lumma | 8f90648143c92c8780cf076b716225ce76fe07e48c10ff5d1d24ed8938791511

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmokeySpoofer-main.zip
Size

748KB
MD5

4807068938430adcad94ae1f70444acf
SHA1

439c19db57e1636a3a8bdc593ef82d93688ef216
SHA256

8f90648143c92c8780cf076b716225ce76fe07e48c10ff5d1d24ed8938791511
SHA512

715119fe906f1247a12bfd94575046630041ffe2983ff2cc57c3d3f1f658bb8bfad0e8e4252442b6fdce0b68afa731f62a2c230bd4c6f1b89a7f0dbd08e17700
SSDEEP

12288:tieNFD5T5vTBkA6gAksiz/YbxZxCXUxYAuTV8wQWCPmHMHPXHek:timZt5tkNOsn4XeITV8wQ+sfek

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 15 IoCs

pid	Process
2492	SmokeySpoofer.exe
5060	SmokeySpoofer.exe
4252	SmokeySpoofer.exe
3100	SmokeySpoofer.exe
3516	SmokeySpoofer.exe
1556	SmokeySpoofer.exe
1200	SmokeySpoofer.exe
2948	SmokeySpoofer.exe
2500	SmokeySpoofer.exe
552	SmokeySpoofer.exe
3924	SmokeySpoofer.exe
3948	SmokeySpoofer.exe
2544	SmokeySpoofer.exe
4400	SmokeySpoofer.exe
3164	SmokeySpoofer.exe

Loads dropped DLL 15 IoCs

pid	Process
2492	SmokeySpoofer.exe
5060	SmokeySpoofer.exe
4252	SmokeySpoofer.exe
3100	SmokeySpoofer.exe
3516	SmokeySpoofer.exe
1556	SmokeySpoofer.exe
1200	SmokeySpoofer.exe
2948	SmokeySpoofer.exe
2500	SmokeySpoofer.exe
552	SmokeySpoofer.exe
3924	SmokeySpoofer.exe
3948	SmokeySpoofer.exe
2544	SmokeySpoofer.exe
4400	SmokeySpoofer.exe
3164	SmokeySpoofer.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 4560	2492	SmokeySpoofer.exe	94
PID 5060 set thread context of 1928	5060	SmokeySpoofer.exe	99
PID 4252 set thread context of 4220	4252	SmokeySpoofer.exe	102
PID 3100 set thread context of 1604	3100	SmokeySpoofer.exe	105
PID 3516 set thread context of 664	3516	SmokeySpoofer.exe	108
PID 1556 set thread context of 4760	1556	SmokeySpoofer.exe	111
PID 1200 set thread context of 1548	1200	SmokeySpoofer.exe	114
PID 2948 set thread context of 1328	2948	SmokeySpoofer.exe	117
PID 2500 set thread context of 860	2500	SmokeySpoofer.exe	120
PID 552 set thread context of 460	552	SmokeySpoofer.exe	123
PID 3924 set thread context of 740	3924	SmokeySpoofer.exe	126
PID 3948 set thread context of 3752	3948	SmokeySpoofer.exe	130
PID 2544 set thread context of 4752	2544	SmokeySpoofer.exe	134
PID 4400 set thread context of 1852	4400	SmokeySpoofer.exe	137
PID 3164 set thread context of 3676	3164	SmokeySpoofer.exe	140

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4312	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4312	7zFM.exe
Token: 35	4312	7zFM.exe
Token: SeSecurityPrivilege	4312	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4312	7zFM.exe
4312	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 2492 wrote to memory of 4560	2492	SmokeySpoofer.exe	94
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 5060 wrote to memory of 1928	5060	SmokeySpoofer.exe	99
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 4252 wrote to memory of 4220	4252	SmokeySpoofer.exe	102
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3100 wrote to memory of 1604	3100	SmokeySpoofer.exe	105
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 3516 wrote to memory of 664	3516	SmokeySpoofer.exe	108
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1556 wrote to memory of 4760	1556	SmokeySpoofer.exe	111
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 1200 wrote to memory of 1548	1200	SmokeySpoofer.exe	114
PID 2948 wrote to memory of 1328	2948	SmokeySpoofer.exe	117

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SmokeySpoofer-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2344

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4560

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4220

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:664

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1328

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:460

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:212
- C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
  SmokeySpoofer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2980
- C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
  SmokeySpoofer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852

C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SmokeySpoofer.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
C:\Users\Admin\Desktop\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
memory/860-136-0x00000000005A0000-0x0000000000605000-memory.dmp

Filesize
404KB

Download
memory/860-133-0x00000000005A0000-0x0000000000605000-memory.dmp

Filesize
404KB

Download
memory/1548-115-0x00000000005F0000-0x0000000000655000-memory.dmp

Filesize
404KB

Download
memory/1548-112-0x00000000005F0000-0x0000000000655000-memory.dmp

Filesize
404KB

Download
memory/2492-55-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2492-57-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2492-50-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2492-43-0x0000000000C50000-0x0000000000CE0000-memory.dmp

Filesize
576KB

Download
memory/2492-42-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/4560-56-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4560-51-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4560-54-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download