lumma | 555279cf7c7064b32bd5595f490702dba5c5aec6a0b58db22410880ad42b7106

Analysis

max time kernel
146s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acaef7a4ed87dc90ff181955ea7a2bbf.exe
Size

1.4MB
MD5

acaef7a4ed87dc90ff181955ea7a2bbf
SHA1

e0292a9243be088f673b151ddb9d81d34ed50c1e
SHA256

555279cf7c7064b32bd5595f490702dba5c5aec6a0b58db22410880ad42b7106
SHA512

b1383930888c5effe283617964cfad0753619863e3a9865c174a3dcaabf8e224fdf1ab6d69d7c3d41b2ebfc9d4fa8e2d8c15f10b68cd13a2bff3e0a4e7721536
SSDEEP

24576:slbRUyb2oyZ1rdHgCu4oK1I+zZMZaPKLQXuXujAnO6eWe0LjlEQfARoac:UUybE3RHgCud+I++p8XuXJq8l9Fac

Score

10^/10

lumma evasion stealer themida

Malware Config

Signatures

Detect Lumma Stealer payload V4 17 IoCs

resource	yara_rule
behavioral1/memory/2228-10-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2228-147-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-157-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-285-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-289-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-290-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/772-311-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/772-426-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/772-432-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2924-568-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2900-704-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2900-710-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/1160-847-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/2996-991-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/464-1120-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/3068-1245-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4
behavioral1/memory/1872-1364-0x0000000000400000-0x00000000007BB000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
2640	nodf64.exe
772	nodf64.exe
2924	nodf64.exe
2900	nodf64.exe
1160	nodf64.exe
2996	nodf64.exe
464	nodf64.exe
3068	nodf64.exe
1872	nodf64.exe
1896	nodf64.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	acaef7a4ed87dc90ff181955ea7a2bbf.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	nodf64.exe

Loads dropped DLL 20 IoCs

pid	Process
2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe
2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe
2640	nodf64.exe
2640	nodf64.exe
772	nodf64.exe
772	nodf64.exe
2924	nodf64.exe
2924	nodf64.exe
2900	nodf64.exe
2900	nodf64.exe
1160	nodf64.exe
1160	nodf64.exe
2996	nodf64.exe
2996	nodf64.exe
464	nodf64.exe
464	nodf64.exe
3068	nodf64.exe
3068	nodf64.exe
1872	nodf64.exe
1872	nodf64.exe

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2228-0-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2228-10-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/files/0x0007000000016d84-142.dat	themida
behavioral1/memory/2228-147-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2640-148-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2640-157-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2640-285-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2640-289-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/772-291-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2640-290-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/772-311-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/772-426-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/772-432-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2924-568-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2900-704-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/2900-710-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/1160-847-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/files/0x0007000000016d84-848.dat	themida
behavioral1/memory/2996-991-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/files/0x0007000000016d84-995.dat	themida
behavioral1/files/0x0007000000016d84-1117.dat	themida
behavioral1/files/0x0007000000016d84-1119.dat	themida
behavioral1/files/0x0007000000016d84-1118.dat	themida
behavioral1/memory/464-1120-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/memory/3068-1245-0x0000000000400000-0x00000000007BB000-memory.dmp	themida
behavioral1/files/0x0007000000016d84-1362.dat	themida
behavioral1/files/0x0007000000016d84-1361.dat	themida
behavioral1/files/0x0007000000016d84-1363.dat	themida
behavioral1/memory/1872-1364-0x0000000000400000-0x00000000007BB000-memory.dmp	themida

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	acaef7a4ed87dc90ff181955ea7a2bbf.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	acaef7a4ed87dc90ff181955ea7a2bbf.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File opened for modification	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe
File created	C:\Windows\SysWOW64\nodf64.exe	nodf64.exe

Runs .reg file with regedit 11 IoCs

pid	Process
1976	regedit.exe
2276	regedit.exe
2176	regedit.exe
2148	regedit.exe
2280	regedit.exe
2364	regedit.exe
2100	regedit.exe
1692	regedit.exe
1636	regedit.exe
2532	regedit.exe
2668	regedit.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe
2640	nodf64.exe
772	nodf64.exe
2924	nodf64.exe
2900	nodf64.exe
1160	nodf64.exe
2996	nodf64.exe
464	nodf64.exe
3068	nodf64.exe
1872	nodf64.exe
1896	nodf64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1608	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	30
PID 2228 wrote to memory of 1608	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	30
PID 2228 wrote to memory of 1608	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	30
PID 2228 wrote to memory of 1608	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	30
PID 1608 wrote to memory of 2532	1608	cmd.exe	31
PID 1608 wrote to memory of 2532	1608	cmd.exe	31
PID 1608 wrote to memory of 2532	1608	cmd.exe	31
PID 1608 wrote to memory of 2532	1608	cmd.exe	31
PID 2228 wrote to memory of 2640	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	32
PID 2228 wrote to memory of 2640	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	32
PID 2228 wrote to memory of 2640	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	32
PID 2228 wrote to memory of 2640	2228	acaef7a4ed87dc90ff181955ea7a2bbf.exe	32
PID 2640 wrote to memory of 2928	2640	nodf64.exe	33
PID 2640 wrote to memory of 2928	2640	nodf64.exe	33
PID 2640 wrote to memory of 2928	2640	nodf64.exe	33
PID 2640 wrote to memory of 2928	2640	nodf64.exe	33
PID 2928 wrote to memory of 2148	2928	cmd.exe	34
PID 2928 wrote to memory of 2148	2928	cmd.exe	34
PID 2928 wrote to memory of 2148	2928	cmd.exe	34
PID 2928 wrote to memory of 2148	2928	cmd.exe	34
PID 2640 wrote to memory of 772	2640	nodf64.exe	35
PID 2640 wrote to memory of 772	2640	nodf64.exe	35
PID 2640 wrote to memory of 772	2640	nodf64.exe	35
PID 2640 wrote to memory of 772	2640	nodf64.exe	35
PID 772 wrote to memory of 2616	772	nodf64.exe	36
PID 772 wrote to memory of 2616	772	nodf64.exe	36
PID 772 wrote to memory of 2616	772	nodf64.exe	36
PID 772 wrote to memory of 2616	772	nodf64.exe	36
PID 2616 wrote to memory of 2668	2616	cmd.exe	37
PID 2616 wrote to memory of 2668	2616	cmd.exe	37
PID 2616 wrote to memory of 2668	2616	cmd.exe	37
PID 2616 wrote to memory of 2668	2616	cmd.exe	37
PID 772 wrote to memory of 2924	772	nodf64.exe	38
PID 772 wrote to memory of 2924	772	nodf64.exe	38
PID 772 wrote to memory of 2924	772	nodf64.exe	38
PID 772 wrote to memory of 2924	772	nodf64.exe	38
PID 2924 wrote to memory of 1404	2924	nodf64.exe	39
PID 2924 wrote to memory of 1404	2924	nodf64.exe	39
PID 2924 wrote to memory of 1404	2924	nodf64.exe	39
PID 2924 wrote to memory of 1404	2924	nodf64.exe	39
PID 1404 wrote to memory of 2280	1404	cmd.exe	40
PID 1404 wrote to memory of 2280	1404	cmd.exe	40
PID 1404 wrote to memory of 2280	1404	cmd.exe	40
PID 1404 wrote to memory of 2280	1404	cmd.exe	40
PID 2924 wrote to memory of 2900	2924	nodf64.exe	41
PID 2924 wrote to memory of 2900	2924	nodf64.exe	41
PID 2924 wrote to memory of 2900	2924	nodf64.exe	41
PID 2924 wrote to memory of 2900	2924	nodf64.exe	41
PID 2900 wrote to memory of 1260	2900	nodf64.exe	42
PID 2900 wrote to memory of 1260	2900	nodf64.exe	42
PID 2900 wrote to memory of 1260	2900	nodf64.exe	42
PID 2900 wrote to memory of 1260	2900	nodf64.exe	42
PID 1260 wrote to memory of 2364	1260	cmd.exe	43
PID 1260 wrote to memory of 2364	1260	cmd.exe	43
PID 1260 wrote to memory of 2364	1260	cmd.exe	43
PID 1260 wrote to memory of 2364	1260	cmd.exe	43
PID 2900 wrote to memory of 1160	2900	nodf64.exe	44
PID 2900 wrote to memory of 1160	2900	nodf64.exe	44
PID 2900 wrote to memory of 1160	2900	nodf64.exe	44
PID 2900 wrote to memory of 1160	2900	nodf64.exe	44
PID 1160 wrote to memory of 1032	1160	nodf64.exe	45
PID 1160 wrote to memory of 1032	1160	nodf64.exe	45
PID 1160 wrote to memory of 1032	1160	nodf64.exe	45
PID 1160 wrote to memory of 1032	1160	nodf64.exe	45

C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe
"C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:2532
- C:\Windows\SysWOW64\nodf64.exe
  C:\Windows\system32\nodf64.exe 632 "C:\Users\Admin\AppData\Local\Temp\acaef7a4ed87dc90ff181955ea7a2bbf.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:2148
- - C:\Windows\SysWOW64\nodf64.exe
    C:\Windows\system32\nodf64.exe 720 "C:\Windows\SysWOW64\nodf64.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2668
  - - C:\Windows\SysWOW64\nodf64.exe
      C:\Windows\system32\nodf64.exe 716 "C:\Windows\SysWOW64\nodf64.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2280
    - - C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 724 "C:\Windows\SysWOW64\nodf64.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2364
      - C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 732 "C:\Windows\SysWOW64\nodf64.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2100
        
        C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 728 "C:\Windows\SysWOW64\nodf64.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        
        PID:840
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1692
        
        C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 740 "C:\Windows\SysWOW64\nodf64.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1636
        
        C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 736 "C:\Windows\SysWOW64\nodf64.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        
        PID:596
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1976
        
        C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 748 "C:\Windows\SysWOW64\nodf64.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        
        PID:980
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2276
        
        C:\Windows\SysWOW64\nodf64.exe
        
        C:\Windows\system32\nodf64.exe 744 "C:\Windows\SysWOW64\nodf64.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
8a84d46ef81c793a90a80bc806cffdcf

SHA1
02fac9db9330040ffc613a325686ddca2678a7c5

SHA256
201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4

SHA512
b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
538B

MD5
d67d51b859c99a46a906a4c3a6ff6560

SHA1
b685cc703a1c86ba8ad681b545a6f3014b80d585

SHA256
33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a

SHA512
c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Windows\SysWOW64\nodf64.exe

Filesize
910KB

MD5
206f381696e1eb40fd1016f6cd5ea5fc

SHA1
12776abe7ac6360cc1fa69e9c6f28eb88dd46c3f

SHA256
5bed48c409bbca372d2dad0bbc827616b450b28a9fc365a36839ec04d7f053c3

SHA512
a8d30fc22bbc36e6bfafa09de09bf2930821ea25e44092e0f39407ffbd959adfbb2ff961f1d92d27b01128d34701987b50cb840186d73c7d09710abbca889da8

Download Submit
C:\Windows\SysWOW64\nodf64.exe

Filesize
556KB

MD5
87073dd9390665b126d8251370d72b6d

SHA1
a6dfb58a27f7c39eb8b259d45044456d5520e267

SHA256
9f89b7a73a4e9be7f3c1b549f7cd485985a09b4bd4e0e6c373e0a4dfcea6d0a7

SHA512
9370f8b2af99a7892ff44cadf9aeba0508ce2587cdc040825c13a7ad9e890526064c56d3c2de117a0e05ec02b631762e9843497f667617a4e0b6702321a5f738

Download Submit
C:\Windows\SysWOW64\nodf64.exe

Filesize
1.4MB

MD5
acaef7a4ed87dc90ff181955ea7a2bbf

SHA1
e0292a9243be088f673b151ddb9d81d34ed50c1e

SHA256
555279cf7c7064b32bd5595f490702dba5c5aec6a0b58db22410880ad42b7106

SHA512
b1383930888c5effe283617964cfad0753619863e3a9865c174a3dcaabf8e224fdf1ab6d69d7c3d41b2ebfc9d4fa8e2d8c15f10b68cd13a2bff3e0a4e7721536

Download Submit
C:\Windows\SysWOW64\nodf64.exe

Filesize
1.1MB

MD5
9d3c610a9349666a48ceb6a115656896

SHA1
ccb483b2b03719d756827146f1eac110ce9700f0

SHA256
21aa461efd55afe4d68a8c2594030a42422c61934da17118fd42fd9eca79824a

SHA512
14fc0def3455f0bcd544a32ed67bd3750d36af5d206944374a20c31b64caa827c82c48a50f76df01331dc9486e3a39316181caf8aea08573742b3b1dcb671f38

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\nodf64.exe

Filesize
1.3MB

MD5
79d8cac956fef5a64bf0b826ddafdfae

SHA1
a24685b8eae89955440fed541b2298b40a8fb026

SHA256
f84ae172a21ebf5bcb1fe3086aa899c8c7252d989c652f67a59412276f529aef

SHA512
1c328200a1cad4cddc01c05a4cc4b012f8c32a40fa6e5aa23f755a60e435c6a5d831e506ce2463ec14d47de60d3472244d8e067edff1828de5e812f5eb6caa02

Download Submit
\Windows\SysWOW64\nodf64.exe

Filesize
1.1MB

MD5
c8634aae6f8564a2f7f37d113f154239

SHA1
f2d05800bb926ad741e9ae393e8d5d1c1158477a

SHA256
199fe6ad4c65851b6ee6012832abb2de93123a90f2ee3c38a933154ae6854f80

SHA512
e641cd193574e6204f810f05d07792c72d87a1698866e0b94ef791cd85eaf05c936a867576db7fd94007ee308a053a41be4ef9c8bd57ebc57958bc5475057181

Download Submit
\Windows\SysWOW64\nodf64.exe

Filesize
776KB

MD5
f42a840f264e9267931b4034b511ef02

SHA1
629c998934fd7e56cf51e3d2ce20cd5055d14f2f

SHA256
304e8acb1061db91d3980dbdb47677fbe962e16dc4506c7f452420571a15367a

SHA512
16697d9d814ccab0a1173ddc7c9a67d17a5092468bcc7ffa40c53f0889374ea0cea66b5ab0080dce8db87f40ad47ae4baa455c99335b7fd2b254998b9e2efc8e

Download Submit
\Windows\SysWOW64\nodf64.exe

Filesize
764KB

MD5
bbc19778f7f1fd71fffcb94d18b2d7b4

SHA1
8beda72b59013f076b17e3a63aed9ca7734f0dfe

SHA256
3134ec921f164811a89e069f0f2e9c4a40be1ec3cfb0fc5fc6821db3faeead05

SHA512
925f1805a3d29d9f330e40f04245121e1d116d62834cff4001e7d6d4afe4e563eb8dc956b23b66db322a40316e44a2c7b540b0940be0cf60a7c72138e2bde98e

Download Submit
\Windows\SysWOW64\nodf64.exe

Filesize
192KB

MD5
a1af673b0245ce311e8ffeb2b607cdc9

SHA1
6e47c5c9dbbdce2410d70c42422e3380b929deb9

SHA256
392f3ee58c9aa4d5830f4ee5dd08e5decd700c07054023097e6da3361dc5c9be

SHA512
fe60a8c78b1a6fb5067c9c18db520e20b9ff2d88d89203db7ac587b136539bc0633c8e9a91b0510499b31891bca997fc149d58e7a1036d1191dd4e3313eb533c

Download Submit
memory/464-1120-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/772-411-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/772-416-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/772-426-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/772-292-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/772-414-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/772-419-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/772-291-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/772-420-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/772-421-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/772-422-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/772-423-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/772-425-0x0000000004430000-0x0000000004432000-memory.dmp

Filesize
8KB

Download
memory/772-424-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/772-418-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/772-413-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/772-415-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/772-432-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/772-417-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/772-410-0x0000000004520000-0x0000000004522000-memory.dmp

Filesize
8KB

Download
memory/772-346-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/772-409-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/772-311-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/1160-847-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/1872-1364-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2228-137-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2228-126-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2228-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2228-1-0x00000000007C0000-0x00000000008BA000-memory.dmp

Filesize
1000KB

Download
memory/2228-10-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2228-119-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2228-11-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2228-120-0x0000000004520000-0x0000000004522000-memory.dmp

Filesize
8KB

Download
memory/2228-121-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/2228-123-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2228-122-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2228-124-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/2228-125-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2228-127-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/2228-128-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2228-129-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2228-130-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/2228-132-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2228-131-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2228-136-0x00000000042F0000-0x00000000042F2000-memory.dmp

Filesize
8KB

Download
memory/2228-0-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2228-147-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2228-146-0x0000000004BD0000-0x0000000004F8B000-memory.dmp

Filesize
3.7MB

Download
memory/2640-275-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2640-268-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/2640-149-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2640-157-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2640-279-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2640-269-0x0000000004530000-0x0000000004532000-memory.dmp

Filesize
8KB

Download
memory/2640-271-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2640-272-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2640-270-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2640-273-0x00000000044C0000-0x00000000044C2000-memory.dmp

Filesize
8KB

Download
memory/2640-278-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/2640-283-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2640-277-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2640-276-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2640-158-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2640-148-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2640-274-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/2640-284-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2640-282-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2640-290-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2640-281-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2640-280-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/2640-289-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2640-285-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2900-710-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2900-704-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2924-568-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/2996-991-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download
memory/3068-1245-0x0000000000400000-0x00000000007BB000-memory.dmp

Filesize
3.7MB

Download