lumma | 6d8a4ad90fe9e228e39f576ed197f0b6461a8a8fb4329cd9fa006f2334de29c3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tera14.zip
Size

29.8MB
MD5

6548d61374d80065810401552665a33c
SHA1

a66fccc4542290776e2cebbd585858d8ebfc4bd8
SHA256

6d8a4ad90fe9e228e39f576ed197f0b6461a8a8fb4329cd9fa006f2334de29c3
SHA512

0eba3a9c3e7237ee5298ee3cf65b62b7196d4e783827a899ed2e99fd81320959e897f0f848a70d3000d1b9c55941e79f89844c63d01dd975951be8c2acc4a8d5
SSDEEP

786432:VggqugvEwiLPoGJQF2kF1xEOGmVU0mGmV8JIcRDqKnw+:ygqugv9+QG3kvGf0mGkcRDqKnw+

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://ohhyhousedmxznw.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
3056	StrCmp.exe

Loads dropped DLL 2 IoCs

pid	Process
908	Entangled.a3x
1756	Entangled.a3x

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 5024	3588	Set-up.exe	98
PID 832 set thread context of 4860	832	Set-up.exe	101

Program crash 3 IoCs

pid	pid_target	Process	procid_target
228	908	WerFault.exe	103
4336	908	WerFault.exe	103
3336	908	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Entangled.a3x
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\rzfc\\ANHOKOIHKJDTDHIVJF\\StrCmp.exe"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\rzfc\\ANHOKOIHKJDTDHIVJF"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3588	Set-up.exe
3588	Set-up.exe
832	Set-up.exe
832	Set-up.exe
5024	more.com
5024	more.com
4860	more.com
4860	more.com

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3588	Set-up.exe
832	Set-up.exe
5024	more.com
4860	more.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	StrCmp.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3056	3588	Set-up.exe	97
PID 3588 wrote to memory of 3056	3588	Set-up.exe	97
PID 3588 wrote to memory of 3056	3588	Set-up.exe	97
PID 3588 wrote to memory of 5024	3588	Set-up.exe	98
PID 3588 wrote to memory of 5024	3588	Set-up.exe	98
PID 3588 wrote to memory of 5024	3588	Set-up.exe	98
PID 3588 wrote to memory of 5024	3588	Set-up.exe	98
PID 832 wrote to memory of 4860	832	Set-up.exe	101
PID 832 wrote to memory of 4860	832	Set-up.exe	101
PID 832 wrote to memory of 4860	832	Set-up.exe	101
PID 832 wrote to memory of 4860	832	Set-up.exe	101
PID 5024 wrote to memory of 908	5024	more.com	103
PID 5024 wrote to memory of 908	5024	more.com	103
PID 5024 wrote to memory of 908	5024	more.com	103
PID 5024 wrote to memory of 908	5024	more.com	103
PID 5024 wrote to memory of 908	5024	more.com	103
PID 4860 wrote to memory of 1756	4860	more.com	105
PID 4860 wrote to memory of 1756	4860	more.com	105
PID 4860 wrote to memory of 1756	4860	more.com	105
PID 4860 wrote to memory of 1756	4860	more.com	105
PID 4860 wrote to memory of 1756	4860	more.com	105

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\tera14.zip
1⤵
PID:1884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2624

C:\Users\Admin\Documents\tera14\Set-up.exe
"C:\Users\Admin\Documents\tera14\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Roaming\rzfc\ANHOKOIHKJDTDHIVJF\StrCmp.exe
  C:\Users\Admin\AppData\Roaming\rzfc\ANHOKOIHKJDTDHIVJF\StrCmp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\Entangled.a3x
    C:\Users\Admin\AppData\Local\Temp\Entangled.a3x
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1288
      4⤵
      Program crash
      PID:228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1256
      4⤵
      Program crash
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1300
      4⤵
      Program crash
      PID:3336

C:\Users\Admin\Documents\tera14\Set-up.exe
"C:\Users\Admin\Documents\tera14\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\Entangled.a3x
    C:\Users\Admin\AppData\Local\Temp\Entangled.a3x
    3⤵
    - Loads dropped DLL
    PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 908 -ip 908
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 908 -ip 908
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 908 -ip 908
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7cc42c46

Filesize
2.1MB

MD5
1d3c469294ab1a5f4a96c0540cf938cc

SHA1
0ece47cae0041732cf5c664abdfc4543414bc772

SHA256
2731dfc373fae58ae7b93e9828af645eca4df3c461027cc8a10578ee15ebb532

SHA512
97e87f7fe5d2cd5101e597582853dcabd44d1309a2cf2b608ab2ff5b4c6263b2518a22df49541176fe48352066a354a26223666ed88215da1a4698ab858d455f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entangled.a3x

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbb34747

Filesize
2.1MB

MD5
4d052c24bb31bbc6aa0f6ae4044fd63b

SHA1
807575f860cc83099449cd4f447a7846d028be80

SHA256
a702ccb5cac034b3c0861937b8f34037831749c892bf2bb13359b21c7da3e354

SHA512
992cddcdacefdb6924840ca374d8bc7e9a296bc502e7944c3ad190c9f85fc10a637ce3375bce1d7579dfb75f9d49e19f57d95771a5d4e57ec37b81a150fa2c52

Download Submit
C:\Users\Admin\AppData\Roaming\rzfc\ANHOKOIHKJDTDHIVJF\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
C:\Users\Admin\AppData\Roaming\rzfc\WebUI.dll

Filesize
7.6MB

MD5
ac8d3401796d6d5e71524c3c921f689d

SHA1
76da5e0435569d4344ddb51894c350a4785b16f6

SHA256
7055ecd2d4da72d9b5369bdfd355ea46e01e209a66848286aaa5f93038bf48b3

SHA512
241732f8099e15c31db934563906ce161fe6a98994f2e0c5e84ebb340ec82ca6c0bb40b54d7401ad26f52531823c159e8195b106f4b4176fc619af416a77d59e

Download Submit
C:\Users\Admin\AppData\Roaming\rzfc\ehmbs

Filesize
1.5MB

MD5
33d84db91d9d427973a9669f7f95f480

SHA1
2004603452655ed3e2807078dd25648018a6f22b

SHA256
a118ffce4e69d34084cefa0df33719eb576d07d6aaa1c431169bbdf03ff26e0c

SHA512
4509a84f9dc5de50db50e94a900e40552def0109000189501ad6f9d1144bbdc5f1e2822a3db71cdcf32417737bb9cf5798df915d18ae0a1242ca01b368d5c523

Download Submit
memory/832-23-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/832-33-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/832-22-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/832-31-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/908-43-0x0000000000800000-0x0000000000878000-memory.dmp

Filesize
480KB

Download
memory/908-44-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/908-47-0x0000000000800000-0x0000000000878000-memory.dmp

Filesize
480KB

Download
memory/1756-52-0x0000000000C90000-0x0000000000D08000-memory.dmp

Filesize
480KB

Download
memory/1756-53-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/1756-54-0x0000000000C90000-0x0000000000D08000-memory.dmp

Filesize
480KB

Download
memory/3588-15-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/3588-19-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3588-16-0x0000000075D33000-0x0000000075D34000-memory.dmp

Filesize
4KB

Download
memory/3588-0-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/3588-12-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/3588-9-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/3588-7-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download
memory/3588-5-0x0000000075D33000-0x0000000075D34000-memory.dmp

Filesize
4KB

Download
memory/3588-1-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/4860-35-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/5024-30-0x00007FFA71690000-0x00007FFA71885000-memory.dmp

Filesize
2.0MB

Download
memory/5024-37-0x0000000075D20000-0x00000000762D3000-memory.dmp

Filesize
5.7MB

Download