lumma | dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01

Analysis

max time kernel
25s
max time network
62s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe
Size

404KB
MD5

9a95bf64bb82802b60c903d8c870f61d
SHA1

d889bcfdd4228927887e2eadfeb4030ea5424e13
SHA256

dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01
SHA512

57f5baaea6a32468ab1c13771a9974b6986a308f3f98c7d26b78ae085d6ba5596ed2a46b43fb42b5834e0d8e086a110989ed929591941ae213019d19ca352111
SSDEEP

6144:lLhXbAjomx3DQIW4k283tPTw5hO8uNzPIE9TYFwjJUJZqAEuAQXEO:lL9bpmxDQIbkdwKrIGiwj0ZoQXEO

Score

10^/10

lumma vidar 8b4d47586874b08947203f03e4db3962 c7664db1b2143bb72073c634fc34cfef credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

c7664db1b2143bb72073c634fc34cfef

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/2548-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-11-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-16-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-14-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-10-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-19-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-160-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-179-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-209-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-228-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-359-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-378-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-421-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2548-440-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-569-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-579-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-577-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-576-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-573-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1420-571-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2176	EBKJDBAAKJ.exe
468	BGIJDGCAEB.exe
1712	BFHDAEHDAK.exe

Loads dropped DLL 11 IoCs

pid	Process
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 332 set thread context of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 2176 set thread context of 1800	2176	EBKJDBAAKJ.exe	37
PID 468 set thread context of 1420	468	BGIJDGCAEB.exe	41
PID 1712 set thread context of 3068	1712	BFHDAEHDAK.exe	44

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	1800	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EBKJDBAAKJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BGIJDGCAEB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFHDAEHDAK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2732	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2548	RegAsm.exe
2548	RegAsm.exe
2548	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 332 wrote to memory of 2548	332	dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe	31
PID 2548 wrote to memory of 2176	2548	RegAsm.exe	34
PID 2548 wrote to memory of 2176	2548	RegAsm.exe	34
PID 2548 wrote to memory of 2176	2548	RegAsm.exe	34
PID 2548 wrote to memory of 2176	2548	RegAsm.exe	34
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 2128	2176	EBKJDBAAKJ.exe	36
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 2176 wrote to memory of 1800	2176	EBKJDBAAKJ.exe	37
PID 1800 wrote to memory of 1184	1800	RegAsm.exe	38
PID 1800 wrote to memory of 1184	1800	RegAsm.exe	38
PID 1800 wrote to memory of 1184	1800	RegAsm.exe	38
PID 1800 wrote to memory of 1184	1800	RegAsm.exe	38
PID 2548 wrote to memory of 468	2548	RegAsm.exe	39
PID 2548 wrote to memory of 468	2548	RegAsm.exe	39
PID 2548 wrote to memory of 468	2548	RegAsm.exe	39
PID 2548 wrote to memory of 468	2548	RegAsm.exe	39
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 468 wrote to memory of 1420	468	BGIJDGCAEB.exe	41
PID 2548 wrote to memory of 1712	2548	RegAsm.exe	42
PID 2548 wrote to memory of 1712	2548	RegAsm.exe	42
PID 2548 wrote to memory of 1712	2548	RegAsm.exe	42
PID 2548 wrote to memory of 1712	2548	RegAsm.exe	42

C:\Users\Admin\AppData\Local\Temp\dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe
"C:\Users\Admin\AppData\Local\Temp\dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\ProgramData\EBKJDBAAKJ.exe
    "C:\ProgramData\EBKJDBAAKJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 252
        5⤵
        Program crash
        
        PID:1184
- - C:\ProgramData\BGIJDGCAEB.exe
    "C:\ProgramData\BGIJDGCAEB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1420
- - C:\ProgramData\BFHDAEHDAK.exe
    "C:\ProgramData\BFHDAEHDAK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminFBGCAAAAFB.exe"
        5⤵
        
        PID:2584
      - C:\Users\AdminFBGCAAAAFB.exe
        
        "C:\Users\AdminFBGCAAAAFB.exe"
        6⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminGDBKKFHIEG.exe"
        5⤵
        
        PID:2792
      - C:\Users\AdminGDBKKFHIEG.exe
        
        "C:\Users\AdminGDBKKFHIEG.exe"
        6⤵
        
        PID:1932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFHDAKJKFCFB" & exit
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BFHDAEHDAK.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
C:\ProgramData\CFIIIJJKJKFHIDGDBAKJ

Filesize
6KB

MD5
aff489327a7487688b00346480449c02

SHA1
9ef31fb8fc1d0a7eca9339ae8adf260b9437d739

SHA256
ca562a6b8e3d26826c8e29a0262af227f207094ae158663903326e1215947deb

SHA512
2e9412da8a3021dd2bc8ccfe6a6d0e38eff39b51ed437ebb0ce2fe0227f873e607ed7c1a7bae093a6f2a0cc3b29655256138f725142823b4082a0e7a72353c5e

Download Submit
C:\ProgramData\KJEGCFBGDHJJ\BAFBFC

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\KJEGCFBGDHJJ\KJDGIJ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\KKFCAAKF

Filesize
92KB

MD5
2c87b2d541eecd3b4a69f502e63a5783

SHA1
c3d1777df678cf4ef89ec8330f4d64f07fb26f9e

SHA256
eae2daadf140785ff98f48909f57ec24b3138fc0744018ec84a4ff8932c3d638

SHA512
502bd68d3ead4d794969b1db7dde114e0d3ded7fc52d81ab4e50c9d59ba74a0279426b54502301e2589929802b91ff8aa32d7e3d02a79d98209e540b40f7304c

Download Submit
C:\ProgramData\freebl3.dll

Filesize
18KB

MD5
128611e9434c4e83e0624c64c9e43f9b

SHA1
bc56fbaef16056fc74f8cd27eefdf449f0b295b2

SHA256
3de6681ce68e4598cac8f00bab65956a3d5d3f2968bdbbd9631d5d337994c04a

SHA512
f4412d52cef46a8463b46c8d746c58c3ad4c0dba2cfe65b8557e7ed6d056c8290f622ab207e5eb4c15b6c45c77b20dc5499278146757d7aacd11feb82a7cd210

Download Submit
C:\ProgramData\mozglue.dll

Filesize
1024B

MD5
ef8872dbb1e0de26c4daadb4e2ba1231

SHA1
3d2931acbf70418c2e5d997efb92191a0aa1c370

SHA256
3c3473cd478011ef47a57b88ec6fda2427c944085bbb929bbde6ed88ba4cd624

SHA512
68aafdca48c3830d035fecec97fecfbe11f7691561e53cd9b8c126bc0a9675056f807869f6248ad9e3d8f6dcf0a5d7ce8355490aec7e2a09376ac0673a6392c4

Download Submit
C:\ProgramData\softokn3.dll

Filesize
4KB

MD5
8c49c037824664b50743959d08a62cf9

SHA1
5a4a65ca453f72fb47979bf93ffa3086923a7383

SHA256
f4e3fabda42981ece37397a4a3a574b0f76ede8ce9f50d00a2a1994ccc9c2e88

SHA512
f9957696722b7126ecfb64e351ec026a1e8ccc1098807680a87f20de9f31119cd059ee4909f6f1be14db1160064596a709ecfaa877ea46a572b5c2fe6f682d8e

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c7f2d90f5c90ba421c96700249027a64

SHA1
826e331f623ac31cb6d8c470b2b4b64417a69fec

SHA256
83957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c

SHA512
8fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d222e8f3f163ab423d6438e6e9d93f11

SHA1
cbaabbc5a9719bdfd4d399ceecad29d2b7a4d184

SHA256
191da688da7760b8bc7ead51932f155c8246bb051aa060df3eae51c27ce6d558

SHA512
f682898d82cf77c14cf6ff4637412e215cdeaa66b742fa3d6923440856ea59a0d8a2c9e91e0f819bd082d1e242c5973608550ba275c785d88cdc9ee2465b846d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
340f7583184ea159f219e1acf01ff494

SHA1
c268e25c2553b8efd6e8d13cf090feff65719ae4

SHA256
c05f43ff09fee1078a941cfa4fd31d112f64cbb7427e38888f823fcd24c8c445

SHA512
e3c34f20f21a79510beb25796cd3a60d95d47ea0bc162a0c49d534a59a96e8d45022b15320e5abc9f6a2ad8e6c20d339f425cc0e0288df8c61aac6c3d729babf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
7c8711f7301d132f0c3f0dc2bbd104c1

SHA1
89d58adaffff878539c49052e7f54e00f1013b41

SHA256
85a17b1a99ee9ef9a3c70e3a65b2b49dcb643165d4777dd62d9d8f2f282b0f34

SHA512
d1c9eda959353f1173fc82b322edfe77b834664c560c5ac99de9c2ac96491c81fab604f67b4a1650bedfbc3544b8b87d9afd50979717a1a972d022fd711349cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
89810f039fb57948e94b829aabf8c341

SHA1
771b7d6c227e63083eeb62ee32ce8eea1ec56f84

SHA256
923c5a645d5790697fe757ac74ff1d9717e22d2ff7dbc582117156d453b4066c

SHA512
16a90e323689e9f7bd7090fe7cc407bd646d2ba81e4a1cb6d3f7b34bb73837a7d572978e975789a94987fd87d2cbeb96a5778f312fe56439cb7e7465a6140f15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\76561199780418869[1].htm

Filesize
34KB

MD5
adfbc24cbe02063e7d39c747ae16c074

SHA1
ed99dfe2f7939cbec0851033a94caa63e4622005

SHA256
3e2a8f347663540644039a22b3251fd004cd76ab8c32a97312e083f047f34086

SHA512
13abe25400f9b969b81b9be2cd283bc7dcd3f94871baada5bebb0c79df6e549c109da6b440f5a00acb925612ae1121e85b110b368c6eb5f091fe1ea5c94f4780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\76561199780418869[1].htm

Filesize
34KB

MD5
630c74cb435052d2b8118de93501d0ef

SHA1
4e1d8a1a67f8523f5a81ec173a1e3ac10a0c2c1c

SHA256
856748fc0303ac184550324507e7812c531f9c095ccc6f6c90986089367e5764

SHA512
aafb3fc4320a3c4fab37c4c364aa2710fb8f69ea570e372fac4c1b454d7743e58ad8c7d63c1f97f05777fe7f72a7ac5d66a71c7ab47bea7f3ae6448004576531

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA93.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAAC5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\BGIJDGCAEB.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\EBKJDBAAKJ.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/332-17-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/332-2-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/332-6-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/332-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/332-1-0x0000000000830000-0x0000000000898000-memory.dmp

Filesize
416KB

Download
memory/468-543-0x0000000000FA0000-0x0000000001008000-memory.dmp

Filesize
416KB

Download
memory/1420-565-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-567-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-571-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-573-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-576-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-577-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-579-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1420-569-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1712-605-0x0000000000930000-0x0000000000986000-memory.dmp

Filesize
344KB

Download
memory/1800-519-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-522-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-526-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-514-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-516-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-517-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1800-518-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1932-863-0x0000000000030000-0x0000000000090000-memory.dmp

Filesize
384KB

Download
memory/2176-523-0x0000000072D20000-0x000000007340E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-494-0x0000000072D20000-0x000000007340E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-492-0x0000000072D2E000-0x0000000072D2F000-memory.dmp

Filesize
4KB

Download
memory/2176-493-0x0000000000170000-0x00000000001D0000-memory.dmp

Filesize
384KB

Download
memory/2176-524-0x0000000072D20000-0x000000007340E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-856-0x0000000000E00000-0x0000000000E68000-memory.dmp

Filesize
416KB

Download
memory/2548-179-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-160-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-4-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-440-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-421-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-378-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-359-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-228-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-209-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-199-0x0000000020470000-0x00000000206CF000-memory.dmp

Filesize
2.4MB

Download
memory/2548-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-19-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-10-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2548-14-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-16-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-11-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2548-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3068-619-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3068-621-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/3068-617-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download