Analysis
-
max time kernel
94s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 07:21
Static task
static1
Behavioral task
behavioral1
Sample
c3f863149cf166e5866fca1fe42cad0e.exe
Resource
win7-20240903-en
General
-
Target
c3f863149cf166e5866fca1fe42cad0e.exe
-
Size
1.8MB
-
MD5
c3f863149cf166e5866fca1fe42cad0e
-
SHA1
56b43b172e2ac0412ef1f0721e9bf91adef93194
-
SHA256
890cfc8c067ec2e4380ad770dc7ff0bad378824e09d0437aa0595c4215389989
-
SHA512
5d5658219d7d5404e220dc15958dfa4e7f97ebc2f2ea2c5b6b377abc8e48c97c718f3d910d94ebea66e53e23390f702c4f0e3adb6e590301d934d8a913c9b05b
-
SSDEEP
49152:sDTma7ZZWYFgDPIbcnh4IoZlTmnckAZ27suaiS:8TrOYiDcgVoCncko4O
Malware Config
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection XRNZW7BCP9JUYEP7EUU1N5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" XRNZW7BCP9JUYEP7EUU1N5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" XRNZW7BCP9JUYEP7EUU1N5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" XRNZW7BCP9JUYEP7EUU1N5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" XRNZW7BCP9JUYEP7EUU1N5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" XRNZW7BCP9JUYEP7EUU1N5.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BH9STVW6VEIMAVYJVWWNORVILB.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c3f863149cf166e5866fca1fe42cad0e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ XRNZW7BCP9JUYEP7EUU1N5.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion XRNZW7BCP9JUYEP7EUU1N5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion XRNZW7BCP9JUYEP7EUU1N5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion BH9STVW6VEIMAVYJVWWNORVILB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion BH9STVW6VEIMAVYJVWWNORVILB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c3f863149cf166e5866fca1fe42cad0e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c3f863149cf166e5866fca1fe42cad0e.exe -
Executes dropped EXE 2 IoCs
pid Process 4916 XRNZW7BCP9JUYEP7EUU1N5.exe 232 BH9STVW6VEIMAVYJVWWNORVILB.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine XRNZW7BCP9JUYEP7EUU1N5.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine BH9STVW6VEIMAVYJVWWNORVILB.exe Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine c3f863149cf166e5866fca1fe42cad0e.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" XRNZW7BCP9JUYEP7EUU1N5.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features XRNZW7BCP9JUYEP7EUU1N5.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 3148 c3f863149cf166e5866fca1fe42cad0e.exe 4916 XRNZW7BCP9JUYEP7EUU1N5.exe 232 BH9STVW6VEIMAVYJVWWNORVILB.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c3f863149cf166e5866fca1fe42cad0e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XRNZW7BCP9JUYEP7EUU1N5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BH9STVW6VEIMAVYJVWWNORVILB.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 3148 c3f863149cf166e5866fca1fe42cad0e.exe 3148 c3f863149cf166e5866fca1fe42cad0e.exe 3148 c3f863149cf166e5866fca1fe42cad0e.exe 3148 c3f863149cf166e5866fca1fe42cad0e.exe 3148 c3f863149cf166e5866fca1fe42cad0e.exe 3148 c3f863149cf166e5866fca1fe42cad0e.exe 4916 XRNZW7BCP9JUYEP7EUU1N5.exe 4916 XRNZW7BCP9JUYEP7EUU1N5.exe 232 BH9STVW6VEIMAVYJVWWNORVILB.exe 232 BH9STVW6VEIMAVYJVWWNORVILB.exe 4916 XRNZW7BCP9JUYEP7EUU1N5.exe 4916 XRNZW7BCP9JUYEP7EUU1N5.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4916 XRNZW7BCP9JUYEP7EUU1N5.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4916 3148 c3f863149cf166e5866fca1fe42cad0e.exe 86 PID 3148 wrote to memory of 4916 3148 c3f863149cf166e5866fca1fe42cad0e.exe 86 PID 3148 wrote to memory of 4916 3148 c3f863149cf166e5866fca1fe42cad0e.exe 86 PID 3148 wrote to memory of 232 3148 c3f863149cf166e5866fca1fe42cad0e.exe 87 PID 3148 wrote to memory of 232 3148 c3f863149cf166e5866fca1fe42cad0e.exe 87 PID 3148 wrote to memory of 232 3148 c3f863149cf166e5866fca1fe42cad0e.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3f863149cf166e5866fca1fe42cad0e.exe"C:\Users\Admin\AppData\Local\Temp\c3f863149cf166e5866fca1fe42cad0e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\XRNZW7BCP9JUYEP7EUU1N5.exe"C:\Users\Admin\AppData\Local\Temp\XRNZW7BCP9JUYEP7EUU1N5.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Users\Admin\AppData\Local\Temp\BH9STVW6VEIMAVYJVWWNORVILB.exe"C:\Users\Admin\AppData\Local\Temp\BH9STVW6VEIMAVYJVWWNORVILB.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:232
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5696ee1c9d08773339efe314269dcf7f5
SHA121bfb4fcb39ccc3969a0d07cf743b113d64a1c63
SHA25657014fe84559fa166db76f925753b65e9b18fc6e175e7c6900b67b4487e6c519
SHA512eb7b0ca0510d332c123c2cdd998e7c8af22f1922ff5f1f8075c8774a93e46268e7965d9ec763f45ad8cd70a0e649dd3041338c2638792a9552590f3922463e14
-
Filesize
1.7MB
MD59dfbaebce6e517991f34b94c67a038e2
SHA182fc1e85fe38a59248fc43837a6f0d32f3f0c0be
SHA2561b625c9923c41449ed1fdce417c57890367204340c2236b4b2f44ca864ae14ad
SHA512dd88abb1f9d0b0fd441e9333b64a88c5f66fb40c8f1ca8c98e4d04299e970410ddc49b60eadfbe7b76a74ef0a4d39cca270d4364d9d83ab66e777ca44257d4d4