lumma | de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89

Analysis

max time kernel
24s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

404KB
MD5

38dabc7063c0a175a12c30bd44cf3dbc
SHA1

6d7aabebd8a417168e220c7497f4bc38c314da3b
SHA256

de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89
SHA512

674760ad37cf7886ca4cd786e4d1966d3827fdad008a85a125e18bd474d073dae8d4296427253bb86e78d3173a300611ee5eb2e01c1f968700679350fc17a24d
SSDEEP

12288:XY1HgTKqPXxbx28l1ukOy325R4RQMJnJ9w6EO:XY1AtPB0KwkU5GRnJnxt

Score

10^/10

lumma vidar a669a86f8433a1e88901711c0f772c97 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

a669a86f8433a1e88901711c0f772c97

https://t.me/jamsemlg

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

lumma

https://possiwreeste.site/api

https://underlinemdsj.site/api

https://chaptermusu.store/api

Signatures

Detect Vidar Stealer 17 IoCs

stealer

resource	yara_rule
behavioral1/memory/2160-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-24-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-21-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-16-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-12-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-158-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-177-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-207-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-226-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-306-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-358-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-377-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-420-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-439-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2160-681-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1752	HIIIJDAAAA.exe
1544	JKEBFBFIEH.exe
1588	CAEHJEBKFC.exe

Loads dropped DLL 14 IoCs

pid	Process
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2160	2000	file.exe	31
PID 1752 set thread context of 2080	1752	HIIIJDAAAA.exe	37
PID 1544 set thread context of 344	1544	JKEBFBFIEH.exe	40
PID 1588 set thread context of 2132	1588	CAEHJEBKFC.exe	43

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKEBFBFIEH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CAEHJEBKFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HIIIJDAAAA.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1144	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2132	RegAsm.exe
2160	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2000 wrote to memory of 2160	2000	file.exe	31
PID 2160 wrote to memory of 1752	2160	RegAsm.exe	35
PID 2160 wrote to memory of 1752	2160	RegAsm.exe	35
PID 2160 wrote to memory of 1752	2160	RegAsm.exe	35
PID 2160 wrote to memory of 1752	2160	RegAsm.exe	35
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 1752 wrote to memory of 2080	1752	HIIIJDAAAA.exe	37
PID 2160 wrote to memory of 1544	2160	RegAsm.exe	38
PID 2160 wrote to memory of 1544	2160	RegAsm.exe	38
PID 2160 wrote to memory of 1544	2160	RegAsm.exe	38
PID 2160 wrote to memory of 1544	2160	RegAsm.exe	38
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 1544 wrote to memory of 344	1544	JKEBFBFIEH.exe	40
PID 2160 wrote to memory of 1588	2160	RegAsm.exe	41
PID 2160 wrote to memory of 1588	2160	RegAsm.exe	41
PID 2160 wrote to memory of 1588	2160	RegAsm.exe	41
PID 2160 wrote to memory of 1588	2160	RegAsm.exe	41
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43
PID 1588 wrote to memory of 2132	1588	CAEHJEBKFC.exe	43

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\ProgramData\HIIIJDAAAA.exe
    "C:\ProgramData\HIIIJDAAAA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:2080
- - C:\ProgramData\JKEBFBFIEH.exe
    "C:\ProgramData\JKEBFBFIEH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:344
- - C:\ProgramData\CAEHJEBKFC.exe
    "C:\ProgramData\CAEHJEBKFC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2132
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGHCGIIDGD.exe"
        5⤵
        
        PID:2964
      - C:\Users\AdminCGHCGIIDGD.exe
        
        "C:\Users\AdminCGHCGIIDGD.exe"
        6⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJJDGIIDHJE.exe"
        5⤵
        
        PID:3052
      - C:\Users\AdminJJDGIIDHJE.exe
        
        "C:\Users\AdminJJDGIIDHJE.exe"
        6⤵
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHIJJJKKJJDA" & exit
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FHCGHJDB

Filesize
92KB

MD5
a58d87b023e155c10b4e15fdfc6fcb06

SHA1
0ee449b782aeac54c0406adde543f19ecd9dfd38

SHA256
331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

SHA512
1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

Download Submit
C:\ProgramData\HIDAAKEGDBFIJJKFHCFB

Filesize
6KB

MD5
676f25f6ea05592c82c1bea7a8c5dc13

SHA1
720a91d27904520b459171393facbe9b181daa18

SHA256
ed6064e1cdb6ca69a0c99b8c2c888f3295e774aa2140cdf69d3d42b65c94d68a

SHA512
fc1a859da522868808c40db94d8ed25addc5b3dc5b0bd1e339e9dadbccd6eedbc5e7a984bb0039f84345647ca6efebb218fdf9b97ff4935f32e69050c5eb638e

Download Submit
C:\ProgramData\HIIIJDAAAA.exe

Filesize
371KB

MD5
32c2e31313c3df4a7a36c72503a5beba

SHA1
1c88051112dab0e306cadd9ee5d65f8dc229f079

SHA256
f1fa2872fcd33c6dbce8d974c0c0381c0762d46a53ceaca14a29727ad02baef3

SHA512
ee04d786e53f7fa203dbc4f8c018c72a907dabbd2d1c57e219b2ccc2dbd9d79a4ee8580b98f9b5c5024e628c0207cdd2bf93b9468e457f4ee00326c7c689f1ae

Download Submit
C:\ProgramData\IEHDBAAFIDGD\HDGDHC

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\IEHDBAAFIDGD\KKJKKJ

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\freebl3.dll

Filesize
174KB

MD5
caf45b51ed5bbd93fd7cbef417b22040

SHA1
69a10d4e98ef0d4268d56e9bf587a1d6dfa7f981

SHA256
d8cec7ef55aa69fec153ab74d329439a712e4190817aa42747ac15eb691277e7

SHA512
385790c2084c285ba6c89cc1ee62637f0f83f85a87abe7c5bc40c28f9d756b473db13cdc6bebe762772abd9e1991a842f9a994a5a00c07817315e8bd1d255a39

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
13KB

MD5
e416a22acaeff6cec5aa36a72becbede

SHA1
9fefce2eafd2e79ce0f0c60e2174b0052bfd0d2f

SHA256
edc0250d8dfe5b4049a64b6171d12ad701784f4650484d35315ab5286384e79e

SHA512
8ab549504e9c7f787e4ace97bcce5eed5bd9758b8cc223eae537e5ba3dc0f22ddd84802b1c43c2e947aa0a97742793b8cd09a5563ccd21820fa00bb5c1294421

Download Submit
C:\ProgramData\nss3.dll

Filesize
7KB

MD5
850a06b0f2ba21d0bb154aed00b69db3

SHA1
82f4e4921aa97d3af4323ccc9ef4049210aff984

SHA256
84ea62cb868eba53bb43953bf623676db958cc15a3c26c4d63a9f1e483d3fd89

SHA512
9615408879787672393d5e205f596cb800217150679c76cb1fe4b37bd0d6be61057e9b4502a376e8bb253a2eea5e647c5655316543b9954b56aa4f581bbda391

Download Submit
C:\ProgramData\softokn3.dll

Filesize
174KB

MD5
e9b785d7be775ef83a5350ba209efedb

SHA1
af53cd55b4e46a9884d7b825d844b8fd5804c606

SHA256
e1824cddd2cb9bfbdb0eecec60cd0c4ec1a7b842dd5f837da6d33fa618e2213a

SHA512
3330872a3d13151748ac8118eae1eb4d9a33f030453d08380882866930cc5947aec3a47b999a7771967c8712aa6b5fcd02d7d0236855d54a5fb7a9e8554fed59

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
27KB

MD5
7a28f6711f49528bd8570d802691c347

SHA1
3f80fd332ecf46ae82cdc67aef8893e4309b3c54

SHA256
381d9b6771700cccf7c51c380b79fcea3b86fb88e231ed8f802b7b479e379fab

SHA512
8b395248619ad6fbda8fc54421ed1305925c5e16f30a23cb818c39e3720436b31bd2df22decafe07f51b12a6ca75a9acea8864d1f9e2a1560892151fafcc3889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9418e50f0eb7955c91b351611ce9c72

SHA1
06659ec5e0d202446bd1cb90c53018d6893ecc3f

SHA256
f40e59323d1dc631d31dab804c0cfd6b7a4d8cd647b6af01ebf60fd2ba4beaa4

SHA512
4e800f2f233cef891e8d4bd5510c0aab67868a0890eb7ac43f5bd63377ab129cfcc5a330d12fc95c31f65b39edd8ff2e68891bbe9ac68db4f517fe1e37ebd55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4627cc6165a1814541aae541ac35503e

SHA1
d283001d40769b508613eb2feb0e1167133fd867

SHA256
34a75f7fbb5da41d2a51af37c054a3c180cec0e1117b96eaede4ea90ecc87229

SHA512
1a8c8ab6343ddaf081eb3a3bb3cd217019b506c78eb42e473a4ae998a691c99099cdb673b68cea283ac510812a627af74bddd478fc3f69fb78eb587bdd48a090

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35a9118342c46035943645147ec50bab

SHA1
c248e8f992ba0e266532b33cfb32fc5bde3bf591

SHA256
0cb17f0a7bd403ee635a7c353022160677475e9b9c4a6296e52e5cbb84f0f1aa

SHA512
6de76e7a85d12e969e3b011a9bf7fda1dd01a979a745413835ac6a907d92f9547943f5d2eb12853a0cc652202388bd602bf0f1c0ae79392981af01ae911c0121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\76561199780418869[1].htm

Filesize
33KB

MD5
03eb857acb0111cbf9d122b0393c5606

SHA1
bd7c5ce050034391512af397bd212f82b30fd73a

SHA256
4629e4c2fd99d4fe10c32369c098fec7bc796bed4d039a9ac19dab9a026ec456

SHA512
5a6f192779a595b30aabfcd2dbf3e6e12eb0843e5333651ce9c4848956e1e979036abfee98076c240fdfc75cf730eca6e8c1e16d04a1e1e3d343d206545876e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\76561199780418869[2].htm

Filesize
33KB

MD5
a25c03c06450a51158cf21170f550957

SHA1
d6fda4304d971a86fea091ccc158ae9221f540b0

SHA256
55d7066889a9739ea8a654db939b254ca972510cdcaa071a2c8ab316d8b3bccd

SHA512
13214e4a81e757bc0fa1a9eb2a0ddaef2381c3a355ee09a56dd92ec663768cbccfc56921f0289b0980ff883cd4a28c94bf06598c62b398fdc67d24b5a3121665

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC88F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\CAEHJEBKFC.exe

Filesize
326KB

MD5
2832fbde1cf7ea83bd6fd6a4a5e8fe15

SHA1
1ced7a749d257091e0c3b75605fd3bc005e531de

SHA256
2b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375

SHA512
c69f1197a0c74d057ab569d35c9af675fc465ce6abcc6c8fc32b316d3586871a426d7ab904c43827be7413748f0f45f7f3689076ca031fd858a4a8abf78b9299

Download Submit
\ProgramData\JKEBFBFIEH.exe

Filesize
404KB

MD5
38dabc7063c0a175a12c30bd44cf3dbc

SHA1
6d7aabebd8a417168e220c7497f4bc38c314da3b

SHA256
de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89

SHA512
674760ad37cf7886ca4cd786e4d1966d3827fdad008a85a125e18bd474d073dae8d4296427253bb86e78d3173a300611ee5eb2e01c1f968700679350fc17a24d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1544-543-0x0000000000990000-0x00000000009FA000-memory.dmp

Filesize
424KB

Download
memory/1552-761-0x0000000000A60000-0x0000000000AC0000-memory.dmp

Filesize
384KB

Download
memory/1588-599-0x0000000000110000-0x0000000000166000-memory.dmp

Filesize
344KB

Download
memory/1752-493-0x00000000727CE000-0x00000000727CF000-memory.dmp

Filesize
4KB

Download
memory/1752-494-0x00000000011D0000-0x0000000001230000-memory.dmp

Filesize
384KB

Download
memory/2000-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x00000000010D0000-0x000000000113A000-memory.dmp

Filesize
424KB

Download
memory/2000-19-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2080-512-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-516-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-514-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-505-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-509-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-508-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-507-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2080-506-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2132-611-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2132-609-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2160-177-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-207-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-197-0x000000001DE20000-0x000000001E07F000-memory.dmp

Filesize
2.4MB

Download
memory/2160-358-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-306-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-439-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-158-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-681-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-226-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-12-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-16-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-420-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-377-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-21-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-24-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2160-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2188-718-0x0000000001370000-0x00000000013DA000-memory.dmp

Filesize
424KB

Download