lumma | 62bd169a33d75b7f682c786a8639cc867d4be43628def65757c31c1efd5c4905

Analysis

max time kernel
133s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2024, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

13.8MB
MD5

c2e7bc36cece182777218c4ecf80221b
SHA1

efa9720f1f9958df679b20a855a0c1d462204fcc
SHA256

62bd169a33d75b7f682c786a8639cc867d4be43628def65757c31c1efd5c4905
SHA512

e83a89f7f9eba92deccbc772b43d99021d0715c7d29a8ad5f212ff289ca1d787bd3a1ba383b429ef49459363393d88b132bf722ec4514087059106fbe6db029f
SSDEEP

393216:+1ECk1gOQf/BvJ5+zrGPdBgNNmH+SS8XRzS9JJ4EybE03:zCk1GBhIzsnS5SS8XRzsJ1yA03

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://wollfsoaisvz.shop/api

https://potentioallykeos.shop/api

https://interactiedovspm.shop/api

https://charecteristicdxp.shop/api

https://cagedwifedsozm.shop/api

https://deicedosmzj.shop/api

https://southedhiscuso.shop/api

https://consciousourwi.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 4 IoCs

pid	Process
1896	Setup.tmp
3500	Setup.tmp
2108	file.exe
4216	StrCmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1896	Setup.tmp
3500	Setup.tmp

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1200	tasklist.exe
4940	tasklist.exe
4948	tasklist.exe
4212	tasklist.exe
2632	tasklist.exe
4100	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 1624	2108	file.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\temp"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\temp\\StrCmp.exe"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\temp\\StrCmp.exe"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	Setup.tmp
3500	Setup.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	tasklist.exe
Token: SeDebugPrivilege	1200	tasklist.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	4948	tasklist.exe
Token: SeDebugPrivilege	4212	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3500	Setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4216	StrCmp.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1896	2828	Setup.exe	73
PID 2828 wrote to memory of 1896	2828	Setup.exe	73
PID 2828 wrote to memory of 1896	2828	Setup.exe	73
PID 1896 wrote to memory of 208	1896	Setup.tmp	74
PID 1896 wrote to memory of 208	1896	Setup.tmp	74
PID 1896 wrote to memory of 208	1896	Setup.tmp	74
PID 208 wrote to memory of 3500	208	Setup.exe	75
PID 208 wrote to memory of 3500	208	Setup.exe	75
PID 208 wrote to memory of 3500	208	Setup.exe	75
PID 3500 wrote to memory of 5016	3500	Setup.tmp	76
PID 3500 wrote to memory of 5016	3500	Setup.tmp	76
PID 5016 wrote to memory of 4100	5016	cmd.exe	78
PID 5016 wrote to memory of 4100	5016	cmd.exe	78
PID 5016 wrote to memory of 4928	5016	cmd.exe	79
PID 5016 wrote to memory of 4928	5016	cmd.exe	79
PID 3500 wrote to memory of 4652	3500	Setup.tmp	81
PID 3500 wrote to memory of 4652	3500	Setup.tmp	81
PID 4652 wrote to memory of 1200	4652	cmd.exe	83
PID 4652 wrote to memory of 1200	4652	cmd.exe	83
PID 4652 wrote to memory of 2924	4652	cmd.exe	84
PID 4652 wrote to memory of 2924	4652	cmd.exe	84
PID 3500 wrote to memory of 4620	3500	Setup.tmp	85
PID 3500 wrote to memory of 4620	3500	Setup.tmp	85
PID 4620 wrote to memory of 4940	4620	cmd.exe	87
PID 4620 wrote to memory of 4940	4620	cmd.exe	87
PID 4620 wrote to memory of 668	4620	cmd.exe	88
PID 4620 wrote to memory of 668	4620	cmd.exe	88
PID 3500 wrote to memory of 2184	3500	Setup.tmp	89
PID 3500 wrote to memory of 2184	3500	Setup.tmp	89
PID 2184 wrote to memory of 4948	2184	cmd.exe	91
PID 2184 wrote to memory of 4948	2184	cmd.exe	91
PID 2184 wrote to memory of 5028	2184	cmd.exe	92
PID 2184 wrote to memory of 5028	2184	cmd.exe	92
PID 3500 wrote to memory of 784	3500	Setup.tmp	93
PID 3500 wrote to memory of 784	3500	Setup.tmp	93
PID 784 wrote to memory of 4212	784	cmd.exe	95
PID 784 wrote to memory of 4212	784	cmd.exe	95
PID 784 wrote to memory of 4988	784	cmd.exe	96
PID 784 wrote to memory of 4988	784	cmd.exe	96
PID 3500 wrote to memory of 4524	3500	Setup.tmp	97
PID 3500 wrote to memory of 4524	3500	Setup.tmp	97
PID 4524 wrote to memory of 2632	4524	cmd.exe	99
PID 4524 wrote to memory of 2632	4524	cmd.exe	99
PID 4524 wrote to memory of 4576	4524	cmd.exe	100
PID 4524 wrote to memory of 4576	4524	cmd.exe	100
PID 3500 wrote to memory of 2108	3500	Setup.tmp	101
PID 3500 wrote to memory of 2108	3500	Setup.tmp	101
PID 3500 wrote to memory of 2108	3500	Setup.tmp	101
PID 2108 wrote to memory of 4216	2108	file.exe	102
PID 2108 wrote to memory of 4216	2108	file.exe	102
PID 2108 wrote to memory of 4216	2108	file.exe	102
PID 2108 wrote to memory of 1624	2108	file.exe	103
PID 2108 wrote to memory of 1624	2108	file.exe	103
PID 2108 wrote to memory of 1624	2108	file.exe	103
PID 2108 wrote to memory of 1624	2108	file.exe	103
PID 2108 wrote to memory of 1624	2108	file.exe	103

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\is-J1TNU.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J1TNU.tmp\Setup.tmp" /SL5="$601E0,10143287,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\is-HS9Q6.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HS9Q6.tmp\Setup.tmp" /SL5="$701E0,10143287,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:4928
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:2924
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:668
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:5028
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:4988
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:4576
    - - C:\Users\Admin\AppData\Local\infusoriform\file.exe
        
        "C:\Users\Admin\AppData\Local\infusoriform\\file.exe" "C:\Users\Admin\AppData\Local\infusoriform\\OinkCrust.a3x"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\temp\StrCmp.exe
        
        "C:\temp\StrCmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-J1TNU.tmp\Setup.tmp

Filesize
2.9MB

MD5
6503a172502e252a5f5f96bd2e8e6cd7

SHA1
10f85c242ffd8997c1e46e9b1afef3f04e5f73bb

SHA256
da584a9a7ff4100f97b3a07f323c49fad89512c251d5e505ba501fc1e131b3b0

SHA512
2e62f589f453c2bf252c00c6ba4b2c3e82a96c84d62db703bffe9e768da69ec67e2785cbaef6b577c7d22d7ec90d1dae36347a8d2eb3a3b1ac4bb83c001cc679

Download Submit
C:\Users\Admin\AppData\Local\infusoriform\OinkCrust.a3x

Filesize
494KB

MD5
089ba3f8c49e5c5656baa22951dadaa7

SHA1
15d24c50c7c41700b57673a85d82cf337a872648

SHA256
d1c39c1a5bb19f5ba4ef36cedbd3ad1c8cafc83e658230c0efd77b105510bbae

SHA512
0d4c8e374a44248fda567d7449fc8b76282e0c9341f7dc47c8887e6ea7cc085e54429079829b8cfb745aef53c1036772255774614ddeeec3baafa7600474e174

Download Submit
C:\Users\Admin\AppData\Local\infusoriform\file.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\temp\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-LCJ7N.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/208-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/208-174-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1624-181-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1624-180-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1896-6-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1896-15-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2828-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2828-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2828-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3500-172-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download