lumma | 2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe
Size

404KB
MD5

07beff810640c60bf60464f5e1efb5b0
SHA1

2af2ee421ae26a98f9775bfe46821ffb47b406d3
SHA256

2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70
SHA512

1ed5082b2652d1253c13803c3607afe4befa564c03f1203a6ad157f0187482382d7a1438e34a95667495c89a6ebe020d838fe61ec7f697de865fc55a3b031fa5
SSDEEP

12288:eQn647UR3tHxUAbjUgMhcdMnAXTwHqsEO:z647UTjXUgVXTrst

Score

10^/10

lumma stealc vidar 8b4d47586874b08947203f03e4db3962 c8450254a9a0920212cb81ae7f386da3 default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

c8450254a9a0920212cb81ae7f386da3

https://t.me/jamsemlg

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://underlinemdsj.site/api

https://offeviablwke.site/api

Signatures

Detect Vidar Stealer 22 IoCs

stealer

resource	yara_rule
behavioral2/memory/4484-3-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-6-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-29-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-30-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-46-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-47-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-63-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-64-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-89-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-90-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-97-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/4484-98-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-151-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-155-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-153-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-238-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-239-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-260-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3240-266-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/840-284-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/840-285-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 5 IoCs

pid	Process
2348	KFHJJDHJEG.exe
1832	KEGDBFIJKE.exe
2120	IEGCBFHJDH.exe
848	AdminEGHCBKKKFH.exe
4836	AdminIJEGHJECFC.exe

Loads dropped DLL 4 IoCs

pid	Process
4484	RegAsm.exe
4484	RegAsm.exe
4336	RegAsm.exe
4336	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 2348 set thread context of 2920	2348	KFHJJDHJEG.exe	102
PID 1832 set thread context of 3240	1832	KEGDBFIJKE.exe	106
PID 2120 set thread context of 4336	2120	IEGCBFHJDH.exe	109
PID 848 set thread context of 840	848	AdminEGHCBKKKFH.exe	122
PID 4836 set thread context of 2684	4836	AdminIJEGHJECFC.exe	123

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFHJJDHJEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminEGHCBKKKFH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminIJEGHJECFC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KEGDBFIJKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEGCBFHJDH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2272	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
4484	RegAsm.exe
3240	RegAsm.exe
3240	RegAsm.exe
4336	RegAsm.exe
4336	RegAsm.exe
4336	RegAsm.exe
4336	RegAsm.exe
3240	RegAsm.exe
3240	RegAsm.exe
840	RegAsm.exe
840	RegAsm.exe
840	RegAsm.exe
840	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 3028	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	83
PID 944 wrote to memory of 3028	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	83
PID 944 wrote to memory of 3028	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	83
PID 944 wrote to memory of 3240	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	84
PID 944 wrote to memory of 3240	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	84
PID 944 wrote to memory of 3240	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	84
PID 944 wrote to memory of 5076	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	85
PID 944 wrote to memory of 5076	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	85
PID 944 wrote to memory of 5076	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	85
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 944 wrote to memory of 4484	944	2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe	86
PID 4484 wrote to memory of 2348	4484	RegAsm.exe	92
PID 4484 wrote to memory of 2348	4484	RegAsm.exe	92
PID 4484 wrote to memory of 2348	4484	RegAsm.exe	92
PID 4484 wrote to memory of 1832	4484	RegAsm.exe	95
PID 4484 wrote to memory of 1832	4484	RegAsm.exe	95
PID 4484 wrote to memory of 1832	4484	RegAsm.exe	95
PID 2348 wrote to memory of 4748	2348	KFHJJDHJEG.exe	98
PID 2348 wrote to memory of 4748	2348	KFHJJDHJEG.exe	98
PID 2348 wrote to memory of 4748	2348	KFHJJDHJEG.exe	98
PID 2348 wrote to memory of 2212	2348	KFHJJDHJEG.exe	99
PID 2348 wrote to memory of 2212	2348	KFHJJDHJEG.exe	99
PID 2348 wrote to memory of 2212	2348	KFHJJDHJEG.exe	99
PID 2348 wrote to memory of 1116	2348	KFHJJDHJEG.exe	100
PID 2348 wrote to memory of 1116	2348	KFHJJDHJEG.exe	100
PID 2348 wrote to memory of 1116	2348	KFHJJDHJEG.exe	100
PID 2348 wrote to memory of 244	2348	KFHJJDHJEG.exe	101
PID 2348 wrote to memory of 244	2348	KFHJJDHJEG.exe	101
PID 2348 wrote to memory of 244	2348	KFHJJDHJEG.exe	101
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 2348 wrote to memory of 2920	2348	KFHJJDHJEG.exe	102
PID 4484 wrote to memory of 2120	4484	RegAsm.exe	104
PID 4484 wrote to memory of 2120	4484	RegAsm.exe	104
PID 4484 wrote to memory of 2120	4484	RegAsm.exe	104
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 1832 wrote to memory of 3240	1832	KEGDBFIJKE.exe	106
PID 2120 wrote to memory of 216	2120	IEGCBFHJDH.exe	107
PID 2120 wrote to memory of 216	2120	IEGCBFHJDH.exe	107
PID 2120 wrote to memory of 216	2120	IEGCBFHJDH.exe	107
PID 2120 wrote to memory of 4112	2120	IEGCBFHJDH.exe	108
PID 2120 wrote to memory of 4112	2120	IEGCBFHJDH.exe	108

C:\Users\Admin\AppData\Local\Temp\2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe
"C:\Users\Admin\AppData\Local\Temp\2161f38eb7e940f7dadbf1cff93e3219846ad9dd1d181aceadddd9b1f549bf70N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\ProgramData\KFHJJDHJEG.exe
    "C:\ProgramData\KFHJJDHJEG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\ProgramData\KEGDBFIJKE.exe
    "C:\ProgramData\KEGDBFIJKE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3240
- - C:\ProgramData\IEGCBFHJDH.exe
    "C:\ProgramData\IEGCBFHJDH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4336
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEGHCBKKKFH.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
      - C:\Users\AdminEGHCBKKKFH.exe
        
        "C:\Users\AdminEGHCBKKKFH.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIJEGHJECFC.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
      - C:\Users\AdminIJEGHJECFC.exe
        
        "C:\Users\AdminIJEGHJECFC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHCBGIIJKEBF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CBGCGDBK

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\GHJDGDBFCBKFHJKFHCBK

Filesize
11KB

MD5
1a300e98435abf68b9a4621d985451db

SHA1
213b41df60598f01132c7c27e0abcca85f34ee63

SHA256
60f3039121f2ac64369521cee56e53a43fa88e11f3f00e5e4dd820af2035bd0d

SHA512
dfe8ba0ce52a5316aa3b28c7d86ed46506b1c4b817e7262bcf6408ca50e27ea582b6e08ccf488d2393c864d4bb2a7ea5d1e2c921aa631b03127a663927e56fac

Download Submit
C:\ProgramData\IEGCBFHJDH.exe

Filesize
327KB

MD5
dfd49d1326704cfeee9852999782e4b6

SHA1
4bd1c441c55ec55a1cac7ca2bfe786a739cb01a4

SHA256
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef

SHA512
fe9e9537f76bf36b6e6abd340ef135d5d017bb2b067239f6871f5a8952d2a5b823dd89838b8d31a928b40a1a70bd83010e5f3f49905672fbcd74b763d65504bf

Download Submit
C:\ProgramData\JJECAAEH

Filesize
114KB

MD5
2e5b34ca73bac7d39579ae5af5c50268

SHA1
910b0865cce750b73e308d0c9314edcdcf4162bb

SHA256
79f7541d73ed1744fbc041fdeaf95cae2e2a43cf9d73f6d9476b67a5c2ea9695

SHA512
95dcb404558da6bf1b58640440f3e26b13bf53b8fe05932e85b85dea7e629a544f2bfef094fdd23fd2ad0692297aad338e23c9e6e516e5c852d6d7c1c97249fc

Download Submit
C:\ProgramData\JJECAAEHCFIE\HDAKFC

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\ProgramData\JJECAAEHCFIE\JDBGDH

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\JJECAAEHCFIE\JDBGDH

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\ProgramData\KEGDBFIJKE.exe

Filesize
404KB

MD5
4f828f95c11479c61692052d9254022a

SHA1
68f1fbe839f2d41f434bdde176ccc3e6f38ec503

SHA256
00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a

SHA512
91cc6dc01a62337c542c31337057653c5e41ae7b88621bc1041786a260a5b78fb834869ce8aeca05ab8263c45a41fa7833ee262440d157206b1ddae675d814f5

Download Submit
C:\ProgramData\KFHJJDHJEG.exe

Filesize
372KB

MD5
8a73502b83ceb6b31b9fefb595876844

SHA1
41094748fdc11cd79057c14c39210d6833a25323

SHA256
af60c2dd60ece7f8e83870b22b1c5c0e095c9c3669171c16eaaff406cda6eeb2

SHA512
e5bf9b9b78c8306c13df04db83bbe4c76f0914fffde4bd584a5b96da5150102167df61b1315382a5af68038c2d3cdbd2e2414082659757c402979d3c3772b82c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
158KB

MD5
4a08d26f408f64a8e96fd73c508a5811

SHA1
a69b3de7d249ee16d98ed17bd63987b906b750e0

SHA256
f9009b0daa6b7f1d711d69d77a00622d07bf52a1633a3854f93b5feac64f94c5

SHA512
6303d2e90d572b6e16e529c4e2ab6e21de4f9875cd305eefa7b4b8170fcdfb0f42e282335c1fecd5033697c5e02c5f9b645a47a9d6fab2cf623c88c6a8e564f6

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
26KB

MD5
45d2d6c478948c7f7502cb21c7a9898d

SHA1
ab78c62d7b6540f0b78e3a906dfded5e065a46d7

SHA256
eff6334d37bedc27d252d1af88ecf05b84cad10e2323e9ee7f0a49aec3a45c69

SHA512
6a51a651aaf037f7fbb6685052feb68954982c1a075176fee122b44138af1d9bafbeca882c19e285f02b158eaa698cd1b764c61d20202ab83a0391da2394ed3d

Download Submit
C:\ProgramData\nss3.dll

Filesize
7KB

MD5
850a06b0f2ba21d0bb154aed00b69db3

SHA1
82f4e4921aa97d3af4323ccc9ef4049210aff984

SHA256
84ea62cb868eba53bb43953bf623676db958cc15a3c26c4d63a9f1e483d3fd89

SHA512
9615408879787672393d5e205f596cb800217150679c76cb1fe4b37bd0d6be61057e9b4502a376e8bb253a2eea5e647c5655316543b9954b56aa4f581bbda391

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
165KB

MD5
83ad61a2e007b2237b48d9dd193a1f2d

SHA1
4075da1e8e3d12df5051d494819060f80e90a4f7

SHA256
215a341206f94e84521938b6dcd6c7978248785901e369d463e955c3dbe85a61

SHA512
e889e23a6bd8761364ae9b89ddaabe4266a3da2aeaa1c77b07125c89af17d5c01ae3140f98912c8f6b7c64a694a55b245a29546a7dc622688bf806c7cc19b0c4

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
53531d3b1632c42fbb5282b61f41eb70

SHA1
3e57dd0a3966162c6bf62d02cef4abcff03c1159

SHA256
b949b4e92e2803878a2b71476a58d2cbfd53c95ab7bb1583ce4e77398f135105

SHA512
60d25185037c526ac8a8c928891c2ea5fe3a5d8d24fd536b36bdaea07953350aa25c45038c5b0db4166912da3ea502a959dd4de7dd6f602d2d6cdd1d349c73b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
d7cd20e1e85ee22abc072b7a39ab7f1e

SHA1
3b36a0deffef214fe4c26db2b8dd610ef0555217

SHA256
dd755068adc326285c4fe9768f3d28589c805dbb6cee9d3e8471210400758c61

SHA512
e8f718e48c4b7170955545adbc867afbc409bd2f2850c312e90a09930851346e3ab34fc05c1bf2c0a9b3604e002055df4acf659625313d9337be3b53364b9bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminEGHCBKKKFH.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\76561199780418869[1].htm

Filesize
33KB

MD5
2baa9e1472f25fe9cc69b8831c316dbd

SHA1
d60b6159cd8d72997991ce0cb4b69ee8693a32ce

SHA256
f374fdce7513325cd231d493e16e68d4d60e6658505ce6a8ada3d2fff0525693

SHA512
50df3675690629065b754083f3a687446a1f88e3e227ff896b2cc39c48c929c7bb8cade14ed4a6314759c908d39047ea0c3b3097990a1d18e81050d579c062c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\76561199780418869[1].htm

Filesize
33KB

MD5
3bfdf0f600100f15af30424ae789b3cc

SHA1
94a2edc43f6197cf3b6de60d712c59c8634ae6c0

SHA256
6b84dfcb88455fd925fec9ec092167e2d04c41f410882f99f3713fc1d1559e1d

SHA512
6e8a9b8bf3ea1bc23850d6dc091e446b95afa2ccf58ef1b3137346379dcfedad1388b513d1fc95a8aac7627615d3de17ba123156033322e5fbef85ac14f0f37f

Download Submit
memory/840-284-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/840-285-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/944-71-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/944-11-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/944-1-0x0000000000750000-0x00000000007BA000-memory.dmp

Filesize
424KB

Download
memory/944-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/1832-131-0x0000000000900000-0x0000000000968000-memory.dmp

Filesize
416KB

Download
memory/2120-149-0x0000000000DA0000-0x0000000000DF6000-memory.dmp

Filesize
344KB

Download
memory/2348-132-0x0000000072BC0000-0x0000000073370000-memory.dmp

Filesize
7.7MB

Download
memory/2348-114-0x0000000072BC0000-0x0000000073370000-memory.dmp

Filesize
7.7MB

Download
memory/2348-112-0x0000000072BCE000-0x0000000072BCF000-memory.dmp

Filesize
4KB

Download
memory/2348-113-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2920-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2920-128-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3240-239-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-155-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-151-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-266-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-153-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-260-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3240-246-0x0000000022510000-0x000000002276F000-memory.dmp

Filesize
2.4MB

Download
memory/3240-238-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4336-159-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4336-166-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4336-161-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/4484-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-3-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-30-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-90-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-31-0x00000000221D0000-0x000000002242F000-memory.dmp

Filesize
2.4MB

Download
memory/4484-46-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-47-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-29-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-97-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-89-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-98-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-63-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4484-64-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download