lumma | 3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe
Size

238KB
MD5

f37e0267c53ae8e94fe38e87524b8c45
SHA1

facaa93a619ab87da8ac448dd1fc71fb72e5380e
SHA256

3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80
SHA512

9684c9d8b8c6995f889be8e8a72e8340d12b32e85327c5b70892191f4510b32f374fc408aed1e37022326af43f620d187abfbc93f8f218488c65c3dd732ddb74
SSDEEP

3072:CeuFCkfRp1vGUfQuDHI4AwFW2NcRscYhQ7zkt1gZyAJhETpee5n0dJhhGhzLsygP:CeuNp5GNuDHI4DyWlAif5neJC+S3S7

Score

10^/10

lumma vidar 8ecc9c7eaebfdf2a8cc0586d7419d6ea discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Extracted

Family

vidar

Botnet

8ecc9c7eaebfdf2a8cc0586d7419d6ea

https://t.me/maslengdsa

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 10 IoCs

stealer

resource	yara_rule
behavioral2/memory/460-200-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/460-197-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/460-222-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/460-223-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/460-238-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/460-239-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3212-335-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3212-336-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3212-345-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral2/memory/3212-348-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	LKMService.exe

Drops startup file 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a9a2b0a1177847d297904e87aa00060e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_bc75374344c94d2a885a85dd704827a0.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_cb24898ba48b4869b6d3125b3665e1db.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_08d8f42344ea4a0e96ac9409d74c45d1.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_24851d8afb97453d86350986d1f30a37.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0b9d4c50529d4aa9ac9cde8ed52df3b8.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_1a8231f1134d4537937560d6ca5eb63a.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_94f467f819b04d8899773a9faf6d559d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_51c4f01498354847b69b1207b4c1687e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_abbbc9aa612045c9b53563a9111ec07e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_e4decc81fc114621a55387096940172e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_e59a28b74bc24292beb5d0bdbffdda0e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5acf7c05c0934a08b6b78f5d20a893ea.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_3893f5a4061740faa89506fa0650bbde.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5ccad18dcc2f4fc59464cc49d633b02e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_917ee760145848bcaab750ca4f458183.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_062a830ccffa4fb6847e0efedb56621c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_3fdf77a59f664f8c82dce5735b5c9b51.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0f3e1cfc1b0c4c809490419bc6b9839d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_45014487ea53419e8b919b64dbd5418e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_b2cc81d0dc50489abf9e500c9dd0d248.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9c5fa49cee224966861d17fabd3e3b25.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_7834a1655b714c2eabb4887da742f3e4.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0f979c03a614494eba7d459a4d727c3d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_3e0bd977a46c4e9d83e63c08dc712876.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_4fc2e258874448a6ac545e3f9ae5aabb.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_33bf20e5a8cc43a4b0f0b7de1a93629a.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_be9dd9160cf5498f9337fcf3425e0eb9.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_28d1426cb48b47e6a4c97dc2d1905c36.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_abecc24af86d4767ba2ee7570d5b1dc1.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_952f4a2d095943a097d99ffd3cec52c7.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_17ea92e6593f463c95906e75cbf4b597.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a810068200db420cb8e54441fe968153.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5d044b04cc854ccea91d4deb719834ee.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_e95b7460bf26430ea80da505e614b76c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_d66e0efaef914396a10fbfd35e655b0f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_8938ab1bd241438e8c9254a77479daf1.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_1cb0f5655fec4df4b707c9aaa0841126.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_60cb575616e44be3b902df11d94b6478.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_d8f37d2c69b94e6f86edb2d09add2ce6.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_add60790af324d018ef3cd39255b90c4.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5444ae2d5fc545fd85010a485dbfeee4.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_a47f3431b0ee4811b09d6bfce6611a67.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_da9cae88edb743cea04d2553e22c8657.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_2bc460fdc31a4be18e9e2e32de11e483.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_88f42f7529bf4264a89485a9eda49df1.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_0032433ef0444c26abef8ee1a592780f.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9d170befdf1d4a8a985f9559937e7f3c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_12c44efbc7df4852a1c1018fdd8d5707.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_95d720d615424dedbc4919f610eaf6a7.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_895473c0e85047c6a172bb9d02747582.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_5d083e8519eb437694926123c08e0b1b.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_2226f8e0041f4b8195b6914777b97b5c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_1b03659f936d4d79b640ba772867e390.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_650872bcb43a4cafbb73fc2fef563b7c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9c7ba352c00548018a18ada29a904e83.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_6d68168739814c85a4ee929393789a39.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_f0698d3c8ff94ed19d02e82b7d80ce7c.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_9de5a9bdd9dd4ccfa7d3f16923364267.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_ec72d6e093874f0eb08508e1afd19262.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_4468b655348f40ad8992713ac9e0378d.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c2f0f411d72c4c15ac0fbab63d979944.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_b20a497466e84f16a08bdc8adfb3075e.lnk	LKMService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_c25b48ca9055432b910a6d92b4a936a3.lnk	LKMService.exe

Executes dropped EXE 8 IoCs

pid	Process
4908	LKMService.exe
4792	GoogleUpdater.exe
4172	0681f8d9073b4f9498a20483a89cc20a.exe
948	jjTpzMHSTGGQRViUwLMm3Gs8.exe
5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe
1948	d1afece114fd493cb78ca72b9e7bec82.exe
3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe
2992	072b17a87a6c4769b5f380227d450d13.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKMService_c270fafd7bc44b3b81fade43efc050bf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EdgeUpdater\\LKMService.exe"	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKMService_78906f1202d94d00ac3fac61c502ce6e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EdgeUpdater\\GoogleUpdater.exe"	LKMService.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 948 set thread context of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 3312 set thread context of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2488	948	WerFault.exe	92
2868	5064	WerFault.exe	93
3020	3312	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LeZGWkSxIsIPGDKYGDZsmOUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	072b17a87a6c4769b5f380227d450d13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0681f8d9073b4f9498a20483a89cc20a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjTpzMHSTGGQRViUwLMm3Gs8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvgstrUc1rMvSJv9EMcXeEMJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1afece114fd493cb78ca72b9e7bec82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LKMService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe
4792	GoogleUpdater.exe
4908	LKMService.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	LKMService.exe
Token: SeDebugPrivilege	4792	GoogleUpdater.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4908	2352	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe	86
PID 2352 wrote to memory of 4908	2352	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe	86
PID 2352 wrote to memory of 4908	2352	3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe	86
PID 4908 wrote to memory of 4792	4908	LKMService.exe	87
PID 4908 wrote to memory of 4792	4908	LKMService.exe	87
PID 4908 wrote to memory of 4792	4908	LKMService.exe	87
PID 4908 wrote to memory of 4172	4908	LKMService.exe	91
PID 4908 wrote to memory of 4172	4908	LKMService.exe	91
PID 4908 wrote to memory of 4172	4908	LKMService.exe	91
PID 4172 wrote to memory of 948	4172	0681f8d9073b4f9498a20483a89cc20a.exe	92
PID 4172 wrote to memory of 948	4172	0681f8d9073b4f9498a20483a89cc20a.exe	92
PID 4172 wrote to memory of 948	4172	0681f8d9073b4f9498a20483a89cc20a.exe	92
PID 4172 wrote to memory of 5064	4172	0681f8d9073b4f9498a20483a89cc20a.exe	93
PID 4172 wrote to memory of 5064	4172	0681f8d9073b4f9498a20483a89cc20a.exe	93
PID 4172 wrote to memory of 5064	4172	0681f8d9073b4f9498a20483a89cc20a.exe	93
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 5064 wrote to memory of 460	5064	mvgstrUc1rMvSJv9EMcXeEMJ.exe	95
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 948 wrote to memory of 2136	948	jjTpzMHSTGGQRViUwLMm3Gs8.exe	94
PID 4908 wrote to memory of 1948	4908	LKMService.exe	101
PID 4908 wrote to memory of 1948	4908	LKMService.exe	101
PID 4908 wrote to memory of 1948	4908	LKMService.exe	101
PID 1948 wrote to memory of 3312	1948	d1afece114fd493cb78ca72b9e7bec82.exe	102
PID 1948 wrote to memory of 3312	1948	d1afece114fd493cb78ca72b9e7bec82.exe	102
PID 1948 wrote to memory of 3312	1948	d1afece114fd493cb78ca72b9e7bec82.exe	102
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 3312 wrote to memory of 3212	3312	LeZGWkSxIsIPGDKYGDZsmOUP.exe	103
PID 4908 wrote to memory of 2992	4908	LKMService.exe	106
PID 4908 wrote to memory of 2992	4908	LKMService.exe	106
PID 4908 wrote to memory of 2992	4908	LKMService.exe	106

C:\Users\Admin\AppData\Local\Temp\3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe
"C:\Users\Admin\AppData\Local\Temp\3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe
  "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\GoogleUpdater.exe" --checker
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\0681f8d9073b4f9498a20483a89cc20a.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\0681f8d9073b4f9498a20483a89cc20a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\jjTpzMHSTGGQRViUwLMm3Gs8.exe
      C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\jjTpzMHSTGGQRViUwLMm3Gs8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 252
        5⤵
        Program crash
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\mvgstrUc1rMvSJv9EMcXeEMJ.exe
      C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\mvgstrUc1rMvSJv9EMcXeEMJ.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 288
        5⤵
        Program crash
        
        PID:2868
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\d1afece114fd493cb78ca72b9e7bec82.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\d1afece114fd493cb78ca72b9e7bec82.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\PuviU88YcNpBcIA6X5fs\LeZGWkSxIsIPGDKYGDZsmOUP.exe
      C:\Users\Admin\AppData\Local\Temp\PuviU88YcNpBcIA6X5fs\LeZGWkSxIsIPGDKYGDZsmOUP.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 300
        5⤵
        Program crash
        
        PID:3020
- - C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\072b17a87a6c4769b5f380227d450d13.exe
    "C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\072b17a87a6c4769b5f380227d450d13.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 948 -ip 948
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3312 -ip 3312
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\sql[1].dll

Filesize
2.3MB

MD5
90e744829865d57082a7f452edc90de5

SHA1
833b178775f39675fa4e55eab1032353514e1052

SHA256
036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550

SHA512
0a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\0681f8d9073b4f9498a20483a89cc20a.exe

Filesize
8.6MB

MD5
fa73c01edce340509c537fafde08c156

SHA1
63fe62225d3fa4ad7059b6b87e5803531a987b38

SHA256
f5ad9ed4195163bd8bd2afba6f7a90ff6ba6060cae3f88dea972acbd061e0133

SHA512
e0abd6796d8f3e2bc8367b07d26882720e85352ed2e85fd39dc354280263cd64baded903a31565efa2e3c7b5954b787d0d7a526229eda6b9e3d8a95691246987

Download Submit
C:\Users\Admin\AppData\Local\Temp\EdgeUpdater\LKMService.exe

Filesize
238KB

MD5
f37e0267c53ae8e94fe38e87524b8c45

SHA1
facaa93a619ab87da8ac448dd1fc71fb72e5380e

SHA256
3ecf0a5fdc66d37c9e726334a0e57d6dc1e3ab622653d032f8db827185cc7c80

SHA512
9684c9d8b8c6995f889be8e8a72e8340d12b32e85327c5b70892191f4510b32f374fc408aed1e37022326af43f620d187abfbc93f8f218488c65c3dd732ddb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\jjTpzMHSTGGQRViUwLMm3Gs8.exe

Filesize
550KB

MD5
1d515cacda4e794136b724da399e2a63

SHA1
21a21fb11ddff5376c7c328a18b9c4fd0e94a457

SHA256
0c18e333daa942ae82f270fe1a7a44283275d03f9ec059b5f77833401ba1a6f9

SHA512
f82cf859826d9b77caec0ea123f89921afacc04ad267c6d70220845e5b3c3afb1d9887a6ce208c00510a1e9fb43c7de3a26e14ca5cd57f2a9cd82e9978381a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGyt1Er9D2h2gZICHSho\mvgstrUc1rMvSJv9EMcXeEMJ.exe

Filesize
594KB

MD5
462d6c46f74e6ed3cc488a662040a2d6

SHA1
09adef55f3fdb4b3d4c4d7d681f8eb2987ba8ea4

SHA256
b1b991a2628cb18dff3f482049ab83df4275fc4cd69a63a972cd1233ce41245a

SHA512
f322cf95d4997b9bd6cde8b4d49640bb56b5a8be46cd512fb1a4f538019209ffc9eb158a2fd9508b423882d67bb82a9fa1fb8a04d4add0610426a6198ea791cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKMService_bd747596775b43a19e1941124b19227b.lnk

Filesize
1KB

MD5
6a3ff75192e929fdb0bc184c1c6b5e2e

SHA1
2274b0518f95a06ebb6e222ad6ce38e1130dc1f7

SHA256
86bd48d4d9b136705f5d9a24d148d639c0423c0153f57dee5b940d9ec0abe180

SHA512
390f00218f71d2bdadf4645727855e6920fb40b4c286ce9e6a4a5f621b2865356e548a86a40957948357df3225fe40602f6b7c7761887268f2269d77129f03da

Download Submit
memory/460-238-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-222-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-197-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-223-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-200-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/460-231-0x0000000022770000-0x00000000229CF000-memory.dmp

Filesize
2.4MB

Download
memory/460-239-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/1948-274-0x0000000000180000-0x0000000001148000-memory.dmp

Filesize
15.8MB

Download
memory/1948-272-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1948-271-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/1948-270-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1948-269-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/1948-266-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/1948-267-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1948-268-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/2136-199-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2136-198-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/2352-1-0x0000000000D00000-0x0000000000D44000-memory.dmp

Filesize
272KB

Download
memory/2352-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2352-20-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-5-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2352-2-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/2992-434-0x0000000000DF0000-0x0000000001DB8000-memory.dmp

Filesize
15.8MB

Download
memory/2992-433-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/2992-432-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/2992-431-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/2992-430-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2992-429-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2992-428-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/2992-427-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3212-348-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3212-335-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3212-345-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/3212-339-0x0000000022410000-0x000000002266F000-memory.dmp

Filesize
2.4MB

Download
memory/3212-336-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/4172-131-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4172-127-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/4172-128-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4172-129-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4172-130-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4172-132-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4172-136-0x0000000000C50000-0x0000000001C18000-memory.dmp

Filesize
15.8MB

Download
memory/4172-133-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4792-39-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-65-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-68-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-44-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-62-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-25-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-59-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download