lumma | ed59e78a2d10d6efec14c037d13d029d43a38f5a0ec1d441b3490e105a620913

Analysis

max time kernel
69s
max time network
76s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.4MB
MD5

021d0c04cb4de2638dbd89de7625f9b7
SHA1

054945dca5b06ea8cdb7f00571084d406a3ff95c
SHA256

ed59e78a2d10d6efec14c037d13d029d43a38f5a0ec1d441b3490e105a620913
SHA512

d20da669fc476ff5ba15fcb4e57d620b2b1769406c653abd647eeb67cf77d3dce087c97789a175de47dd15bdce72c5ea8d1e0df58939854c1b21ff5ad66a4357
SSDEEP

98304:igaE6aTO7kajvPkgKBS58lw6CN5HY0qxG1drEqNXn6NyjeftKFPksryk:i0XTPK5B+cN1Y0qxMdRNXnXCtK7ek

Score

10^/10

lumma vidar 0076b6a02eb028dde461f6494f955b49 ffa0fc7713f6625bf874f947bcf3df53 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

0076b6a02eb028dde461f6494f955b49

https://t.me/jamsemlg

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

Extracted

Family

vidar

Version

Botnet

ffa0fc7713f6625bf874f947bcf3df53

https://t.me/jamsemlg

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://offensivedzvju.shop/api

Signatures

Detect Vidar Stealer 18 IoCs

stealer

resource	yara_rule
behavioral1/memory/2804-15-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-20-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-22-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-26-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-12-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-10-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-168-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-213-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-222-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-276-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-287-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-306-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/2804-472-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/1600-485-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/1600-489-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/1600-483-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7
behavioral1/memory/1600-481-0x0000000000400000-0x0000000000B77000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1244	GCFBAKKJDB.exe
1104	HDGIJJDGCB.exe

Loads dropped DLL 8 IoCs

pid	Process
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 2804	2888	file.exe	30
PID 1244 set thread context of 1000	1244	GCFBAKKJDB.exe	35
PID 1104 set thread context of 1600	1104	HDGIJJDGCB.exe	41

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GCFBAKKJDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDGIJJDGCB.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1100	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
2804	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2888 wrote to memory of 2804	2888	file.exe	30
PID 2804 wrote to memory of 1244	2804	RegAsm.exe	33
PID 2804 wrote to memory of 1244	2804	RegAsm.exe	33
PID 2804 wrote to memory of 1244	2804	RegAsm.exe	33
PID 2804 wrote to memory of 1244	2804	RegAsm.exe	33
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 1244 wrote to memory of 1000	1244	GCFBAKKJDB.exe	35
PID 2804 wrote to memory of 1104	2804	RegAsm.exe	36
PID 2804 wrote to memory of 1104	2804	RegAsm.exe	36
PID 2804 wrote to memory of 1104	2804	RegAsm.exe	36
PID 2804 wrote to memory of 1104	2804	RegAsm.exe	36
PID 2804 wrote to memory of 1496	2804	RegAsm.exe	38
PID 2804 wrote to memory of 1496	2804	RegAsm.exe	38
PID 2804 wrote to memory of 1496	2804	RegAsm.exe	38
PID 2804 wrote to memory of 1496	2804	RegAsm.exe	38
PID 1496 wrote to memory of 1100	1496	cmd.exe	40
PID 1496 wrote to memory of 1100	1496	cmd.exe	40
PID 1496 wrote to memory of 1100	1496	cmd.exe	40
PID 1496 wrote to memory of 1100	1496	cmd.exe	40
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41
PID 1104 wrote to memory of 1600	1104	HDGIJJDGCB.exe	41

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\ProgramData\GCFBAKKJDB.exe
    "C:\ProgramData\GCFBAKKJDB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1000
- - C:\ProgramData\HDGIJJDGCB.exe
    "C:\ProgramData\HDGIJJDGCB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BFIJKEBFBFHI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DBFBFBGDBKJJ\FCAAAA

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
030d99fd05e6f42d8863342ac9a5a463

SHA1
a9b7830eca2fdc5e383fd006da0bfd263eee0bc0

SHA256
cefff59f96b12466fee14e10307f63c88b32189c4d83fb3ef2b0146e8f34315d

SHA512
d97560a4863a2e0d23aefdfe9afc6b782b0582a4e832cd78738c3a11e0cb55177624b37133ba953d1086be59e2b433438c4ab33427cf27b6fbc7410fd11fb9a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e37e924324c6c331da65b1f195adb55

SHA1
a8696194f5ed3da13d1c350351812350786caf1d

SHA256
38c20a9a117d443c63e355472bb988c93737ee3bb2c740318c491bfce53081d9

SHA512
acd10382ef965f3dc2e2e6b7d1fd4194b545408f2008ccccf5aa6dc7cada492afbf07ca46ccaec418853daa2acbdb4374a17da1037fd9493ec6eb4116c1d9674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9dd233f23c232ab3457ab8c0887646a

SHA1
967bef16f5e39ee137d987f49054bd23dded9cd3

SHA256
042908b598fc8a2076e2b8eb7049f32780ae99a43014978fe8a028cc6c5bcbc4

SHA512
a72bd7d87b3b48f9295d7280a36dab0f5533dda725826ac337a93a47cd574e7c8e6c66c68740fc7370c83baf95e318fa293bfff365ae9f7a083b92f533f582ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca1099fe7c3d3081053a46051099120d

SHA1
5d9c77900702b721331a3530c45c5bb3f5fdba8a

SHA256
273414d1ec875e8e5364fd95f30b7e7cb4672bd2f1a0736f6cf9dce1768a17b6

SHA512
d08ae25623146e3fd4e0b484ba3fb3fa27ee3ac1f06bccf82086f9452ce74044cde2a892ae0909cb21e31182bfbcb6937c25c044fba5a19a658f04a82d4cc6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\76561199780418869[1].htm

Filesize
33KB

MD5
c31be5c54b6c09a9812fa1955734ef43

SHA1
9f49a4b9367f3bb3abfc3a246bdd433071e00ef0

SHA256
cfc32bf59a7db83db4db4589c206b4d7fc39a52dff8d665b38a2f98eabe4ca23

SHA512
e0e1a9fc0ee406817035335253dd079596207e73fa2acf32bd1a75906da0b65893b1e5253e8ca900ee439d931e45b94ab7b7d63616416a29421c7d2461066345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B02.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BA1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\GCFBAKKJDB.exe

Filesize
371KB

MD5
687846a623c1fe1da95f0fa2fe4479df

SHA1
6609d10980800b669e723d4c660c421e27695a29

SHA256
bfc7b367d52504b184d127e385219006c1efc7e985d608c000e5eb3a204fc779

SHA512
fe150d4f02532ca3d5aa37c6d14741a0a9c0290854ac6924da282ad6585b47bf98e8443aa4281ea89788b8e906f8d11d49b3e88a11e10d4d67b6e2605004a9c3

Download Submit
\ProgramData\HDGIJJDGCB.exe

Filesize
5.4MB

MD5
8d556f35d2768d27b334d0e76d4d3295

SHA1
33f2fbfe5c2b3d3d470bbf28c20e15283e20717c

SHA256
2bdab82a67299ff24cca7e0884c17fab80f45b364ba718142c80bdfbd573b581

SHA512
eadec8014bc15d1f72c44e5a45a2546a450d3c529aecc21d850ea50ebda1b5d47d569b4c6aef4215c402db87efbac7550736d28bc101d920f900ea80f83bc4ea

Download Submit
memory/1000-401-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-400-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-409-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-411-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-397-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-406-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-404-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-398-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1000-399-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1104-447-0x0000000000980000-0x0000000000EEA000-memory.dmp

Filesize
5.4MB

Download
memory/1244-407-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-410-0x0000000073140000-0x000000007382E000-memory.dmp

Filesize
6.9MB

Download
memory/1244-385-0x0000000000030000-0x0000000000090000-memory.dmp

Filesize
384KB

Download
memory/1244-384-0x000000007314E000-0x000000007314F000-memory.dmp

Filesize
4KB

Download
memory/1600-481-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-479-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-483-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-489-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-485-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-477-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/1600-486-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-18-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-12-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-287-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-276-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-222-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-213-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-187-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2804-168-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-4-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-7-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-10-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-306-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-472-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-26-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-22-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-20-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-6-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2804-15-0x0000000000400000-0x0000000000B77000-memory.dmp

Filesize
7.5MB

Download
memory/2888-25-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-9-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-0-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000A10000-0x0000000000F7A000-memory.dmp

Filesize
5.4MB

Download