\ProgramData\DGCGDBGCAA.exe
    "C:\ProgramData\DGCGDBGCAA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIDHCGDAFBK.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
      - C:\Users\AdminIDHCGDAFBK.exe
        
        "C:\Users\AdminIDHCGDAFBK.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBGDAKEHIID.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
      - C:\Users\AdminBGDAKEHIID.exe
        
        "C:\Users\AdminBGDAKEHIID.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
- - C:\ProgramData\BGDAKEHIID.exe
    "C:\ProgramData\BGDAKEHIID.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKKKJJJKJKFH" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGDAKEHIID.exe

Filesize
282KB

MD5
f31d21c664ded57509d1e2e1e2c73098

SHA1
58abbe186f2324eca451d3866b63ceeb924d3391

SHA256
44d0e959d4a9c31cc02dc12dacdf34b4fa4d0d9eda5a4c6d03dfff72045cda8b

SHA512
5aff27d9ffb0568072f52e51679bbd9cb3c063d7bb1c3fe658c10241b633a66738d6bd7ee2111e065a1b93098bdaa1e5da6b9b8d063fe3f1ff1de7d71d32aa53

Download Submit
C:\ProgramData\BGDAKEHIIDGD\EBAKFI

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\BGDAKEHIIDGD\EBAKFI

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\BGDAKEHIIDGD\EBAKFI

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\DGCGDBGCAA.exe

Filesize
206KB

MD5
68076ff4fb08f203da72e47f536db2d3

SHA1
c7d2df2f68fefa1b3b9ddc61809966eaa6daef49

SHA256
91f03b0ae9dcae932e3043b7cb19cf52541504e9a4510501d9cb2f1ddd6d10f4

SHA512
f400d2424839ae1ce5a362cddc759a46be3e0528d45ade309a182c202a03534acb24e90b9a02d17865c6f9a828d91d9d90927d0734ec8ffd8452a10b414ab5d6

Download Submit
C:\ProgramData\FBFCGIDA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\FCGIJKJJKEBGHJKFIDGC

Filesize
11KB

MD5
cfc7db414ff51d131e2f3fc6add4fa90

SHA1
24cb8d55d4257b873f29a78b5d1e243ef9b556e2

SHA256
336ea702a673e2709914b03f9ed6a04de0716bd2a95ca3fa73e2ea74226f3473

SHA512
01dc638bee0f3a22165b760488c28db2e4cf7a6e3681c2b9b1f0e4d22cafb7e3e4c647536551541170d1e7315320db3c110cb121fae7aef8eed45d729e42088a

Download Submit
C:\ProgramData\HCFBAFID

Filesize
114KB

MD5
35fb57f056b0f47185c5dfb9a0939dba

SHA1
7c1b0bbbb77dbe46286078bca427202d494a5d36

SHA256
1dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294

SHA512
531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7

Download Submit
C:\ProgramData\JEGHJKFHJJ.exe

Filesize
321KB

MD5
5831ebced7b72207603126ed67601c28

SHA1
2ba46b54074675cc132b2c4eb6f310b21c7d7041

SHA256
02097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58

SHA512
a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
177KB

MD5
9d63ac802a3eb229441b7ffee2c74d90

SHA1
050dd2c300255d02c83ce1eaba55e6cc054a81b4

SHA256
f0f79ec0f0d7066c85c30b20ce1307b1d4cb1d200acc75da5495e391c4d51c4e

SHA512
c9138307b7c4ae9d9e0b76b76ac20005bf858888be0c7c3a0b6220ca1fefefac7603dc0ef558f3477f1e7d2b1b420f6180f409e8e94abb37aa3f0f8800a5e9b7

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\nss3.dll

Filesize
115KB

MD5
c0294b7baeb5d4fdbb26d185c0e4748e

SHA1
894b988a13e6ce7f14d1acbb6d82a0921a568b95

SHA256
2a9ddf3a281dc29316fc5ed583c95d756963ce08b5819e7df10ee70084b81140

SHA512
e2e59d20a69088c80d7e332550912171719d81f22755588844b26a267a765e0654dd6362d068c10ef0d83713db13e6821ff07c8fb1962b4652a0649d286099b3

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
ef96d5be97bde25484b4ead9e398f048

SHA1
43585d5aec977637219d0aa3b6afaff495ea107e

SHA256
6ae523a64f736d2653f2f62a183b4e28e3bf9f123883c21de5343899d05a8490

SHA512
f8d526c18e339b478162700113a35362a2e4ed4c17f011583d60ce3815565145ca16543ef88487aee37b06bded76a313b7ec54f0ae8f9f5ace1039affe04a109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
20c76cb66f8445aae2e06a51d36214c3

SHA1
25fa813cac96b5075e0963de5dbc8ec5fb2d9126

SHA256
5ce954bfecef5d9967d1d3b5f05879615a75ec21af03940118ae7bcda569c823

SHA512
576f59686d06b06b9f2f46d6f3d703d9941208466b9d25f8ea54ef6b7faf20740eb4bb203ea0bae75dbea24b1553352d56c463d23540131053c179d96b83ae3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
605ba5b9f6e318cf5ff7e04ca692d865

SHA1
bffb9580f2445fce2ecbbe7136df2c7a0bd4cab8

SHA256
229b386c2065cfa8333f26ec11eef5b310191e3ea3c4e2faf8e352af03bbcf85

SHA512
f9ff561285b6b2b13562e3c557edfd427380106126c3d9da23b0e9a883a517d47f2431cbd80717329921967e13a23425967252e2186d528e1452cb3bdaa75adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
00abb5ffea9243cc2c77131a0237ffc8

SHA1
8e4094f3b98d3a5196415cb9de85b586d9b28d05

SHA256
0d97458502237fcfb5a61d6a28606ad4792036bbfc511d7e15c556a1ea5e7a8a

SHA512
28f40822400483543c035a0553b3d9146f23044c37dcbe3dca7bf52ef66fdb573619953ed971b82017d80a4061028385f503e0f89dfb35a304c101b9c68fcb7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
9b74bd1dc43c8125d535451406736952

SHA1
88acb4152cac1a4d3f65528c9f3bd7aa9ebacc0a

SHA256
d3f3480fe789c6f022f2ea86d40a894a406026d4e57777730b3e39fcaa13d3e9

SHA512
a1719ee708a0ddf42d80cdea1a0adce5738d135276671c6b59589a4cdc460b32efbc50b742a339e6fdc51ea23ba4e4b9d1f649eb3ce3e66207acd1e98a5541e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
71d016de1b606726bb2f4bbce1cce6ee

SHA1
6b3f0bb1afc0f8b42ff852cb52c31e355909dc9c

SHA256
9aedcc700bb36bbb2bdc54741e44946a24e026e289380d45cdd64578415f1db0

SHA512
37c0cbb130f3d84b1b956f6ab548ff2950a9b4eb235d08617fab1b30b7647ab724413b7495a29ab7910a88e34e9ec9284542470510560d820f35903316f1ee5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminIDHCGDAFBK.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
memory/1788-67-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/1788-1-0x00000000008F0000-0x000000000093A000-memory.dmp

Filesize
296KB

Download
memory/1788-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/1788-13-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/2292-120-0x0000000072180000-0x0000000072930000-memory.dmp

Filesize
7.7MB

Download
memory/2292-117-0x0000000072180000-0x0000000072930000-memory.dmp

Filesize
7.7MB

Download
memory/2292-108-0x000000007218E000-0x000000007218F000-memory.dmp

Filesize
4KB

Download
memory/2292-109-0x0000000000D20000-0x0000000000D74000-memory.dmp

Filesize
336KB

Download
memory/2980-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3368-112-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3368-115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3368-119-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3760-134-0x0000000000EF0000-0x0000000000F28000-memory.dmp

Filesize
224KB

Download
memory/4196-137-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4196-139-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/4196-165-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4580-25-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-86-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-9-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-43-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-93-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-28-0x00000000226D0000-0x000000002292F000-memory.dmp

Filesize
2.4MB

Download
memory/4580-60-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-85-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-26-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-94-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-7-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-59-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4580-42-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4680-154-0x0000000000FB0000-0x0000000000FFA000-memory.dmp

Filesize
296KB

Download
memory/4704-162-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-269-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-270-0x0000000022580000-0x00000000227DF000-memory.dmp

Filesize
2.4MB

Download
memory/4704-284-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-160-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-157-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-250-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4704-285-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4784-286-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4784-287-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download