lumma | de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89

Resubmissions

03-10-2024 20:46

241003-zklthazamd 10

02-10-2024 15:16

241002-snmfwawhqd 10

01-10-2024 01:49

241001-b8w3davemp 10

Analysis

max time kernel
94s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe
Size

404KB
MD5

38dabc7063c0a175a12c30bd44cf3dbc
SHA1

6d7aabebd8a417168e220c7497f4bc38c314da3b
SHA256

de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89
SHA512

674760ad37cf7886ca4cd786e4d1966d3827fdad008a85a125e18bd474d073dae8d4296427253bb86e78d3173a300611ee5eb2e01c1f968700679350fc17a24d
SSDEEP

12288:XY1HgTKqPXxbx28l1ukOy325R4RQMJnJ9w6EO:XY1AtPB0KwkU5GRnJnxt

Score

10^/10

lumma stealc vidar 8b4d47586874b08947203f03e4db3962 a669a86f8433a1e88901711c0f772c97 default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

a669a86f8433a1e88901711c0f772c97

https://t.me/jamsemlg

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://underlinemdsj.site/api

https://offeviablwke.site/api

Signatures

Detect Vidar Stealer 22 IoCs

stealer

resource	yara_rule
behavioral2/memory/1600-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-12-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-13-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-30-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-31-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-47-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-48-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-78-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-79-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-86-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1600-87-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-141-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-143-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-145-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-230-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-234-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-258-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/1068-259-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4724-278-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4724-279-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 5 IoCs

pid	Process
396	EBKEHJJDAA.exe
1736	IECBGIDAEH.exe
720	GHDHJEBFBF.exe
2236	AdminHIIDGCGCBF.exe
400	AdminGHDHJEBFBF.exe

Loads dropped DLL 4 IoCs

pid	Process
1600	RegAsm.exe
1600	RegAsm.exe
4620	RegAsm.exe
4620	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 396 set thread context of 1820	396	EBKEHJJDAA.exe	95
PID 1736 set thread context of 1068	1736	IECBGIDAEH.exe	100
PID 720 set thread context of 4620	720	GHDHJEBFBF.exe	101
PID 2236 set thread context of 4724	2236	AdminHIIDGCGCBF.exe	120
PID 400 set thread context of 4840	400	AdminGHDHJEBFBF.exe	122

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBKEHJJDAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminHIIDGCGCBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminGHDHJEBFBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IECBGIDAEH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHDHJEBFBF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4784	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1600	RegAsm.exe
1068	RegAsm.exe
1068	RegAsm.exe
4620	RegAsm.exe
4620	RegAsm.exe
4620	RegAsm.exe
4620	RegAsm.exe
1068	RegAsm.exe
1068	RegAsm.exe
4724	RegAsm.exe
4724	RegAsm.exe
4724	RegAsm.exe
4724	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4640	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	83
PID 4420 wrote to memory of 4640	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	83
PID 4420 wrote to memory of 4640	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	83
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 4420 wrote to memory of 1600	4420	de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe	84
PID 1600 wrote to memory of 396	1600	RegAsm.exe	89
PID 1600 wrote to memory of 396	1600	RegAsm.exe	89
PID 1600 wrote to memory of 396	1600	RegAsm.exe	89
PID 1600 wrote to memory of 1736	1600	RegAsm.exe	92
PID 1600 wrote to memory of 1736	1600	RegAsm.exe	92
PID 1600 wrote to memory of 1736	1600	RegAsm.exe	92
PID 396 wrote to memory of 1464	396	EBKEHJJDAA.exe	94
PID 396 wrote to memory of 1464	396	EBKEHJJDAA.exe	94
PID 396 wrote to memory of 1464	396	EBKEHJJDAA.exe	94
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 396 wrote to memory of 1820	396	EBKEHJJDAA.exe	95
PID 1600 wrote to memory of 720	1600	RegAsm.exe	97
PID 1600 wrote to memory of 720	1600	RegAsm.exe	97
PID 1600 wrote to memory of 720	1600	RegAsm.exe	97
PID 1736 wrote to memory of 3000	1736	IECBGIDAEH.exe	99
PID 1736 wrote to memory of 3000	1736	IECBGIDAEH.exe	99
PID 1736 wrote to memory of 3000	1736	IECBGIDAEH.exe	99
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 1736 wrote to memory of 1068	1736	IECBGIDAEH.exe	100
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 720 wrote to memory of 4620	720	GHDHJEBFBF.exe	101
PID 1600 wrote to memory of 392	1600	RegAsm.exe	102
PID 1600 wrote to memory of 392	1600	RegAsm.exe	102
PID 1600 wrote to memory of 392	1600	RegAsm.exe	102
PID 392 wrote to memory of 4784	392	cmd.exe	104
PID 392 wrote to memory of 4784	392	cmd.exe	104
PID 392 wrote to memory of 4784	392	cmd.exe	104
PID 4620 wrote to memory of 3212	4620	RegAsm.exe	107
PID 4620 wrote to memory of 3212	4620	RegAsm.exe	107

C:\Users\Admin\AppData\Local\Temp\de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe
"C:\Users\Admin\AppData\Local\Temp\de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\ProgramData\EBKEHJJDAA.exe
    "C:\ProgramData\EBKEHJJDAA.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1464
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
- - C:\ProgramData\IECBGIDAEH.exe
    "C:\ProgramData\IECBGIDAEH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1068
- - C:\ProgramData\GHDHJEBFBF.exe
    "C:\ProgramData\GHDHJEBFBF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIIDGCGCBF.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
      - C:\Users\AdminHIIDGCGCBF.exe
        
        "C:\Users\AdminHIIDGCGCBF.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGHDHJEBFBF.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
      - C:\Users\AdminGHDHJEBFBF.exe
        
        "C:\Users\AdminGHDHJEBFBF.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAEHJEBKFCAK" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEBKKECBGIIJ\HDAFBG

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\AEBKKECBGIIJ\JECGII

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\AEBKKECBGIIJ\JECGII

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\EBGIDGCA

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\EBKEHJJDAA.exe

Filesize
372KB

MD5
8a73502b83ceb6b31b9fefb595876844

SHA1
41094748fdc11cd79057c14c39210d6833a25323

SHA256
af60c2dd60ece7f8e83870b22b1c5c0e095c9c3669171c16eaaff406cda6eeb2

SHA512
e5bf9b9b78c8306c13df04db83bbe4c76f0914fffde4bd584a5b96da5150102167df61b1315382a5af68038c2d3cdbd2e2414082659757c402979d3c3772b82c

Download Submit
C:\ProgramData\GHDHJEBFBF.exe

Filesize
327KB

MD5
dfd49d1326704cfeee9852999782e4b6

SHA1
4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4

SHA256
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

SHA512
fe9e9537f76bf36b6e6abd340ef135d5d017bb2b067239f6871f5a8952d2a5b823dd89838b8d31a928b40a1a70bd83010e5f3f49905672fbcd74b763d65504bf

Download Submit
C:\ProgramData\IECBGIDAEH.exe

Filesize
404KB

MD5
4f828f95c11479c61692052d9254022a

SHA1
68f1fbe839f2d41f434bdde176ccc3e6f38ec503

SHA256
00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a

SHA512
91cc6dc01a62337c542c31337057653c5e41ae7b88621bc1041786a260a5b78fb834869ce8aeca05ab8263c45a41fa7833ee262440d157206b1ddae675d814f5

Download Submit
C:\ProgramData\KEHDBAEGIIIEBGCAAFHI

Filesize
11KB

MD5
37e78be30f64ed1e1bfee832438f3616

SHA1
32a325595601bd6d701378225b70879ad581eae4

SHA256
d5f0477754533125a7a554372d1f164767e6032511c1dc7c6da2b2becedd47b0

SHA512
ce9ab28c29fbbaec22b06548aa95d2782f08cfa7307298afc37c26a665eac3546dcb2c6ff73df3c126d0b731bf62703e1f626750c4c19e53a17103bacc442c2b

Download Submit
C:\ProgramData\KFIIJJJD

Filesize
114KB

MD5
503d6b554ee03ef54c8deb8c440f6012

SHA1
e306b2a07bf87e90c63418024c92933bcc3f4d7f

SHA256
4c407af4d5326d1ea43e89945eda0b86c81ad0d12bd5465b327c0fd1df56f7d4

SHA512
3490b51dfe2e8f6efa3cdeee7bc08c03072597861c1a2f88dc830139abb7611c671ddad345c2af97bb1e88927c09467ed92b5feafe6696d7e2b31b3bd3447437

Download Submit
C:\ProgramData\mozglue.dll

Filesize
10KB

MD5
3d276c5c9b5affb060ee95133691f50b

SHA1
a42554a87c576f1ab7e618ecea450153421836e0

SHA256
6126b4308622feafb09603f7f438f03479cbec18249c4e15779c3e829fdef393

SHA512
9900c365030b0dae338d36a30a8ffbd0beb29c38a413aef62bf362b225063d4b010fbf5b8b4c5586834028f1aa84073c492e0702f6617b29026223d09b7e7297

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
17KB

MD5
b3955789a00febf8ae9ca2932a9c6aee

SHA1
ade8fe8a38815fd679de3f08f0e6b6acabecd5af

SHA256
060e730081814ce2ab1389969c07917727da5ab0ab17a4d2e81bf651b9eb1f11

SHA512
0207d8ec4b9115a166201377441cb1baf46dc447380241c1668ef35979c89bcf0cb48bdcc2480fb9f56f609822e1269f30083e093ea78413c663fa5f2ea6ff41

Download Submit
C:\ProgramData\nss3.dll

Filesize
112KB

MD5
61a46f87ace15659aade26128927abdb

SHA1
2897bbe0d5ad9f11f549b5801eef4dee1de4eed8

SHA256
75941d72abfbd4b2d76c4a4b8a92405e10c253abee63a7a11b621594dab73676

SHA512
7691a513fecd5e0e49e76d548c994d7955bd77431b27121a4a33eeebba6abc5e195f3c6b11acea224fca3bcb71bdd16cc8d855190d7cbcc2861f8fcfa8208d3f

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
53531d3b1632c42fbb5282b61f41eb70

SHA1
3e57dd0a3966162c6bf62d02cef4abcff03c1159

SHA256
b949b4e92e2803878a2b71476a58d2cbfd53c95ab7bb1583ce4e77398f135105

SHA512
60d25185037c526ac8a8c928891c2ea5fe3a5d8d24fd536b36bdaea07953350aa25c45038c5b0db4166912da3ea502a959dd4de7dd6f602d2d6cdd1d349c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
71c1501de002f341a45a0fb640abc475

SHA1
31e4b02431f529a6333f4ff648de3c7187ab0132

SHA256
36a4999268d5b62ba16a04144c15c256880361d0463ac5bae5045071f805188d

SHA512
dbdc75f5238b8da29cf0bc378e95f4e092dcdd6591c39ba78383e9c1af1cd1f3d022f34cfe212ffeb83dd5187360eef42f870a1b348605bbdcff2dfd907e653a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminHIIDGCGCBF.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68XY2BI1\76561199780418869[1].htm

Filesize
33KB

MD5
b65188eea4d8a0d3f39a0ee13e7d4e04

SHA1
54c90417cb96cd7ec9a2df16b4cacaa5a99b5dfd

SHA256
2eb096864603076ca85b2d78463f4b4a82a0a36655f981fd2874c179c8e347e4

SHA512
cb7ef6aeac32dbe3ed6c0e2aab43bd3589deb6271612c76f7e2e00ef6e048c3b1231d1488233d6a507f59e0233adb3455647fbf5201d7b26c3fcfbf597d8f32e

Download Submit
memory/396-125-0x0000000072220000-0x00000000729D0000-memory.dmp

Filesize
7.7MB

Download
memory/396-103-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/396-104-0x0000000072220000-0x00000000729D0000-memory.dmp

Filesize
7.7MB

Download
memory/396-102-0x000000007222E000-0x000000007222F000-memory.dmp

Filesize
4KB

Download
memory/720-139-0x0000000000150000-0x00000000001A6000-memory.dmp

Filesize
344KB

Download
memory/1068-143-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-259-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-258-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-244-0x0000000022920000-0x0000000022B7F000-memory.dmp

Filesize
2.4MB

Download
memory/1068-234-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-230-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-145-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1068-141-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-87-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-78-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-86-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-79-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-13-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-48-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-47-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-31-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-30-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1600-15-0x000000001FE20000-0x000000002007F000-memory.dmp

Filesize
2.4MB

Download
memory/1600-12-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1736-118-0x00000000002F0000-0x0000000000358000-memory.dmp

Filesize
416KB

Download
memory/1820-122-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1820-120-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1820-124-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4420-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4420-11-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4420-91-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4420-1-0x0000000000D70000-0x0000000000DDA000-memory.dmp

Filesize
424KB

Download
memory/4620-156-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4620-149-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4620-151-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4724-278-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4724-279-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download