Analysis
-
max time kernel
94s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 15:24
Static task
static1
General
-
Target
cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe
-
Size
1.8MB
-
MD5
1d13d83ba0b9e54307060da3ad2c16bf
-
SHA1
45fe957170c36b1704c25ff65d59dd8bbe6894cd
-
SHA256
cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0
-
SHA512
803e1b9587fc7aab36c96d52fe901fa6dbe0523aa46da23afb0bd50f7ebcbe5bfd9793ac61cbdd4d228159786d240d5161ff80a5e445eaa00fc77cdf455eb526
-
SSDEEP
24576:ujGFRFajDFCy++ZmOo3Ku3nMTpvvVxgjvS0CrhHnDvutPCisiQR5gCdcd3:ujeFmD/+Go3Ku3evVxquNrmPCwu
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://tacitglibbr.biz/api
Signatures
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" E9ER0WY8P3GYEWTL.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SBE3UU1GVSC3SBN49.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ E9ER0WY8P3GYEWTL.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SBE3UU1GVSC3SBN49.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion E9ER0WY8P3GYEWTL.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion E9ER0WY8P3GYEWTL.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SBE3UU1GVSC3SBN49.exe -
Executes dropped EXE 2 IoCs
pid Process 1012 E9ER0WY8P3GYEWTL.exe 4512 SBE3UU1GVSC3SBN49.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine E9ER0WY8P3GYEWTL.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Wine SBE3UU1GVSC3SBN49.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features E9ER0WY8P3GYEWTL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" E9ER0WY8P3GYEWTL.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1012 E9ER0WY8P3GYEWTL.exe 4512 SBE3UU1GVSC3SBN49.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language E9ER0WY8P3GYEWTL.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SBE3UU1GVSC3SBN49.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1012 E9ER0WY8P3GYEWTL.exe 1012 E9ER0WY8P3GYEWTL.exe 1012 E9ER0WY8P3GYEWTL.exe 1012 E9ER0WY8P3GYEWTL.exe 4512 SBE3UU1GVSC3SBN49.exe 4512 SBE3UU1GVSC3SBN49.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1012 E9ER0WY8P3GYEWTL.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 608 wrote to memory of 1012 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 85 PID 608 wrote to memory of 1012 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 85 PID 608 wrote to memory of 1012 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 85 PID 608 wrote to memory of 4512 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 87 PID 608 wrote to memory of 4512 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 87 PID 608 wrote to memory of 4512 608 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe"C:\Users\Admin\AppData\Local\Temp\cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Users\Admin\AppData\Local\Temp\E9ER0WY8P3GYEWTL.exe"C:\Users\Admin\AppData\Local\Temp\E9ER0WY8P3GYEWTL.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Users\Admin\AppData\Local\Temp\SBE3UU1GVSC3SBN49.exe"C:\Users\Admin\AppData\Local\Temp\SBE3UU1GVSC3SBN49.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4512
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5f2cf677babadbcf66be5b6925d970476
SHA1e0a0af7b241ec576068d796336c4c6e7717981a0
SHA25607e62cbe2492d263158762c413cfe0dc1ff7e9da26074c4b28c6a506c9253ff1
SHA5127264dc65b8522f3bf43083aeb2faf684424a73eb1b030be44314982abe34ec9f23f168cb326054508a9dbff87f11a849578bab9b65c832c47adff438bb979def
-
Filesize
2.8MB
MD584061ff2b02888f350dd0d0ede0479d7
SHA19d59578251487b20994b35fa711cb5e672de47b1
SHA256b5607eabc939ebf86a0efd6d4fa534bcd9f275a350a137079cf2e298c1751911
SHA5121e24c7bd9390aee22e017bef0e07e2d9e4291f8cef0508afaed2b6347fca0f9cf8752c76a4531b81a20c011d8b57345c3ace6e6b3c05b2099fef4e7a74f467e1