Analysis
max time kernel: 93s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 06:27
Static task: static1
Behavioral task: behavioral1
  Sample: 85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: 85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe
  Resource: win11-20240709-en
General
Target: 85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe
Size: 108.0MB
MD5: c2486568ba1d5f2c84467fcf7f2be9c4
SHA1: 5735ab8a8191e8f953d3a8915a32b26095e63a6d
SHA256: 85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab
SHA512: fc7b468026fbf813eba4aa31202d05055b5c064bf102349c95829dc789987291dfdd4bd92d8621974beac75306b314c8d606c1198ad8fab52daee5cff8c3f528
SSDEEP: 24576:a90Ig9VOqzxDifmgEtYI/yt39qCC0ts64iNh:7PxDiMP/ytMCrts6Rh
Malware Config
Extracted
lumma
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation
  Process: 85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe

Executes dropped EXE (1 IoC)
  PID 3556: Stockholm.pif

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  PID 4400: timeout.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2784: tasklist.exe
  PID 3308: tasklist.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3556: Stockholm.pif (recorded 6 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2784: tasklist.exe
  Token: SeDebugPrivilege, PID 3308: tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3556: Stockholm.pif (recorded 3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3556: Stockholm.pif (recorded 3 times)

Suspicious use of WriteProcessMemory 30 IoCs
Each entry below is recorded three times in the report.
  PID 3680 (85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe) wrote to memory of 3172, procid_target 86
  PID 3172 (cmd.exe) wrote to memory of 2784, procid_target 88
  PID 3172 (cmd.exe) wrote to memory of 2288, procid_target 89
  PID 3172 (cmd.exe) wrote to memory of 3308, procid_target 91
  PID 3172 (cmd.exe) wrote to memory of 4108, procid_target 92
  PID 3172 (cmd.exe) wrote to memory of 2528, procid_target 93
  PID 3172 (cmd.exe) wrote to memory of 1900, procid_target 94
  PID 3172 (cmd.exe) wrote to memory of 4464, procid_target 95
  PID 3172 (cmd.exe) wrote to memory of 3556, procid_target 96
  PID 3172 (cmd.exe) wrote to memory of 4400, procid_target 97
Processes
Depth 1, PID 3680
  Image: C:\Users\Admin\AppData\Local\Temp\85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\85a2663d50db7dff03da346ca9d01f063b135f92ebd02a5f0166136a012305ab.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Depth 2, PID 3172
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k copy Invision Invision.cmd & Invision.cmd & exit
    - Suspicious use of WriteProcessMemory

    Depth 3, PID 2784
      Image: C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    Depth 3, PID 2288
      Image: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa.exe opssvc.exe"

    Depth 3, PID 3308
      Image: C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    Depth 3, PID 4108
      Image: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

    Depth 3, PID 2528
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 622814

    Depth 3, PID 1900
      Image: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V "hophierarchychildrensfour" Close

    Depth 3, PID 4464
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Figure + Giant + Realm + Weapon 622814\e

    Depth 3, PID 3556
      Image: C:\Users\Admin\AppData\Local\Temp\622814\Stockholm.pif
      Command line: 622814\Stockholm.pif 622814\e
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    Depth 3, PID 4400
      Image: C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 5
      - Delays execution with timeout.exe

Network
MITRE ATT&CK Enterprise v15
Downloads