lumma | 0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119

Analysis

max time kernel
30s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe
Size

413KB
MD5

03cba9d84f72262d5de29968fd428514
SHA1

e8d35aebdd401108a67bf519c90b19033fb1f02f
SHA256

0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119
SHA512

72be8db459012db13efcc73f5a55d7965b48f2fda6e083dc1d76b8cc7d792483306dcc30e7a0b2ec88625bea3c7cf5feb90e05f691e8bed2a38434d0ff6ffef0
SSDEEP

12288:KLjV2QOQ/F8cRg7C2iajglWPlKS5KbtjmGnEO:+XO6BK7fiM6+ENRaot

Score

10^/10

lumma vidar 8b4d47586874b08947203f03e4db3962 ac3f3299a35695efca009a30beb2c332 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

ac3f3299a35695efca009a30beb2c332

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral1/memory/2376-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-11-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-20-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-18-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-15-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-161-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-180-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-210-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-229-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-360-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-379-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-422-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2376-441-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-585-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-583-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-582-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-579-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-577-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/1044-575-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
408	JDBKJJKEBG.exe
2512	GHDBKJKJKK.exe
2780	HCAFIJDGHC.exe

Loads dropped DLL 11 IoCs

pid	Process
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 408 set thread context of 904	408	JDBKJJKEBG.exe	37
PID 2512 set thread context of 1044	2512	GHDBKJKJKK.exe	40
PID 2780 set thread context of 1784	2780	HCAFIJDGHC.exe	43

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCAFIJDGHC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDBKJJKEBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GHDBKJKJKK.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2504	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
2376	RegAsm.exe
1784	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2336 wrote to memory of 2376	2336	0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe	31
PID 2376 wrote to memory of 408	2376	RegAsm.exe	35
PID 2376 wrote to memory of 408	2376	RegAsm.exe	35
PID 2376 wrote to memory of 408	2376	RegAsm.exe	35
PID 2376 wrote to memory of 408	2376	RegAsm.exe	35
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 408 wrote to memory of 904	408	JDBKJJKEBG.exe	37
PID 2376 wrote to memory of 2512	2376	RegAsm.exe	38
PID 2376 wrote to memory of 2512	2376	RegAsm.exe	38
PID 2376 wrote to memory of 2512	2376	RegAsm.exe	38
PID 2376 wrote to memory of 2512	2376	RegAsm.exe	38
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2512 wrote to memory of 1044	2512	GHDBKJKJKK.exe	40
PID 2376 wrote to memory of 2780	2376	RegAsm.exe	41
PID 2376 wrote to memory of 2780	2376	RegAsm.exe	41
PID 2376 wrote to memory of 2780	2376	RegAsm.exe	41
PID 2376 wrote to memory of 2780	2376	RegAsm.exe	41
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43
PID 2780 wrote to memory of 1784	2780	HCAFIJDGHC.exe	43

C:\Users\Admin\AppData\Local\Temp\0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe
"C:\Users\Admin\AppData\Local\Temp\0d32dd29b0a5a4e593651b4f0ffba9d7ba7c6d243666bbdfa83eabe9d3aa5119.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\ProgramData\JDBKJJKEBG.exe
    "C:\ProgramData\JDBKJJKEBG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:904
- - C:\ProgramData\GHDBKJKJKK.exe
    "C:\ProgramData\GHDBKJKJKK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044
- - C:\ProgramData\HCAFIJDGHC.exe
    "C:\ProgramData\HCAFIJDGHC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminHIIIIEGHDG.exe"
        5⤵
        
        PID:896
      - C:\Users\AdminHIIIIEGHDG.exe
        
        "C:\Users\AdminHIIIIEGHDG.exe"
        6⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAFIIEBGCAA.exe"
        5⤵
        
        PID:2404
      - C:\Users\AdminAFIIEBGCAA.exe
        
        "C:\Users\AdminAFIIEBGCAA.exe"
        6⤵
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FBFHJJJDAFBK" & exit
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FHDHCAAKECFIDHIEBAKF

Filesize
6KB

MD5
0570f5f45800939f770cab33219fd340

SHA1
bab94b1736432bee725a3a2a8d8c0608e2a009c2

SHA256
3fdb17957163ae50952685f2cbee4ddfd2824a2aee77e7ab1eb7405ab7ed260d

SHA512
84c3fa134e4cd0e1a29f847139a1072f17cc532fdd2227eb7a3c6457c36e2fe8d93f2adcc6d138eac863a967caac9b420d2fa13529c7951ac53b081db9b557ca

Download Submit
C:\ProgramData\GIJJKFCGDGHD\AKJDGI

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\GIJJKFCGDGHD\EGIJKE

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\JJKEBGHJ

Filesize
92KB

MD5
0040f587d31c3c0be57da029997f9978

SHA1
d4729f8ed094797bd54ea8a9987aaa7058e7eaa2

SHA256
a285e3bc24d218869afd114c236f0aafebeba96d4105ddd379ae31f03b26079b

SHA512
3e4ffca2ff979b5f91a0c8d5d1fa52f0ab47ff63e50b1cc5e7708c4ba8359ee8505a9259f329da5733048e953f0778af73ce76735b481d558dd05a2cb45a5977

Download Submit
C:\ProgramData\freebl3.dll

Filesize
104KB

MD5
802076ba0f8e35e293a84fef49f54075

SHA1
ce10c69d5eba164adc1a428384ea238a9fe58e50

SHA256
8c12dfa1dbaf564ed47e43cd22d15ca8a80983d1dfa4d9e478d122bfe3d0192c

SHA512
59e7823a67c7239b94cc32c879f828380be991478f235cf74caafcbd4c0cceb6fcc743f71709a7174401631353f9c35ee9f0c04f1809c4774899231ef13ce0c3

Download Submit
C:\ProgramData\mozglue.dll

Filesize
6KB

MD5
c6e08bac0f6c26f1630bf2f74b1c9ca4

SHA1
be2516f41edaf3fb7a8f142400d177338d880f1d

SHA256
5733d2250190da9e12660a6f0470b1f28782968e4d68b7967e027d1f40e2c685

SHA512
e2f0bf814b7e053899c0146a2d3a5e03feadd03cf30513f3c5e349b5cb3cea638c33aac3bc5954f9fd0002b76746ce4b92863be662220f5f5705b9a2286c9b23

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
19KB

MD5
683449b8301b79551001cddab9819806

SHA1
dc6eb714fbdb1db928a58b1ab234bca3b9c3c2ec

SHA256
8a4747bf5fb0e8c1cc74eb5af9d08786d92ac18afac70fbc9ca0491cf6d2b88b

SHA512
1f778ad34333a45df3b1d61c79b93ddc52675b80bf1a2509860a339696edbe65a884cf666f6ecc9153a86a54f007c3d5b13294da53b6f00f27d4be2270860631

Download Submit
C:\ProgramData\nss3.dll

Filesize
5KB

MD5
fff8bb74ff31eb63f0386737a00b6d0a

SHA1
eaf6b3268e69a783aee4f97c4a2daa9bd153d6fe

SHA256
fdbb1e867d9aff33fa30c8e2d1f0cf18faa97c27851767720035b05e67100cc6

SHA512
dc77574ca6d10edc96901776022b1d10bd2b0295647c61ea97dd806b744a217d807edbea13af13fbd458a3f3c8553924df46d4ebff829a02f191c63142f6699a

Download Submit
C:\ProgramData\softokn3.dll

Filesize
20KB

MD5
e960f5a0c7419b1910a75a4102b5f5e6

SHA1
a64c4ac2f4b87849255631d39786403253049fda

SHA256
0cc21b24f13ad1c9e32e49a3aa827994c463801e19fd6cda0c341f145971e58b

SHA512
6ff7cbc3f8de70502cb23b0d1c19db354b40b1e49c574bcf62c497c6c60b3531ceb3637555dd655bab27a25393247669f085336448fb19561d886b8e2be0558e

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
19KB

MD5
4756ab8d5f7443c9c6e89cbcadf1eb7b

SHA1
cfccab0f78afeb6024d290702150cf6760443ae4

SHA256
63d9980bf41887a4ffe4efefa7ffc4bc09fa1101da886e212637281762938a30

SHA512
c524d36628fcfdf5c0436fb13bef357a55bec13c7812768448dc13f7eb187689d85033db692efe96bf8f8b43eec7611102b293113d8a72677025c1ae9ee61a32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
77a62d348e54cc211e9aa26ebd38e6d5

SHA1
ab6d4a8b6af34769af97fe2fe87da19fe9ef951d

SHA256
a8a6381599bb8718708c697ed89ea41d4cab44dd9c5f092d6fd2fc040b96a9f8

SHA512
bcb4f4e78d8c659d299cdcac7f9ec04a55e0a271d87474e1080a0a58dc2130d727b8db718a7c9a40f1e797309042e66c156ed184ce42d3df8e982ac444f7a688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b9b70a28126b503a55534bb58f67aa6

SHA1
7c159d9556c26f417e0f679c4492c78b3fec3219

SHA256
7516a645c7d275ca88194d7d2db02df690e77caf3e295e1cd6031ded160f6dcf

SHA512
5b561f458ca6bde054f4dbed644e77c89a72120dffddb38a0ba29ac85c5f2ca8621c61b0f14dc0199dac7bbb492e69c45f41fd9ba13fa71ec62bf02fb2f6ed8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28612d670a10c21a6fdeb7bab96ca1f2

SHA1
5674cd23daa257b52c9cf7966e29f65a374f516e

SHA256
75fc35f583b999f1f719b3fec6b2bfc2df823c21b0f5d448dac15f85a4ffcd70

SHA512
dcf85648bf6678ab9bcd9160d902e581528b9ec688adef8ee87225f3b350ef3c13e8352895ce717c9764e5fd0803d33f9fad1daaa9e49b71dd83d659dea3ffdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
7c9eeed3b7801092c7b0f5a8883d9976

SHA1
fde3c2e4384d92bee13fdfe19ab61d7cda70c8a3

SHA256
f8a54f90d80915f7c389a38c089b3f0bc6d16d42e041410014075849b8e8416a

SHA512
d221550c60da535cdd2049f7637f7bc8faa0ce0757f33bb4efbc6a8c414e2ac994acf53223eb06c977a862f50924f334371ac564ebafa79727b12d4b8e2835a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
593f547558d7a88cea3c0e3f6f20aa5e

SHA1
2d255333689f492913168d153e017ebed2b6aa59

SHA256
051876c1828586bd2adfb02fcff48e223aefb783e97fe9259e66a1f875d81f9d

SHA512
778412d7ffc5550384aae4126d0c476e6305c6437e0a951f0ed29360778bee5044b309cd118e059388b914075155a53f7cad10a1789e84c5ba2e92d984a2e419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\76561199780418869[1].htm

Filesize
34KB

MD5
58e7babeeb84ccf7b17807ab7c506edb

SHA1
7582f03fbedd17f96f85d704ac9d85e27760b550

SHA256
60baa61379f62fe7ca99b80d81ae334d65d0973b60e56e6cb9c92764e1ceabc1

SHA512
56c9f5c0bf7015d89aa83df0f8b048803c1a22bb84d14b63102e301e25376ab6238e4b87e8466a038b0437a559d43d53eeac2b541c94227d824ce17433b71d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\76561199780418869[1].htm

Filesize
34KB

MD5
c06b6636423859e2e92376791fc133b4

SHA1
5aa6e44f8775b4caa4d7792949e9be4c616c087d

SHA256
b3e6a2254ebc80ef238f86cbdb8f6ecc68d0e5c6b0cfcf5015b60ea46a9705a6

SHA512
b31c5918a572c6dfc1db76a7225bed06414bd8813b5a5cf089f25e3f2a5b98c7f08190360b9172081d0ea448dc0d6c92414976b521ec29f6f7522bfcb4bc35d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE7A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE8C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\GHDBKJKJKK.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\HCAFIJDGHC.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
\ProgramData\JDBKJJKEBG.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/408-494-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/408-531-0x0000000073040000-0x000000007372E000-memory.dmp

Filesize
6.9MB

Download
memory/408-532-0x0000000073040000-0x000000007372E000-memory.dmp

Filesize
6.9MB

Download
memory/408-495-0x0000000073040000-0x000000007372E000-memory.dmp

Filesize
6.9MB

Download
memory/408-493-0x000000007304E000-0x000000007304F000-memory.dmp

Filesize
4KB

Download
memory/904-521-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-519-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-533-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-523-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-515-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-529-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-527-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/904-525-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/904-517-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1044-579-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-577-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-573-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-575-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-571-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-585-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-583-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1044-582-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1380-823-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1496-794-0x00000000010E0000-0x0000000001148000-memory.dmp

Filesize
416KB

Download
memory/1784-641-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2336-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/2336-4-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-1-0x0000000000210000-0x0000000000278000-memory.dmp

Filesize
416KB

Download
memory/2336-2-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-16-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2376-229-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-199-0x00000000205D0000-0x000000002082F000-memory.dmp

Filesize
2.4MB

Download
memory/2376-180-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-161-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-15-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-422-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-18-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-20-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-11-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-210-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-441-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-379-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2376-360-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2512-558-0x0000000000A20000-0x0000000000A88000-memory.dmp

Filesize
416KB

Download
memory/2780-611-0x0000000000160000-0x00000000001B6000-memory.dmp

Filesize
344KB

Download