Windows Analysis Report
Autoplay.exe

Overview

General Information

Sample Name: Autoplay.exe
Analysis ID: 831163
MD5: 66ac9ab5cd3881b7799a8cec1c6611f0
SHA1: 6671c3205779264e90cfbb17221f62a31aef8d4c
SHA256: 1f9bd27fd7591a98afd67499ae6730eb56c137335d283892bc06b7ab2241ed6c
Tags: exe malware stealer

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected LummaC Stealer
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Sample file name differs from the original file name in the version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Tries to load missing DLLs
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Searches for user specific document files
Entry point lies outside standard sections

Classification

AV Detection

Source: Autoplay.exe ReversingLabs: Detection: 25%
Source: Autoplay.exe Virustotal: Detection: 26%
Source: http://82.118.23.50/c2socksBi Avira URL Cloud: Label: malware
Source: http://82.118.23.50/ Avira URL Cloud: Label: malware
Source: http://82.118.23.50/c2sockYi Avira URL Cloud: Label: malware
Source: http://82.118.23.50/c2socksSi Avira URL Cloud: Label: malware
Source: http://82.118.23.50/c2sock Avira URL Cloud: Label: malware
Source: http://82.118.23.50/c2sock Virustotal: Detection: 13%
Source: http://82.118.23.50/ Virustotal: Detection: 8%
Source: Autoplay.exe Joe Sandbox ML: detected
Source: Autoplay.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: global traffic TCP traffic: 192.168.2.4:49692 -> 82.118.23.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 82.118.23.50 (logged 17 times)
Source: Autoplay.exe, 00000000.00000002.581825210.0000000003F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.23.50/
Source: Autoplay.exe, Autoplay.exe, 00000000.00000002.581255406.00000000037AA000.00000004.00000020.00020000.00000000.sdmp, Autoplay.exe, 00000000.00000002.581825210.0000000003FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.23.50/c2sock
Source: Autoplay.exe, 00000000.00000002.581825210.0000000003FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.23.50/c2sockYi
Source: Autoplay.exe, 00000000.00000002.581825210.0000000003FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.23.50/c2socksBi
Source: Autoplay.exe, 00000000.00000002.581825210.0000000003FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.118.23.50/c2socksSi
Source: Autoplay.exe, 00000000.00000002.580766315.000000000116D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://r.acdsee.com/Ot1su=Copy
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: Autoplay.exe, 00000000.00000003.330780726.000000000376E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
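The connections to 82.118.23.50 above were made without any DNS lookup, which is what a hard-coded C2 address looks like on the wire (the URL strings http://82.118.23.50/c2sock* confirm the address is embedded in the sample). The following detection is an added example, not part of the Joe Sandbox report: it replays a constructed, Zeek-like event log and flags connections to routable addresses that no earlier DNS answer resolved to. Only the destination 82.118.23.50 and the source 192.168.2.4:49692 come from the report; the other hosts, names and timestamps are made up for contrast.

```python
"""Flag TCP connections to public IPs that no preceding DNS answer explained.
Added example for the 'TCP traffic detected without corresponding DNS query'
signature; not part of the Joe Sandbox report."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log, one event per line. Only the 82.118.23.50 connection
# from 192.168.2.4:49692 mirrors the report; everything else is invented.
SAMPLE_EVENTS = """\
1.00 dns q=www.ecosia.org a=52.213.66.178
1.05 conn 192.168.2.4:49690 -> 52.213.66.178:443
1.10 conn 192.168.2.4:49692 -> 82.118.23.50:80
1.20 conn 192.168.2.4:49693 -> 82.118.23.50:80
1.30 conn 192.168.2.4:49694 -> 192.168.2.1:53
1.40 conn 192.168.2.4:49695 -> 82.118.23.50:80
2.00 dns q=late.example a=82.118.23.50
2.10 conn 192.168.2.4:49696 -> 82.118.23.50:80
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) dns q=(?P<name>\S+) a=(?P<ip>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn \S+ -> (?P<ip>[^:]+):(?P<port>\d+)$")


def unresolved_connections(text):
    """Return {dst_ip: [timestamps]} for connections to public addresses that
    no earlier DNS answer resolved to.

    Order matters: a lookup that only happens after the first connection does
    not excuse it. A stealer with an embedded C2 IP connects first and may
    never resolve anything, which is exactly the case this rule catches."""
    resolved = set()
    flagged = defaultdict(list)
    for line in text.splitlines():
        if (m := DNS_RE.match(line)):
            resolved.add(m["ip"])
            continue
        if (m := CONN_RE.match(line)):
            ip = ipaddress.ip_address(m["ip"])
            # Local traffic (DNS to the gateway, link-local, private ranges)
            # never has a lookup and is not interesting here.
            if not ip.is_global:
                continue
            if str(ip) not in resolved:
                flagged[str(ip)].append(float(m["ts"]))
    return dict(flagged)


if __name__ == "__main__":
    for ip, times in unresolved_connections(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(times)} connection(s) with no prior DNS answer, first at t={times[0]}")
```

The rule is intentionally one-directional: the connection at t=2.10 is not flagged because a lookup returned 82.118.23.50 before it, while the three earlier ones are. On a real sensor the `resolved` set should be keyed per source host and aged out, and CDN front ends that are reached by IP literal (update clients, OCSP) need an allowlist, or the rule will be noisy.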

System Summary

Source: Autoplay.exe Static PE information: section name: .!Q:
Source: Autoplay.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Autoplay.exe, 00000000.00000000.303639351.0000000000F56000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameACDSeeQVUltimate15.exe.dllD vs Autoplay.exe
Source: Autoplay.exe, 00000000.00000002.580766315.0000000000F56000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameACDSeeQVUltimate15.exe.dllD vs Autoplay.exe
Source: Autoplay.exe Binary or memory string: OriginalFilenameACDSeeQVUltimate15.exe.dllD vs Autoplay.exe
Source: C:\Users\user\Desktop\Autoplay.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Autoplay.exe Section loaded: ters-alreq-std-v19.dll
Source: Autoplay.exe ReversingLabs: Detection: 25%
Source: Autoplay.exe Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\Autoplay.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
Source: Autoplay.exe, 00000000.00000003.425732180.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, Autoplay.exe, 00000000.00000002.581255406.000000000372C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Autoplay.exe Static file information: File size 7896576 > 1048576
Source: Autoplay.exe Static PE information: Raw size of section .!Q: is 0x784800, larger than the 0x100000 threshold
Source: Autoplay.exe Static PE information: section name: .00cfg
Source: Autoplay.exe Static PE information: section name: .voltbl
Source: Autoplay.exe Static PE information: section name: .I6g
Source: Autoplay.exe Static PE information: section name: .oLB
Source: Autoplay.exe Static PE information: section name: .!Q:
Source: initial sample Static PE information: section where entry point is pointing to: .!Q:

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Autoplay.exe Memory written: PID: 1400 base: 1670005 value: E9 FB 99 6F 76
Source: C:\Users\user\Desktop\Autoplay.exe Memory written: PID: 1400 base: 77D69A00 value: E9 0A 66 90 89
Source: C:\Users\user\Desktop\Autoplay.exe Memory written: PID: 1400 base: 1680007 value: E9 7B 4C 72 76
Source: C:\Users\user\Desktop\Autoplay.exe Memory written: PID: 1400 base: 77DA4C80 value: E9 8E B3 8D 89
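Each of the four writes above is a 5-byte `jmp rel32` (opcode E9), and PID 1400 is the sample's own process (it is the PID in the Yara matches further down), so these are inline hooks the sample places in its own address space. Decoding them is enough to pair them up: the script below is an added example, not part of the report, and it resolves each rel32 to its absolute target and matches every hook in a loaded module with the trampoline that jumps back into the hooked function. The report does not name the module at 0x77D69A00 and 0x77DA4C80; the single module range in the code is an assumption standing in for the sandbox's loaded-module list.

```python
"""Decode the E9 (jmp rel32) memory writes listed in the report and recover
hook/trampoline pairs. Added example, not part of the Joe Sandbox report."""
import struct

# The four writes exactly as the report lists them: (address, bytes written).
REPORTED_WRITES = [
    (0x01670005, bytes.fromhex("E9FB996F76")),
    (0x77D69A00, bytes.fromhex("E90A669089")),
    (0x01680007, bytes.fromhex("E97B4C7276")),
    (0x77DA4C80, bytes.fromhex("E98EB38D89")),
]

# ASSUMPTION: the report does not say which module is mapped at 0x77D6xxxx /
# 0x77DAxxxx. A real triage takes these ranges from the sandbox's module list;
# here one range is constructed to cover the two high addresses.
ASSUMED_MODULE_RANGES = [(0x77D00000, 0x77E00000)]


def jmp_rel32_target(address, code):
    """Absolute target of a 5-byte 'jmp rel32' (opcode E9) written at `address`.
    rel32 is signed and relative to the end of the instruction (address + 5);
    the sum wraps to 32 bits, as it does in a 32-bit process."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError(f"not jmp rel32 at {address:#010x}: {code.hex()}")
    (rel32,) = struct.unpack("<i", code[1:5])
    return (address + 5 + rel32) & 0xFFFFFFFF


def in_module(address, ranges):
    return any(lo <= address < hi for lo, hi in ranges)


def pair_hooks(writes, module_ranges, max_prologue=16):
    """Split the jmp writes into hooks (inside a loaded module) and trampolines
    (anywhere else), then match each hook H -> detour D with the trampoline
    whose jump lands back at H + n, where n is the number of prologue bytes the
    hook displaced (bounded by max_prologue)."""
    hooks, tramps = {}, {}
    for addr, code in writes:
        target = jmp_rel32_target(addr, code)
        (hooks if in_module(addr, module_ranges) else tramps)[addr] = target
    pairs = []
    for hook, detour in sorted(hooks.items()):
        for tramp, resume in tramps.items():
            if 0 < resume - hook <= max_prologue:
                pairs.append({"hooked": hook, "detour": detour,
                              "trampoline_jmp": tramp, "resume": resume,
                              "displaced_bytes": resume - hook})
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(REPORTED_WRITES, ASSUMED_MODULE_RANGES):
        print("  ".join(f"{k}={v}" if k == "displaced_bytes" else f"{k}={v:#010x}"
                        for k, v in p.items()))
```

Running it on the report's values gives two pairs: the function at 0x77D69A00 is redirected to 0x0167000F and its first 5 bytes are resumed from 0x01670005, and the function at 0x77DA4C80 is redirected to 0x01680013 with 7 bytes resumed from 0x01680007. Subtracting the displaced length from each trampoline jump puts the saved prologues at 0x01670000 and 0x01680000, so each hook owns a freshly allocated, page-aligned region holding prologue, jump back and detour body in that order. Without module ranges the pairing is ambiguous, because the mirror reading (treating the low address as the hooked function) is geometrically just as consistent; the module list is what breaks the tie.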

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Autoplay.exe Special instruction interceptor: First address: 00000000008A6E86 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Autoplay.exe RDTSC instruction interceptor: First address: 000000000094C993 second address: 000000000094C99D instructions:
  0x00000000 rdtsc
  0x00000002 sub eax, edi
  0x00000004 xchg ebp, ebx
  0x00000006 pop ebx
  0x00000007 shl dh, FFFFFFD1h
  0x0000000a rdtsc
Source: C:\Users\user\Desktop\Autoplay.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Autoplay.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Autoplay.exe System information queried: ModuleInformation
Source: Autoplay.exe Binary or memory string: iSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzUG9pqQ65IP5GPRDu23FkMjK3Gf1kr3Gpm7V9YaGVWMT3DkRpma9uAKjugadVJIYOFY1y+6YRFe2KQ0yHIM1qIYj7zj0oSZW5Slt2VgQs8hx01yo6lDVFhiRuON0sQwcb2qNRei3qWLNNFuLdVjjUrzAJ0FHvbwSyBCVdgqWL7Ek2ZfQH2majYYubCIrUCQ2I0bzay8s4kA+AcPNb
Source: Autoplay.exe, 00000000.00000002.581255406.000000000377F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: Autoplay.exe Binary or memory string: AmqFASb2a9cniFd1WShAuTwy4azZ2s7TEdmMYHqp3Q1qriAFImdAb1wPj0LK+XKeiS7aaYX8fxpchpGLJGHWazeezetpfT0VpJr1Q64QgHcMbnwZFQ23TTPL8ycERvYa+v2DGlUmLdRcUa8JvlNv5MnW63qrAoY3MIz4XFdquCuB2O8Saf5uD5XB2XhlSnr7sk3grNdoMQC7oFCiSCM8L5RJ4SH80ehgFST82YbagYP/3soq5XCV103AABO8GWOM9jzU

Anti Debugging

Source: C:\Users\user\Desktop\Autoplay.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Autoplay.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Autoplay.exe Process Stats: CPU usage > 85% for more than 60s
Source: C:\Users\user\Desktop\Autoplay.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\Autoplay.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Autoplay.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Autoplay.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Autoplay.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Autoplay.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.574486828.0000000000401000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autoplay.exe PID: 1400, type: MEMORYSTR
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Autoplay.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Autoplay.exe Directory queried: C:\Users\user\Documents
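The file accesses above fall into three groups: Chrome's credential and session stores (Login Data, Login Data For Account, Web Data, History, Network\Cookies), the Firefox profile root, and several dozen Local Extension Settings directories whose 32-letter names are Chrome Web Store extension IDs (the report does not say which extensions they belong to). A non-browser process touching all three within seconds is the stealer pattern. The classifier below is an added example, not part of the report; it parses constructed "File opened:" lines (a handful copied from the report plus two benign paths) and summarises them so a rule can fire on the combination rather than on any single file. The thresholds in `stealer_like` are assumptions.

```python
"""Classify browser-profile file accesses into credential stores, extension
storage and noise. Added example, not part of the Joe Sandbox report."""
import re
from collections import Counter

# Constructed sample: six paths taken from the report, two benign ones added.
SAMPLE_LINES = r"""
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
File opened: C:\Users\user\Documents\notes.txt
""".strip()

# Path below the Chromium profile directory, e.g. "Login Data" or
# "Local Extension Settings\<id>"; the profile name itself is not needed.
CHROMIUM_RE = re.compile(r"\\User Data\\[^\\]+\\(?P<rest>.+)$")
# Chrome Web Store IDs are 32 characters drawn from a-p (a base-16 alphabet).
EXT_RE = re.compile(r"^Local Extension Settings\\(?P<ext>[a-p]{32})$")
FIREFOX_RE = re.compile(r"\\Mozilla\\Firefox\\Profiles")
CREDENTIAL_FILES = {"Login Data", "Login Data For Account", "Web Data",
                    "History", r"Network\Cookies", "Cookies"}


def classify(text):
    """Summarise 'File opened: <path>' lines. Returns which credential stores
    were read, which extension IDs, how many extension reads in total, whether
    the Firefox profile root was touched, and how many paths matched nothing."""
    creds, exts, other, firefox = set(), Counter(), 0, False
    for line in text.splitlines():
        path = line.split("File opened: ", 1)[-1]
        if FIREFOX_RE.search(path):
            firefox = True
            continue
        m = CHROMIUM_RE.search(path)
        if not m:
            other += 1
            continue
        rest = m["rest"]
        if rest in CREDENTIAL_FILES:
            creds.add(rest)
        elif (e := EXT_RE.match(rest)):
            exts[e["ext"]] += 1
        else:
            other += 1
    return {"credential_stores": sorted(creds), "extension_ids": sorted(exts),
            "extension_reads": sum(exts.values()), "firefox_profiles": firefox,
            "other": other}


def stealer_like(summary, min_extensions=1):
    """ASSUMED rule: a credential store read together with at least
    `min_extensions` distinct extension-storage directories. Apply it only to
    processes that are not the browser itself; Chrome opens all of these."""
    return bool(summary["credential_stores"]) and \
        len(summary["extension_ids"]) >= min_extensions


if __name__ == "__main__":
    s = classify(SAMPLE_LINES)
    print(s)
    print("stealer-like:", stealer_like(s))
```

On the report's full list the extension count would be several dozen, which is the stronger signal: no legitimate non-browser process enumerates that many extension storage directories, while a backup agent might plausibly read Login Data once. Keying the summary per process and per minute turns it into a usable rule.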

Remote Access Functionality

Source: Yara match File source: 0.2.Autoplay.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.574486828.0000000000401000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Autoplay.exe PID: 1400, type: MEMORYSTR