lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Analysis

max time kernel
132s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
1892	main.exe

Loads dropped DLL 1 IoCs

pid	Process
1892	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com
7	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1892	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4272559161-3282441186-401869126-1000\{941E2A3D-CDCF-47AA-A863-C42501A29D55}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\install.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4276	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1680	identity_helper.exe
1680	identity_helper.exe
776	msedge.exe
776	msedge.exe
796	msedge.exe
796	msedge.exe
2352	msedge.exe
2352	msedge.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1668	7zG.exe
Token: 35	1668	7zG.exe
Token: SeSecurityPrivilege	1668	7zG.exe
Token: SeSecurityPrivilege	1668	7zG.exe
Token: SeDebugPrivilege	3200	taskmgr.exe
Token: SeSystemProfilePrivilege	3200	taskmgr.exe
Token: SeCreateGlobalPrivilege	3200	taskmgr.exe
Token: 33	3200	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3200	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1668	7zG.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
1980	msedge.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe
3200	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3212	OpenWith.exe
3212	OpenWith.exe
3212	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2092	1980	msedge.exe	80
PID 1980 wrote to memory of 2092	1980	msedge.exe	80
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4360	1980	msedge.exe	81
PID 1980 wrote to memory of 4608	1980	msedge.exe	82
PID 1980 wrote to memory of 4608	1980	msedge.exe	82
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83
PID 1980 wrote to memory of 1656	1980	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa49bd3cb8,0x7ffa49bd3cc8,0x7ffa49bd3cd8
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,12860599166940678068,2735032593907262098,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1772 /prefetch:8
  2⤵
  PID:3604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9837:76:7zEvent26547
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1668

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\g\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4276

C:\Users\Admin\Desktop\g\main.exe
"C:\Users\Admin\Desktop\g\main.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 1240
  2⤵
  - Program crash
  PID:1696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1892 -ip 1892
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
14185e4fd2df9bb6c5f766b7670ea3bb

SHA1
a50067c226ebe6ad49feb45ba640d85408e02f43

SHA256
ef71d792e6dd786ad2833868b3c227924b5a21a92628f322c925078a7befd855

SHA512
519bc7a773bd020d3ec1e07a983814eddda3eeb08250a648d5e0168580fd5cb5b3e7f1d63fcf49f8fb1733a4e1f1a3b0f4ce547fbb59404be73a444c47625f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f90c8916e7707c86e13f00d508945f43

SHA1
16efc06c39be98105228d672808d1e5352606cec

SHA256
906453c2d6971840b3d2e776a3f6ff0e0546f62dd25e3673db251c36964e03c7

SHA512
eb70406a3abf3fd55f3f27657ffeca413cac041f74a44bd6d6214a48352b51a5057730ef61ad80cfde14f9917d2fb367e7a07d06ac8968cb5087e4336d3e8c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1333c1c933f39c12c7242d601faccb38

SHA1
6ee605a94aa558779a0cc36b7d41623f219fe88b

SHA256
ffc350d0eb56f190e2c3cc7f6685ee4e9a91416e0900cf3f4fc9cb94e3ad1024

SHA512
8c6aeda78d6f36c122d98dbc2ea6dc6b592efa6f8fb7a98957abcff30faee73b2ae6ba8fb97fd6b995f2065554e3f302745ebe7e746e128af39818e89bc63258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
45a54f7a02509515704b091c4de548cc

SHA1
a8d5b01aace5a9aea709219c122c7f189fbd4c2d

SHA256
8d4e8f9f31dbd0528865b7cd8bf9eb912fbb330f223766ed2b45c5bd19ba0f37

SHA512
ef60cde7de31241d38becd5fea8d1c1a6ad6ab189148a39abb9ee293a367d4d1c2746bb42f0bc307387eeb3cb22b954f1adea6bf2e445ceb439cfb4cf3e2fda2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25c9d1e4627323229b42f02c1ca82ee3

SHA1
e22d2e666b55db46162eedb1a50bfed71f9a9095

SHA256
e59b8eecb202ce47337b3d3d4b96ca10bc46b51bd28d183e614bbddea6917651

SHA512
f099357af9ae68e5143c5c452eb6a45d5a4b74dfa2762d5ba9705cf5c4eb6f9de8ab508bf12893cb576161c5889fa6a3c85fcbe8f140115f2a6778da2f60d4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
977fdbc4fed57056d80ef05815aeb9d2

SHA1
773fad16b5cb86c87ba705eb3c0898b96096c71b

SHA256
bcd87f6a2907d6259203bdfc0f3117b01a1319cb9a620c6a0e19dba592543048

SHA512
e2e1d6a2317e7ca0dae064a9b1c73ee86823052a46ee30b15ef31d7064a9b85e58501c86e57671481ab97eaabc46c947513a0b9c9600baa3a2d9fab5c887585e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d038994e567cb60041bc913b72368da

SHA1
87941b8ed79a90835a3adfbf1330980652ab2549

SHA256
c64437d19a7ef9cf4884ec8628b7d29ee9ffd71c712f0c171a8c2db0ac7c5d3f

SHA512
a02d08870f70190f93c4903f102d646c56d94bb5bf2d8781a3fed400e51866c225ada4178c8274f1b292a1b1b26c97b56cd34dd70c4f83664d0deffeefe950b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cec12606d6d615cf6c5dd78174441c2e

SHA1
ba456115e427d8b49f06571e047ae21c6a7f6feb

SHA256
e6cbd7fe96375344c262276b85d292aa5ce792f2787d957ede1ddd74f6395500

SHA512
1f6f08e9a30f7323c5f27f9884c012a4e1e6e892449f2f3dd79b46a4e335a1327b597030834b9cc3c67a36e7cf48b30f669fb676776876a1d575ce0906049980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6be1c28b7761380fd9384824b2185bae

SHA1
d0578e0ffb25b5ad3548ea65bfcd14a8f35386e2

SHA256
958a38edda25cf794d54245a3626dbbf56a7f675a6a55ec4eedbb6151a826608

SHA512
2e0eda6f38ada44b17c15a3fbbdef102ff01ce95ac88d332cc75f3c8e8156dcedc16991f26a6a68ce37ff37b7fc408d9c85e0d8d6309e93f60fd43c0a5f5d08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca9b869a1810a661bec327d917049262

SHA1
20c3f942684090c9acda7c9df9eee3db77c9aa42

SHA256
d8ede85c40c8c131e5729a1053952296b3cde0ccae8f5dc0cf23513c1ba43b68

SHA512
36427be89003f887eb47ca942758da00c42f8c66f9f5d20fc8e87b4806b98f476974c717544fa07e87faf0b1987343fe86ba3777e0ec9db496831a5dc12b6528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58894f.TMP

Filesize
1KB

MD5
ed3987229b272afe64f3964daefa7107

SHA1
e11459e2154bed658bba9453052ba7f9a2a8166b

SHA256
67f7fb83fb6cd8d18597d0919c8e5749a82e003f3da09eb87d1f388f613ab031

SHA512
0aca557c3b37c26ab8be2b3aa53342b73c1ae3990632c55a8360da7cfc0fa69f5bd2ae954ba743550a371cbc976df9d27326af2e1a6d12027e489827b73e7e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb44fca4834142fe70e6450d8beaa555

SHA1
c837d5673b22be12af18ed37b40d0de7395be48c

SHA256
d663c1883989ec157e94caf642190baab082091902005b31afeebe56d6e34a53

SHA512
0c5caa1981dc16bf22266b789afea130c95ecb3d740991e823dd38473823df41fd9d93b96e0054e726997b3802d15b47590cd794603d685189ce907149c12f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c881faacab955be8ef00264f8ea3ab1a

SHA1
089fd2107eaaa37a2837a02d679c5b4e2221dd1b

SHA256
20e26f1f97ee7fbc7437c643e04d13d0202a4b90541200053513221eea5954df

SHA512
79811ac68776b8ae7c290907ff3c00d4652d2481d4b8b22a3bc82b42d6a5e9da44adea80e10d13bb555a64df0703e1e17829c96503c264d4a0b9e2497a984143

Download Submit
C:\Users\Admin\Desktop\g\Tutorial.txt

Filesize
136B

MD5
ee6277d8476011bb2c294156b84c4d74

SHA1
c7fcb8b2ac1a6ba858a4f72f0ae21bcf4c278dc2

SHA256
dfbf6f42ab6d461d1a7533ff30a7c81c80c58704b0933f52c79987e9f66ed95c

SHA512
8f777642a54be57c7022bcdd34005914a0b9ee38e3875ee0a26c7290b04fde619c3a8aab5119de79960fa66b9a79754296516d9a2d87150e1c34bdb0ea30a6ec

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 90563.crdownload

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
C:\Users\Admin\Downloads\install.rar:Zone.Identifier

Filesize
173B

MD5
3b3b5b65739ba297d62a8f4eab72fe83

SHA1
b02ce2411ce7fc6e5def4964580d4ebbb4a39ecc

SHA256
d69901e2df83d13995c7ebbb5d6a63272c20e62a06e54d63222e867dd6a080a5

SHA512
dcb1c613f0c91093a0c8aad760963ccdd3e4d3e096e54e67742e113be8263fa47918b57ca3b9871843ed5958afa928501f38b9e58b1475be9ee07ed292fd9296

Download Submit
memory/1892-505-0x0000000074C60000-0x0000000074DC4000-memory.dmp

Filesize
1.4MB

Download
memory/1892-509-0x0000000074C60000-0x0000000074DC4000-memory.dmp

Filesize
1.4MB

Download
memory/1892-507-0x0000000000E40000-0x0000000000E95000-memory.dmp

Filesize
340KB

Download
memory/1892-506-0x0000000000E40000-0x0000000000E95000-memory.dmp

Filesize
340KB

Download
memory/1892-504-0x00000000002E0000-0x00000000002ED000-memory.dmp

Filesize
52KB

Download
memory/3200-497-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-502-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-501-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-500-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-498-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-503-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-499-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-491-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-492-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download
memory/3200-493-0x0000022779F40000-0x0000022779F41000-memory.dmp

Filesize
4KB

Download