lumma | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

Resubmissions

14-01-2025 12:40

250114-pwhacaykaz 10

14-01-2025 11:59

250114-n5y4saxngy 10

13-01-2025 14:41

250113-r2dv8avrgs 10

Analysis

max time kernel
39s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

lumma xworm discovery rat stealer trojan

Malware Config

Extracted

Family

lumma

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://ponintnykqwm.shop/api

Extracted

Family

xworm

Version

5.0

applications-scenario.gl.at.ply.gg:53694

Mutex

LkatwdFtbmAdPfGj

Attributes

Install_directory
%AppData%
install_file
Wave.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbb-36.dat	family_xworm
behavioral2/memory/1904-43-0x00000000005E0000-0x0000000000622000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET4B3D.tmp	snetcfg.exe
File created	C:\Windows\system32\DRIVERS\SET4B3D.tmp	snetcfg.exe
File opened for modification	C:\Windows\system32\DRIVERS\ndisrd.sys	snetcfg.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\FDB7CFFE05417C221025E753BC3999E44D10C22A\Blob = 030000000100000014000000fdb7cffe05417c221025e753bc3999e44d10c22a2000000001000000ed070000308207e9308205d1a003020102020c322de87f977c01136bdde212300d06092a864886f70d01010b0500305c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613132303006035504031329476c6f62616c5369676e204743432052343520455620436f64655369676e696e672043412032303230301e170d3231303832353037313634305a170d3234303832353037313634305a3082012e311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311830160603550405130f33323033393236303030343338383031133011060b2b0601040182373c0201031302525531283026060b2b0601040182373c02010213174b616c696e696e67726164736b617961204f626c617374310b30090603550406130252553120301e060355040813174b616c696e696e67726164736b617961204f626c617374311430120603550407130b537665746c6f676f72736b31253023060355040a131c495020534d49524e4f5620564144494d2056414c4552494556494348312530230603550403131c495020534d49524e4f5620564144494d2056414c45524945564943483121301f06092a864886f70d0109011612766164696d406e746b65726e656c2e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100a466b41cd5b910d2c5783c2233beff4065273b79464caaea32b636928b35528dd4ef863f579a9352b2c540f355adc3abb6eade3585aee15ab0ecfe76d8c91b1a6f16f94917b821c5b5b7e7fc480779d803334e999f989e5e80f84e0c0da98eb7345c926652ba004b3fcb15f146de664025b6285f1c02ba54b4e840035878cd101f063193c7373a44850a1b3832172d8c0c07975515c95369b2d37dec3d00b22600705cf3e7a92febf654464fdf0c50513dfe052832534dc40a842c5af632e09ac8092002dab38ca6af7b061fc2249876d37815c78664882bbf1e4a3635a67c5a1629e986af57037e97d74603f8e635c1202addf000ae85d3364230e4de46cd00b03b534db6e57c0ff2d0f75a141f1684ca3da36b108c5942d570510909f0ea0564b8dfad741027ca0ba5c794db49eeef33a3c37ff2695aa24a2fa312a1f85898870e1e60aad55ef199c0a04a3fb86a32fb58083dac6bd5b958e925972d830cab0dcb4ae6ff6bbd5937c1111cd373f4fe18ab72e1add09463017b1a939f8378fa70db5667fed6fbbc6b12a4acca7ff6d2f6395fe4c0d95a81b500017c14debf28ba60acd1c54b5685eb2128c8872f2ad129b46794a889c55a5e6804285c6ffa6b833fff384458e377bdb1d58990b3a1cf14517be30a79e5bba8c046f5e94f388d2337d833a1efb5fa6e13096edee442f4aa2b4ccc1251a8debd7a733cda88e50b0203010001a38201d5308201d1300e0603551d0f0101ff04040302078030819f06082b0601050507010104819230818f304c06082b060105050730028640687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f67736763637234356576636f64657369676e6361323032302e637274303f06082b060105050730018633687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f67736763637234356576636f64657369676e63613230323030550603551d20044e304c304106092b06010401a03201023034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f3007060567810c010330090603551d130402300030470603551d1f0440303e303ca03aa0388636687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f67736763637234356576636f64657369676e6361323032302e63726c301d0603551d11041630148112766164696d406e746b65726e656c2e636f6d30130603551d25040c300a06082b06010505070303301f0603551d23041830168014259dd0fc59098663c5ecf3b1133b571c03923611301d0603551d0e041604148dc2b11ae78ab76f8aab5960b890d909d9016401300d06092a864886f70d01010b050003820201000895095a5571b35e6f7dde4c5c5fb34fcfea592612898f06ff108300f532fee557063725122bd0aa4a1ac4da784c2597abba914008191d7cbdae8418e36ce302f6f65f94dcbf2e4cb5f67e9e20ed3297d6a96bb691359dfc951358870bc18cc09a21a2dd6ddce4a24e713b6323532549e9b83e7cc50e3f0333eca25219bddc9d6332b566cf5a46c9bf984a0396ee407e0466e89471eb294ffdd0b3245fa41e96ee85b224972dcb3f5471ce0073d4dde220aa2b57e6da477082b0c6a8bfa0a56ac40470252e005c8a3d97d2bdefdd0d5ad36db289fdfc6421d57f4e0aa2d3caa94dba8a52afaffdccf457cb6f8a8943c22ba3dd13ddfbb16f7a59bd54e382769e96b6700d21acd61cf89b0fed3934668ccd4615cb880ecde2232abfada603186f89e17a90bed8dd9b7e4c44429a32ed7eda6b175b893098f95c612f68918ff8e7bc6a90f0cbca83103a9371822bc7fe149c40ee8ea69753630915d8b3fb8c9e8b34278b530183f97c2140e19045fde98d206fe1700f17f6005b5a0022a42408caf750d32e429dbc5f93f1c9b875310e0fba0b60d56ab3a8e410cfc4a6120f4af5de0cd5de4b0b433f126af310bd321d07e6deff50903982e19494215af259b7a5e310d3e23036820e34703ce3c9ceec88acf7ef8e7162232a53eb29001f2821b74c96012e63584f142e66a139b10de2a55656e291584c1eee01a161d0dbb42154	certinst.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 5 IoCs

pid	Process
1352	khtoawdltrha.exe
2180	NdisInstaller3.2.32.1.exe
1904	XClient.exe
780	certinst.exe
5116	snetcfg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET462C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\ndisrd.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndisrd_lwf.inf_amd64_4ce59cd5668e5ccb\ndisrd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndisrd_lwf.inf_amd64_4ce59cd5668e5ccb\ndisrd_lwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netserv.inf_amd64_73adce5afe861093\netserv.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnb.inf_amd64_0dc913ad00b14824\netnb.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\ndisrd_lwf.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndiscap.inf_amd64_a009d240f9b4a192\ndiscap.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisrd_lwf.inf_amd64_4ce59cd5668e5ccb\ndisrd_lwf.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\ndisrd.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET462D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ndisrd_lwf.inf_amd64_4ce59cd5668e5ccb\ndisrd.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\wfpcapture.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF	snetcfg.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET462C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET462D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET463D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5e82f1b7-e6db-6f44-8495-382382fdc992}\SET463D.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\netvwififlt.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF	snetcfg.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrass.inf_amd64_7f701cb29b5389d3\netrass.PNF	snetcfg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1352	khtoawdltrha.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	snetcfg.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	snetcfg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khtoawdltrha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NdisInstaller3.2.32.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certinst.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	NdisInstaller3.2.32.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NdisInstaller3.2.32.1.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\FDB7CFFE05417C221025E753BC3999E44D10C22A	certinst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\FDB7CFFE05417C221025E753BC3999E44D10C22A\Blob = 030000000100000014000000fdb7cffe05417c221025e753bc3999e44d10c22a2000000001000000ed070000308207e9308205d1a003020102020c322de87f977c01136bdde212300d06092a864886f70d01010b0500305c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613132303006035504031329476c6f62616c5369676e204743432052343520455620436f64655369676e696e672043412032303230301e170d3231303832353037313634305a170d3234303832353037313634305a3082012e311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e311830160603550405130f33323033393236303030343338383031133011060b2b0601040182373c0201031302525531283026060b2b0601040182373c02010213174b616c696e696e67726164736b617961204f626c617374310b30090603550406130252553120301e060355040813174b616c696e696e67726164736b617961204f626c617374311430120603550407130b537665746c6f676f72736b31253023060355040a131c495020534d49524e4f5620564144494d2056414c4552494556494348312530230603550403131c495020534d49524e4f5620564144494d2056414c45524945564943483121301f06092a864886f70d0109011612766164696d406e746b65726e656c2e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100a466b41cd5b910d2c5783c2233beff4065273b79464caaea32b636928b35528dd4ef863f579a9352b2c540f355adc3abb6eade3585aee15ab0ecfe76d8c91b1a6f16f94917b821c5b5b7e7fc480779d803334e999f989e5e80f84e0c0da98eb7345c926652ba004b3fcb15f146de664025b6285f1c02ba54b4e840035878cd101f063193c7373a44850a1b3832172d8c0c07975515c95369b2d37dec3d00b22600705cf3e7a92febf654464fdf0c50513dfe052832534dc40a842c5af632e09ac8092002dab38ca6af7b061fc2249876d37815c78664882bbf1e4a3635a67c5a1629e986af57037e97d74603f8e635c1202addf000ae85d3364230e4de46cd00b03b534db6e57c0ff2d0f75a141f1684ca3da36b108c5942d570510909f0ea0564b8dfad741027ca0ba5c794db49eeef33a3c37ff2695aa24a2fa312a1f85898870e1e60aad55ef199c0a04a3fb86a32fb58083dac6bd5b958e925972d830cab0dcb4ae6ff6bbd5937c1111cd373f4fe18ab72e1add09463017b1a939f8378fa70db5667fed6fbbc6b12a4acca7ff6d2f6395fe4c0d95a81b500017c14debf28ba60acd1c54b5685eb2128c8872f2ad129b46794a889c55a5e6804285c6ffa6b833fff384458e377bdb1d58990b3a1cf14517be30a79e5bba8c046f5e94f388d2337d833a1efb5fa6e13096edee442f4aa2b4ccc1251a8debd7a733cda88e50b0203010001a38201d5308201d1300e0603551d0f0101ff04040302078030819f06082b0601050507010104819230818f304c06082b060105050730028640687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f67736763637234356576636f64657369676e6361323032302e637274303f06082b060105050730018633687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f67736763637234356576636f64657369676e63613230323030550603551d20044e304c304106092b06010401a03201023034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f3007060567810c010330090603551d130402300030470603551d1f0440303e303ca03aa0388636687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f67736763637234356576636f64657369676e6361323032302e63726c301d0603551d11041630148112766164696d406e746b65726e656c2e636f6d30130603551d25040c300a06082b06010505070303301f0603551d23041830168014259dd0fc59098663c5ecf3b1133b571c03923611301d0603551d0e041604148dc2b11ae78ab76f8aab5960b890d909d9016401300d06092a864886f70d01010b050003820201000895095a5571b35e6f7dde4c5c5fb34fcfea592612898f06ff108300f532fee557063725122bd0aa4a1ac4da784c2597abba914008191d7cbdae8418e36ce302f6f65f94dcbf2e4cb5f67e9e20ed3297d6a96bb691359dfc951358870bc18cc09a21a2dd6ddce4a24e713b6323532549e9b83e7cc50e3f0333eca25219bddc9d6332b566cf5a46c9bf984a0396ee407e0466e89471eb294ffdd0b3245fa41e96ee85b224972dcb3f5471ce0073d4dde220aa2b57e6da477082b0c6a8bfa0a56ac40470252e005c8a3d97d2bdefdd0d5ad36db289fdfc6421d57f4e0aa2d3caa94dba8a52afaffdccf457cb6f8a8943c22ba3dd13ddfbb16f7a59bd54e382769e96b6700d21acd61cf89b0fed3934668ccd4615cb880ecde2232abfada603186f89e17a90bed8dd9b7e4c44429a32ed7eda6b175b893098f95c612f68918ff8e7bc6a90f0cbca83103a9371822bc7fe149c40ee8ea69753630915d8b3fb8c9e8b34278b530183f97c2140e19045fde98d206fe1700f17f6005b5a0022a42408caf750d32e429dbc5f93f1c9b875310e0fba0b60d56ab3a8e410cfc4a6120f4af5de0cd5de4b0b433f126af310bd321d07e6deff50903982e19494215af259b7a5e310d3e23036820e34703ce3c9ceec88acf7ef8e7162232a53eb29001f2821b74c96012e63584f142e66a139b10de2a55656e291584c1eee01a161d0dbb42154	certinst.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	4363463463464363463463463.exe
Token: SeDebugPrivilege	1904	XClient.exe
Token: SeAuditPrivilege	2804	svchost.exe
Token: SeSecurityPrivilege	2804	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1352	khtoawdltrha.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 1352	3964	4363463463464363463463463.exe	97
PID 3964 wrote to memory of 1352	3964	4363463463464363463463463.exe	97
PID 3964 wrote to memory of 1352	3964	4363463463464363463463463.exe	97
PID 3964 wrote to memory of 2180	3964	4363463463464363463463463.exe	102
PID 3964 wrote to memory of 2180	3964	4363463463464363463463463.exe	102
PID 3964 wrote to memory of 2180	3964	4363463463464363463463463.exe	102
PID 3964 wrote to memory of 1904	3964	4363463463464363463463463.exe	104
PID 3964 wrote to memory of 1904	3964	4363463463464363463463463.exe	104
PID 2180 wrote to memory of 780	2180	NdisInstaller3.2.32.1.exe	105
PID 2180 wrote to memory of 780	2180	NdisInstaller3.2.32.1.exe	105
PID 2180 wrote to memory of 780	2180	NdisInstaller3.2.32.1.exe	105
PID 2180 wrote to memory of 5116	2180	NdisInstaller3.2.32.1.exe	106
PID 2180 wrote to memory of 5116	2180	NdisInstaller3.2.32.1.exe	106
PID 2804 wrote to memory of 4796	2804	svchost.exe	109
PID 2804 wrote to memory of 4796	2804	svchost.exe	109

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1352
- C:\Users\Admin\AppData\Local\Temp\Files\NdisInstaller3.2.32.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NdisInstaller3.2.32.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\Files\certinst.exe
    certinst.exe root.cer
    3⤵
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:780
- - C:\Users\Admin\AppData\Local\Temp\Files\snetcfg.exe
    snetcfg.exe -v -l ndisrd_lwf.inf -c s -i nt_ndisrd
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{078876bf-24f5-5048-8af7-515b1123e9a9}\ndisrd_lwf.inf" "9" "4bd8d163f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\AppData\Local\Temp\Files"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\NdisInstaller3.2.32.1.exe

Filesize
720KB

MD5
856b304059bba7cd73f05328e48daff8

SHA1
e9e52af6dd4715ece91d253bda4acba43abcf277

SHA256
f6ce81e27f70f5563c0e69a0d8e027deb28e96d3bef447d8cdd687ce3b8a3919

SHA512
fbf4373b94199b06a19e751f9cdcad6c05ecaed496f8d5d352f05bc5d6e53dfeac18ae3b5896f1da816c68da1c6254a7ea3335872aa8f296262662a67433606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
237KB

MD5
34d6274d11258ced240d9197baef3468

SHA1
21f0e4e9f0d19ecb2027cbd98f6f7e1e5c2be131

SHA256
25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce

SHA512
54f123f82a53b402bbfdfbf5da99ca84cdff4ba1ff1494cd2c983541fb100a8239e799de2e1f4d2de189f1b31bcd1354c5f88b726424bae055053b57c204ccfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\certinst.exe

Filesize
53KB

MD5
2d948539597c092b917ede9ac3dc298b

SHA1
7ec62bbfce2c2d213922b21e9261ad8421daef5d

SHA256
be6bd964af73210976747ab01b8081c5988703600b49c4725d43affb3835da6e

SHA512
1266d4f8eb02748b61d4da289c67247966a40553a1081058b74fd26e43ba86db1913597df7938c24dfd7f766e341059af2a2a2c3f0ef7f1b8aedc46a1e6b8e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe

Filesize
1.2MB

MD5
21eb0b29554b832d677cea9e8a59b999

SHA1
e6775ef09acc67f90e07205788a4165cbf8496ca

SHA256
9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656

SHA512
e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ndisrd.cat

Filesize
10KB

MD5
57f18ba4482ce389813f1d9a7e4c25e2

SHA1
80952e76258d61bb2857a2cdad0b5f08d23f3f50

SHA256
b5d021d96b29b9c961c135dc992b68aea4380653b7179747b0f39e4a019a6f57

SHA512
f5812729085dfe557c2e48a74168064f501a274ea0f6bfbd590b67bd144a48d6b8576f04739b53d871fdb999ff7f5c2e6a7d025ae6d561eca1a376c4983efea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ndisrd.sys

Filesize
56KB

MD5
36b09f1926e69866333f33a87ae87c54

SHA1
120c914cb5a1c96971514a392acb9150ed1d748d

SHA256
8e9a3db5d50cea173fcf7f93552bd62846af4b92cafa8c25e55fff88a5a1d364

SHA512
3f4c6fd484666f4a4942ca92e124a48e3d1f3891ac613b6e14a79c2f9036006162ea46bcbcdd6901abeadbe45785f82561acd827299ab87000f626d644dea920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ndisrd_lwf.inf

Filesize
2KB

MD5
7037faf01371f8f2b40acd965624f564

SHA1
df69062aeef984b957290d6b9216319ef19a8a57

SHA256
bff2d6c7975e221074c2a20c74f8671f191e7a43dcf9e7435366213dc40ac993

SHA512
29758763b23efd18f037c9695eb4f949feebfa15e41e2cfe3635d1163515e349fdc95de595215e5996ea3f6db1b15ee2f28c968e788b78e43b6dcf46dd04c0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\root.cer

Filesize
1KB

MD5
6a3ba8df688d08464008efa7ae49be8d

SHA1
fdb7cffe05417c221025e753bc3999e44d10c22a

SHA256
a09f01679b590ef637341dc874fb846581caecff0571036493ac42f4ff9ce335

SHA512
6109c023c87b1688b542baca5f94a7d4029e83fafbdec6e5dac811c80fb6ad7a17073a8896bae2a12620e21a364a75945e2fbfba7380a65a2ad665597c201788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\snetcfg.exe

Filesize
15KB

MD5
3b646b9d750aadd3dc5e26d08ea5b285

SHA1
a396e740a34da1112621efca0b7309dba9706cf5

SHA256
c80d994761ec106e15232ca38aeda7e673d82888644fc8e71d6943c2af26f3e7

SHA512
4e448d4d2b10d44f09e337856c3e133e99a41448fb132fb675805c140d22bd85602ee130b6204a6a17f5391946156c133a975e0f411dd1f38abd30cd53635d2d

Download Submit
memory/1352-15-0x0000000000D40000-0x0000000001103000-memory.dmp

Filesize
3.8MB

Download
memory/1352-14-0x0000000000D40000-0x0000000001103000-memory.dmp

Filesize
3.8MB

Download
memory/1904-43-0x00000000005E0000-0x0000000000622000-memory.dmp

Filesize
264KB

Download
memory/3964-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/3964-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3964-4-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/3964-3-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3964-2-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/3964-1-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads