Analysis
-
max time kernel
94s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 02:32
Static task
static1
Behavioral task
behavioral1
Sample
343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe
Resource
win7-20241010-en
General
-
Target
343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe
-
Size
1.8MB
-
MD5
830c7205f281af8e8be936566c40d1a5
-
SHA1
b1cfc6601006600a9823c324b3d26e1364802467
-
SHA256
343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec
-
SHA512
4b1f86468ac9949f01fb746027ff3c7defac126cb0e7db1f9cd2b9ef342671575badd19f960994b84228aca5342de0509eec078ab6b02c8d5903399b51901a1c
-
SSDEEP
24576:/T2gIAMGk8TeOHlRPsZXwYcYxaG1HLYBMGFY1nr6rqQBfgRFemkp9UDKD2acoU8g:/TaGkBOFRPsJwRgnkBFmevBQLYf+Jy
Malware Config
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 6KUAE2563U81RSNJ7NR07RF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 6KUAE2563U81RSNJ7NR07RF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 6KUAE2563U81RSNJ7NR07RF.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 6KUAE2563U81RSNJ7NR07RF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 6KUAE2563U81RSNJ7NR07RF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 6KUAE2563U81RSNJ7NR07RF.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6KUAE2563U81RSNJ7NR07RF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ULVXLR13HNK6G7IMA11MQHNI.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6KUAE2563U81RSNJ7NR07RF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ULVXLR13HNK6G7IMA11MQHNI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ULVXLR13HNK6G7IMA11MQHNI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6KUAE2563U81RSNJ7NR07RF.exe -
Executes dropped EXE 2 IoCs
pid Process 4592 6KUAE2563U81RSNJ7NR07RF.exe 1016 ULVXLR13HNK6G7IMA11MQHNI.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine 6KUAE2563U81RSNJ7NR07RF.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine ULVXLR13HNK6G7IMA11MQHNI.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 6KUAE2563U81RSNJ7NR07RF.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 6KUAE2563U81RSNJ7NR07RF.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 4592 6KUAE2563U81RSNJ7NR07RF.exe 1016 ULVXLR13HNK6G7IMA11MQHNI.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6KUAE2563U81RSNJ7NR07RF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ULVXLR13HNK6G7IMA11MQHNI.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 4592 6KUAE2563U81RSNJ7NR07RF.exe 4592 6KUAE2563U81RSNJ7NR07RF.exe 1016 ULVXLR13HNK6G7IMA11MQHNI.exe 1016 ULVXLR13HNK6G7IMA11MQHNI.exe 4592 6KUAE2563U81RSNJ7NR07RF.exe 4592 6KUAE2563U81RSNJ7NR07RF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4592 6KUAE2563U81RSNJ7NR07RF.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2412 wrote to memory of 4592 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 91 PID 2412 wrote to memory of 4592 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 91 PID 2412 wrote to memory of 4592 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 91 PID 2412 wrote to memory of 1016 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 92 PID 2412 wrote to memory of 1016 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 92 PID 2412 wrote to memory of 1016 2412 343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe"C:\Users\Admin\AppData\Local\Temp\343b51b34ac69ba9e09927634079bb0632509d3a2d9bafdba15d75a8f05b98ec.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\6KUAE2563U81RSNJ7NR07RF.exe"C:\Users\Admin\AppData\Local\Temp\6KUAE2563U81RSNJ7NR07RF.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\ULVXLR13HNK6G7IMA11MQHNI.exe"C:\Users\Admin\AppData\Local\Temp\ULVXLR13HNK6G7IMA11MQHNI.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1016
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD55ee16489ab5a0d6cf49a20e9fdae3681
SHA1b531e0dd6cf1ec02f0bebf334e0a8ca286a12cf3
SHA25685e590af5f8e19dd85fd3471dcffb1ea1fa0f6cc3084ef50c6b44f02244e1075
SHA512e923a07668fc965eed5adc066cb1991ce8517bd633348da37f7ae32c46624ef29d3d9d8145bbcad9b2112304387a8b348fe37deb700c384b0185595f64a48bfe
-
Filesize
2.8MB
MD5dfc4ac821d77ac74e88a8d6806f3b381
SHA1328c4646185f83623b64acc275314337cb8507af
SHA256f1fa0545bde183d84cb9b24d6635ffb5ab98bd398659e92adcbb5dc90064531d
SHA5125aee1cf473a623a0b6c659a337d1960e395d67c94fc54a230b9b70936f2ad2bf983547f9c76e13ff20c37fb34dd8185cd8e5d96979f91f9749626e6fa902a2fe