Analysis
-
max time kernel
421s -
max time network
420s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 12:20
General
-
Target
https://github.com/darkangelveron/darkangelveron/releases/tag/v1.3.7
Malware Config
Extracted
lumma
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 2 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 9 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 24 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/darkangelveron/darkangelveron/releases/tag/v1.3.71⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc596046f8,0x7ffc59604708,0x7ffc596047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6256 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6096 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2224319302731808172,2088818820700577253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\7z2404-x64.exe"C:\Users\Admin\Downloads\7z2404-x64.exe"2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\installer_v1.3.7\" -ad -an -ai#7zMap16277:92:7zEvent250151⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 6082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5712 -ip 57121⤵
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1842⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5388 -ip 53881⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 6242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4424 -ip 44241⤵
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 6242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4944 -ip 49441⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\installer_v1.3.7\password-2024.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 1842⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6052 -ip 60521⤵
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 6042⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5772 -ip 57721⤵
-
C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"C:\Users\Admin\Downloads\installer_v1.3.7\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 6242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1188 -ip 11881⤵
-
C:\Users\Admin\Desktop\Setup.exe"C:\Users\Admin\Desktop\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 6482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5668 -ip 56681⤵
-
C:\Users\Admin\Desktop\Setup.exe"C:\Users\Admin\Desktop\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 6002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4804 -ip 48041⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5fe487725998a00de2ecd41b1357ca0bc
SHA1cffe7d83767b3334533f9525bea67e34dcb2b632
SHA256e0625e017c02038cf25b60d03f3c46da44b4232bf9c664cf30bcf67af81229b1
SHA512173191f2678a4e73457ce4a4008c432080e050004fe034f93cf05281be6be670c54e0c37f23b90d4f9f6cce4de82fbff71cec817bf301d4d84405ea238f1c730
-
Filesize
1.8MB
MD529f6d49053de1408586f48681864ca5f
SHA11071e887849cb92776f4a6d4cb6d0dd1ec264b65
SHA25684d2bcf774aba77e938d3f36bfe020e0d49cfb3074ad9de69b5af78054602b7e
SHA512dcdb5252e660b0d186c8db508db3fdaab22d33bc20dcaca2b41d5d5e64d5780b25f2242389227ddefff96978f373f89942389673c737b3102778982b91ca6f32
-
Filesize
691KB
MD54a8614832d2512e1b1cf73051f083185
SHA1da8b5fbc538cfc186dde7292dc17f4580b789c4a
SHA2562f4f3768ca8f50f9a8882a7ac99aa95513f26fda7a41ce8c7971735d9b7ce920
SHA5124846340d1726f14b9a932e032d914e15d7122dc5b24c12f63ac4b9b04ada46fe7a83551870509720be39e67abc6e7d27499fb853b4df5871253b26901c2d6e55
-
Filesize
152B
MD53d9da931f98579d9af12b0cddeea667a
SHA15f02b023ce6b879af428b39ce9573f2343ef4771
SHA256ae100e49b8a80ae8b977141fca8c9d0b35112f92af89ebe4dc5dbf2b1311fff0
SHA512bd338bf14893d2c2f529eb0542b6b82e2beed5614d449c4147a87067f6ba1ff8d7bb178ad56d7b1491acd9d08d5bac5d1906160cf14998a13957117967a28680
-
Filesize
152B
MD5e95d45b99ee46b05441be74a152f3af8
SHA176adb523ca3943c8eeb4793a7daaa1f27cbab7d4
SHA256435d76228edca3be83910f980b82f508e25541918fc3d7c4278a77307c880fb0
SHA51235ec6bb16d0aba61622e6c9c8d1d4823b8d3e13644ab0b849cace25e0ed2adcf3cd98f6e7e7a24be8c64e360ea3be71523ed12d3c061d88eaa24276bfd91da80
-
Filesize
24.9MB
MD58059cdf426007a7da34b044decaed17c
SHA1a298c596cc09b1b727be9afc4d19034551347073
SHA2566c2a40998028849e7f033918065886102be34e9674e17c7d9db6f3877bc85a9c
SHA51269cbdd5c38683a37e14491373dafdea7740240f95bd02576d4d27c28597e71116f5ab2804d86ac3c7d6b56ae47147566d5e0aa3184250044f159093ae837e26f
-
Filesize
1KB
MD520292e85844b106cd9388dc71f23b069
SHA1ba180efb325561a16266dc0327df4206d8444e1a
SHA2561d802b8866a6497c51475acc03cb065b947d0ae5f4f0c573f6b969b950067717
SHA51269ad5694f1e9b5a4b55e6dfc30962308bb14df4d5ccb9bbca11ea8aa01e0671e4121e25e6ba6faac256a8900ea8689e4db79954f16e918f9ae2ec5bb9e5dec29
-
Filesize
3KB
MD53ca4038bf1b6635b9a52a302e59a5802
SHA16380471af79624221a6aa94306b03fbd1101d229
SHA2562f89d7e173dd44bdf5f27899ccab9361c99983d40679a6456ae7fd5db4fe8768
SHA51213f8cf4a8fc13669f3467162c282fa63dc8524725c4de3c4916c2f56d617b25956c0940fac5b918506ae566222f20616e76bae3a69a6feb86dfb5a5688943bbe
-
Filesize
1KB
MD5d3084d5362dee2943132f0661f873c69
SHA16c63a29254d1e6a5210c57699e77c97ac7004eda
SHA256eb9eecd9dd83137b330365990cff2c9726899de7acf875ef324a5dac8ba33302
SHA5124e07fee29071aa77bd0e32b271ddd7101dcd9c6f2a4071cb9e6121620d7ca78425b3c9dd42336bb968e8952b52ab0efc44bfcc86c3af9cb341f9e804daa45d72
-
Filesize
1KB
MD5395c0bad692a077864a6dfad85e9a797
SHA13cae039dd16b5199cb2793df6d2129cc1c9c2e34
SHA256def35b402d717e5efda4966702212fb5a7ba27f7231a2fb1a201f39b8995735a
SHA5129b2f2c308453576c9582ca263a80bb20ebff4b4bbb2f229a3d5df031c5f8cc17daf20599d6c36b5da54f0fdeb6f8933ff470b6e348a9cd070bbca87be3a5c05a
-
Filesize
595B
MD5afccf57f06470c3226d45bb05b413a90
SHA10c678e8d5c07133c9bf3bd4512063c6cf28be0eb
SHA2564cc6ad8a2ab618d434299eed64a1263041aa9f4fcf657c7624e77345ddb28c06
SHA5128f1ba668de84f5699b76615a832942b3f149c7e4d9b27e02dd7e1ceb574f65397af0794c25e69dd88196aafd8fd9c4cea656764506fea8ba97756d0f3440cdbe
-
Filesize
595B
MD536070d4135b20d0805fdd7391fc0de63
SHA140db376f1a445f56bcc67d73a96bff19c432f99e
SHA25668e824023f77851721bc6a00236af2413cda3233cad79af9b07f691d014b1a42
SHA512afffe04bbd46dc9cce025b3107228eda935d93c478500f1d60647e23df0d0dfc464f00dcd0e6aa40cfddebed69fc9054f149ed425dc4e245752bee612ceb9f9e
-
Filesize
5KB
MD5d8f4dcbcbc0d7b9ad09a10f29c9a3714
SHA149c60c68745c28780fb171680bc8dfadc3570834
SHA2567cef6907c12ce0863a590348fcc4f5e92ec0dbb58ab22f5bb861dba6066349b2
SHA512228744abdbbc81653b16a80d2c3997f7113e5929af80149f2e2e82ed6c7d29742a07547b9bae27046eaf39ff710d6d92cbd84135aeb4aca765055a7bb27242ae
-
Filesize
6KB
MD5e0eabcf940df5f793f3b1a1bfea1ef09
SHA173e312aa9794a7eb6b8ce7759f3e9a72f3089277
SHA256095b02d2a7e91f13782c31d6285c3ff02184a6628e8bf1e27087f2baacc0855d
SHA512af587e8129224963e6eab301861ff7cbfb1e09932d270e705289cb0668cb40ae7c3ac014579b05d9d8268328a22e714def7bdb546382ba05266fd269ee2d92fa
-
Filesize
6KB
MD5aa09d8bf8470f9400fa139d140d11baf
SHA10b49797dfaf2346a2cadf17e246b7890386fef31
SHA25661a3328b1375c995e274822c5ebb616aa61b5cfeeee7569bb80453f5232a6a9e
SHA512f8f0e76df4b6e7d5017a208cb0cff56074b0b23847c929522f7905e3d59406b08912378f22159a742ab2f0d0380c79029249ff6e2bf2ecc1eb62d3f5eeef9a60
-
Filesize
6KB
MD5b4cb70898e6836bfefa102bbc7da18aa
SHA1023a1f8c2e01fa5a41878a0de6bd6a21ea53385b
SHA2561c7382c35dffdc632add0f763c37699ec33247c54843520afb498f7fd1d20325
SHA5121df79f3c18395e966a3f37b0b56631d21fe0a6d75ec7a99137183c52d847ccb7ae7e99b185bfc13cd6d54ce84c9d2ac4307ae3f54da91633df519a458a8e1655
-
Filesize
6KB
MD56c41fe9512edcf90d01b6228d9159139
SHA103b8f62ca676bdd82601a070439764f77d2bbbe3
SHA256db6e62b850cf12ddc6322502877cf2e58e58254114b418f384c8f8bcc638f8f9
SHA512d857b77bb93f4fd68e1d311b29fc4634f51143f57d32ee4b2a1bd7c1b654c6122abb4e3e6d6517f3a1daba7e0c11a0a2b2bae379ecb06a51ca7ea463235823aa
-
Filesize
24KB
MD5576e83c1432aa0b2a97b98e1e603ee45
SHA1b8ac02412b03cf249f4943bbd85ebbd85f3a8889
SHA256a14ba96dfa9b38b9981de1b12529c08bc3e884cb7ecae60f6a3c5418dafd736e
SHA5123c763bdcccfdf9415cbec63269cf3d88666ed9231143cb002f813ebbcf0d8e2d21d87e179c37bd9f2d35dd0abfe8b9f018ba81c2e1b01699cfc5a8d6f9139266
-
Filesize
1KB
MD5546d0b0d7f88c571bf4679d54216b6ce
SHA1105e38de0c2e9c6b37e897371b49173d8a20a0ac
SHA2563172ce5e8346ab3327b78cc8a3ca3156568024b632bdff01385b9780824e3bc5
SHA51202fac98ade01c2262e7e5bd3b7aaa3ae15b8e95e2e5c34d7d5acd52abc48125a1f97c5dac799b38b144820f11a7614839db6e6d75ad122d3837c430fb176e45d
-
Filesize
1KB
MD5eae3ee7df47194adcfab372ee93914e5
SHA13eec2810a80bf0f7a074ef0dffb1a9e3a5e44971
SHA2560efb3fa1fb79668531eda80d019de05f6896986199b415423b978eadd9c6e3f2
SHA512754e1b893605bee5e11aff36d3b88c3cdf04d44432c25440c597bc5bf1c5cd2ea73c41ef1850c8335e0b8f3f4557a9fcafa44fad685327fed5969196e94f5265
-
Filesize
1KB
MD55b97c561ad1b78e3914854e8b5215952
SHA12bf2d41e04cd986187487f41c6f50010472abd69
SHA256f06c03d9652d7cc8c740d923e6c8b4bc8390412f8019ff277367d2a812bc4e0f
SHA512ecb4164340243ec6d0598b95ffc8c6c774d42bbb15b6995b4cb8172c880703fa4543bf51f3d5d2693ba1703e480190509fdbbcef3356db4e40d8db6b45e84c6b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1KB
MD5675c4ede44e5577b6acb5721b7b9f62a
SHA18a3693ec0d054e928c145a2b47da30f1b0895d88
SHA256e8bb7d2d5892543944b1964012154763cd34c1ce01fd725c2aa2fb6418a67b51
SHA5129918bbb64618be7ddb94d8d8f60ca981d601619472be8d939e8103704a01bde78ee203e2d988c703ba2264afe2d2bb0cb40255593ab32abffda3c0d38bb8338f
-
Filesize
11KB
MD5786330a61793fd32e8ca085adff03aa8
SHA1b84f84b15f387d45751b1bf1f12a45b24fd558a6
SHA2568c9d5b190ea4984ff55381aebee6b13a4109cba12d241c3ed9d5329d6357d3df
SHA512af5663938349d1c164ee88e4460d2f4f2801ed439752c215a9fbfe8ba9900d865226d1afa936ece1ddd0eac97ed0c41e077b60d24dd87c4b6bb3675ce9e42e8a
-
Filesize
10KB
MD5f67fb6808b2471e7f9826251cbfdc8b4
SHA1665a9140ac1d083ef1b60372de73b649bc3d09c4
SHA256689865b055556a7ca3f94f6ad842ea1aa5c4299de9e94869bfec9df590facbba
SHA5125a32e5371d0a7ae14c3435a61c2418a0581e49c6fe970fe7a796e64c6cae10e7bc5035eb4e284091d0333f88c4d8929cf854750824ae583a2f327b91483a9f39
-
Filesize
10KB
MD5f71bdd27cc32833fff908d46dad8ff3b
SHA10331bec6cecae3af49e247601cfe2ba006b54498
SHA25632232514ac5ff4de4c0e8a7053f6687c763321ede4cf4d3745e20b1307d5ef90
SHA51287f86a6608304d307e6d3bccccfff688808669ccd35f0008195d76bbece87c96498d92560772ac697530ece43583616fa1cf09c70d7c88f479b2dcdcda5051f2
-
Filesize
11KB
MD59ede2bf324a358ba36af84945123206d
SHA140fa8283acc800e670867b78f798b6baaf43e46a
SHA256f668fcbd23f32defbab7f65fa343909baba3b0419ea7b0e7bc70b05b1ef4fc0a
SHA51246b85a1844cc864146c5c0f38bfd553988dff65c1b66d5fb36e84424a8818b98c92b23a467c688ed46763c2a75ea2451030b9f2b68b5b6221a7a8b8c43ab539f
-
Filesize
10KB
MD55f2ee9239c1d282409c8a492c9a5e314
SHA1a3c71f09750a55bbe160814eb0151ea20da5f331
SHA25620a6dddb5eb1b776e220471ffad902cfb2f0e11f44908d1964a3df90f6610a46
SHA5126858a598036e1dd30a90a3991d93303102e50c592c8cbdbf67b04e085661ea5fbfe7201da0e5151c470f907505a6c428a225786b50087a98de008ac6e3924cea
-
Filesize
1.5MB
MD561ba723e67d41dd15e134b973f2d7262
SHA13282a5b7c20c7123ae6168f0c565d19930ffb6f6
SHA2564931869d95ffa6f55788e3b5d92088f3fe590e13532b9d8e811a52e2b377bfb6
SHA512b293d21403e8ac935a0ae8daf27a069b31b3b6c4d078d3966f2411e5df34094f9e0ea50c7fdb118ae7f2e7ca25a3b526f0bc172e769244bd92125858357ce0ff
-
Filesize
1.2MB
MD50edc62a65d1081dc5d7b85b678ab57a5
SHA11e1448bcce4f519920f50e12cbe27b79418036b3
SHA2563ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63
SHA5124ab96c86203104d741c166f1980b04a5e74c1e294b676c4dccaee9eca5308ea729099d7dbfea605b5037181c57c4f870fe0b3ff5008b4f8b2b60ed0f95cc1db2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
316KB
-
Filesize
1.2MB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
316KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
316KB
-
Filesize
1.2MB
-
Filesize
1.2MB