lumma | hxxps://drive[.]google[.]com/file/d/1Vw7SUKVxO1lKgMkEdq2KMOXZXSwwHU_b/view

Analysis

max time kernel
127s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-es
resource tags

arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-08-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Vw7SUKVxO1lKgMkEdq2KMOXZXSwwHU_b/view

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://twilightsizp.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://caffegclasiqwp.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 4 IoCs

pid	Process
4340	Main.exe
2156	Main.exe
4064	Main.exe
4576	Main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
9	drive.google.com
10	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 1968	4340	Main.exe	119
PID 2156 set thread context of 3016	2156	Main.exe	122
PID 4064 set thread context of 1580	4064	Main.exe	125
PID 4576 set thread context of 3492	4576	Main.exe	138

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689981203833765"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	taskmgr.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2916	NOTEPAD.EXE
3956	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe
3836	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeShutdownPrivilege	428	chrome.exe
Token: SeCreatePagefilePrivilege	428	chrome.exe
Token: SeRestorePrivilege	772	7zG.exe
Token: 35	772	7zG.exe
Token: SeSecurityPrivilege	772	7zG.exe
Token: SeSecurityPrivilege	772	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
772	7zG.exe
2916	NOTEPAD.EXE
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
428	chrome.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe
1376	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 696	428	chrome.exe	84
PID 428 wrote to memory of 696	428	chrome.exe	84
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 1756	428	chrome.exe	85
PID 428 wrote to memory of 3880	428	chrome.exe	86
PID 428 wrote to memory of 3880	428	chrome.exe	86
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87
PID 428 wrote to memory of 4300	428	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1Vw7SUKVxO1lKgMkEdq2KMOXZXSwwHU_b/view
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe0545cc40,0x7ffe0545cc4c,0x7ffe0545cc58
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1684,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=376 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4736,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5000,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5128,i,13296868492871851469,13218026700440104188,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3836

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2928

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap5306:66:7zEvent7177
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1364

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Main\Instruction.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Main\proxy.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3956

C:\Users\Admin\Desktop\Main\Main.exe
"C:\Users\Admin\Desktop\Main\Main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968

C:\Users\Admin\Desktop\Main\Main.exe
"C:\Users\Admin\Desktop\Main\Main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016

C:\Users\Admin\Desktop\Main\Main.exe
"C:\Users\Admin\Desktop\Main\Main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376

C:\Users\Admin\Desktop\Main\Main.exe
"C:\Users\Admin\Desktop\Main\Main.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4fa397f324207bd68c9be7649d6e7d8f

SHA1
9013c5116938b0b151ec1073678b48320a9baeab

SHA256
3edc2d1bfa38159b2a3c7e15531bcf616e82f730309de9e89a25655411a06922

SHA512
b4194f8488ce43f2720f45ab70603b91af5b862c32cdfcf5dabc14f35fe3af871a2129a8916110bddbb12db765ff16eda2120a515abe290d7e99f3cf26df77e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f63523a88571b74ca11f942be365a203

SHA1
1680f69bc179f1420c2dff11205f2b9ac5081c95

SHA256
a70c283342ac4d821042733f4bd6645364b02470d7d564c68b1cc4f3b68210eb

SHA512
e43041790257e54514feb97a3df02eeb04215451d9cabc8d06c044a2a9e14cf10d587efeec88b01c863635db292f5d920bbf5239f9033eea671e2c668ed0980b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7d98a292745951513c7fa44dc38c3a27

SHA1
b15f5ff39108dc97582602b34c100c16e9f64770

SHA256
46cec6b069abbdfe8adf5eb917e67511a72e80760c9696903f3a00f34bd58a49

SHA512
307064e859a093e2f81a8cec423089c68910f0517095f72dfdd8eb51259f701ac4089def2513cd7f3f3a11afad693b007711bf898bc85a8482fdbe48f830cbd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
7a0e6d4495c22a39183e70cbefa9734a

SHA1
f824950b18213282f2de1876215bed195ef0d1b4

SHA256
605749316a79a233b23fec2e88b70612f41aa65b520186c7bf3b05d7613022d8

SHA512
55db64655485dfabcab36aef5b9c3294cabc4e028487f72b82b9f638e51e6b72d184343dc19e8551770bc978f82211e7fc8b50fe241f64cdcd7706514504bcb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d5d104625bb14cad6a270c8c32d1e10

SHA1
27ca5065560cddc0f3fdc36e9c9e6e721feb31d8

SHA256
432541e3872451a1738c58ab15d31851f9e1b5b3808fcf68c237547e90355f2b

SHA512
b48ac11144c53a5b33ac7adb5f80d10f932320bc589b4e8e12551a372c6c22894788f4e3db1ac350cf06a076e19ae7441d069a25219c1c829d068ef7c28da52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8b3199961c77bf1ce69d2e9ccabd091

SHA1
c500b6fbca1b6a2b637487ecac4dfb0f8fdba6de

SHA256
e43132d15b1e87daeef0df54a0184d798ae1eb3693d80b20a1d8e58415001363

SHA512
7bc488a87c56560e83595a78db9d7af7f27cc02aac3d73f10454d5d416fd9a29f0268415ab7780d0a18be4d7e6a728721fad0b6bd1ff6e71ec7fa890a4947d9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d88aaa1380794393c62f102da2bb4c14

SHA1
5ccac49df876b0f3bf5227ba37d45730634043d7

SHA256
7567129098490ff2e3cfa11753c04c49e254a453c6ad9ade99ea46625547b54a

SHA512
72b22d47cdc3b9e90022dc623a81c2611bb97df4059f8493bf03f3b2692513e867ab574f06520d31741826d9eb40f4d03450c1041ef69f7487480dccbde2b74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
942507316e1d01bc8cdb29ea3fff37c9

SHA1
52f31ba64ac0810d4e11d1592f8638528f522838

SHA256
c09331e5840ee80d3c9e4e7e4417b1da067651d6aa77f0b048bf86f41142d92f

SHA512
beb85b62f67b648cf3e789b2274d579b6a53a9764168f9065b7e41f8d3abd422ce79cf1cb4f51a6121486d7d4ec4b72ca865ea674131018ff3f35578d9fb394b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0364595b4d30f5ad3fec2d4b5671c40d

SHA1
fdc8759895d36c6f57c016f629bea91a71a61279

SHA256
3c19549d8c2c34c15524c544ce0b290a684c12d92d01dcd439832032214cca59

SHA512
89120a299ec9c543a04b5da9cf7b2204d5570386e28c8faf7792eb8f3879bc5610e8c5097eba10e71e4ec07e92f177e75dfd09b0eb7f0d58926ea7bdab25d8a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e70af03008315253123cd133eef5460b

SHA1
b1a3624f95a99b2d98a0cad9e6a4ae38fec3cb18

SHA256
8a7d94345dc3da365c73aecb43a03cb07d238d009ccc160ff7d8c65a50f042eb

SHA512
60d68089b108418f63cd70d20793058e24283654e103e5030e53e65d59870bc9f2440da60e3a28e1bcc69039573639288ebafb10d76fe11324c694221069ac81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
072ea91217b7bc1495c524e7fc2f7b50

SHA1
7dcec2e9cd371d9a1b5a59395543978f1d62e5b6

SHA256
8915216f9cdf764cda9b03e83a3095a4e170b972a9c7f120f33de5c441606f33

SHA512
649cc6a9e901cca09d98d98aea906db31fd8097bf98ae03adb52b2c3ea84ce78c09ee0409d83ff483533be1d5eb83c198bbf707f5a0528a34673918994f4b97c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d4b969df5b88eec3fec08464b2ded8b

SHA1
a1a63141808f956d9ac188c0930895e9d05b8f03

SHA256
18e026bcf73cb308607f36dd0b85156ca68eb1dee3250f9cb5c6f5bc7d76d2e3

SHA512
66fc7ea2aeb58ed84c1815335b352914293f9d525d1fafa3c9b940fa369cf39378e4116bcf1f107c14a76670fa7bec27af36d6b634294d1749ad27e72f90ed0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7827a82ac0d60e2491826fc11b04facc

SHA1
58915382a89b2c8925072d2d7e1d92aa0c307421

SHA256
f6f2e569744ef2d8afb536bbb5a198c6e01d0fd16fffed143814015f68e40f11

SHA512
5ba60ebc0359b8e9997960f907913c83fb9b34cfe4dedfbdd804c168c8d53d8e244909ad81b972ad722d50e75085d10b8d4196d83c231121796c83f6fbe5fdd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1b4b4196621bf2afd561741ae76b6cbb

SHA1
39f05cf3cdde928a9f9e1da8ac45bbbdf74279ad

SHA256
298d3a83a430f602037fa7d6d14b585ae24d465dbbadf22b36f1f1c57b93fd01

SHA512
1e397bac2439107fecb4fd2bb403ffa03e56400ff131bf46bda1e4c4e693f5d59a01c980576d3e75f0552ac8456e195e661b48dd5f47d12a98998044ef88500b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
f59d4c322da6a09e4d6313c55b46fbcb

SHA1
453af420516a57ae7789aab52fab55a66f19aa96

SHA256
771e5d59ddfcab8488069aecded1b57d4c38fe2631d0e6e9f2c646658286a695

SHA512
2496d357292fe694e8a41b8b2888edbac325fce30c197f64bf02ca6228bcfd8799fb04df13f730e65918a478e42df3dfeb1671539a186a7f871253f11881a6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Main.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\Desktop\Main\Instruction.txt

Filesize
98B

MD5
607c2ea855554986a7d5cd12be8a5680

SHA1
77fff96bbf55a4ff66c085e4c3892fd44a31089b

SHA256
ea239113e89243b6420400812dc8e7f802531589f03d86a4ab17700daf65ea53

SHA512
06c22c7c13cb75bee2e6b48f542f96c8c64d6fa1d2c2a496d590791f2cb00be1713f7df1f8e1c2990bc96c6f0942f919bec3faf2a05e36d2eadea04c469626c6

Download Submit
C:\Users\Admin\Desktop\Main\Main.exe

Filesize
280KB

MD5
84267a613161a435ed534ab781850d81

SHA1
ec4a40a77c0d4e6438e68c4c387742f144a2028c

SHA256
4b784fae6cdb17f5a187a546b2d11f2d6ae2dd8a70d3803dd307c65b517e264e

SHA512
8a5b23cbc5b6e694a2837dbbc4bdec70ca37317de0a62c504bc27cd3afac4d73476daaf6c8ac5ed5f098d82c418065601f45f6f3fbea2acf0404ed41f5a3b677

Download Submit
C:\Users\Admin\Downloads\Main.zip.crdownload

Filesize
304KB

MD5
18c132835e24d15282848e14b2d644a3

SHA1
264a74e264a1088adb302dacf237841a6b652d6a

SHA256
9b93e404ae3755e35478e323aea047807d281ba5d32f8ee23b9b8b0eaf04bb97

SHA512
a79e14008b25b8b831af1c4ec894571c41eab26855f683302df467b92b4f7c793dbbf97e4ebd685c287b60c9f510d835b896e552fda41303b1288a624dcee9a5

Download Submit
C:\Windows\System32\0zy1bv.exe

Filesize
7.2MB

MD5
f6d8913637f1d5d2dc846de70ce02dc5

SHA1
5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

SHA256
4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

SHA512
21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

Download Submit
memory/1376-187-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-179-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-178-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-189-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-188-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-177-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-186-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-185-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-184-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1376-183-0x000001CEA69E0000-0x000001CEA69E1000-memory.dmp

Filesize
4KB

Download
memory/1968-147-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1968-149-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1968-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4340-143-0x00000000008C0000-0x000000000090C000-memory.dmp

Filesize
304KB

Download