Analysis
max time kernel: 96s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 05:20
Static task: static1
Behavioral task: behavioral1
Sample: aaaa.ps1
Resource: win7-20240903-en
General
Target: aaaa.ps1
Size: 451B
MD5: 9a6ccc9afb164bff29d969bb8e6b5624
SHA1: 79e602dee0b7a411e5db13739b43fae1ac2c0dd3
SHA256: b9f126c04bb56be08519685eb906a650027fc68931015b7202e09373766155ea
SHA512: 03faa5b073947f90fbba90f2292537442dc91b89c9778c3cc4ee81c5e7cc5b662558c6b30284f7fbc16ea8af7ec80ea6990b4f22f5f5620037a76789fbde11b6
Malware Config
Extracted family: lumma
C2: https://stopruthless.cyou/api
Signatures

Lumma family

Blocklisted process makes network request (7 IoCs)
flow  pid   Process
4     4452  powershell.exe
34    3984  msiexec.exe
37    3984  msiexec.exe
40    3984  msiexec.exe
46    3984  msiexec.exe
50    3984  msiexec.exe
53    3984  msiexec.exe

Executes dropped EXE (1 IoC)
pid   Process
4120  222.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process  procid_target
PID 4120 set thread context of 4772  4120  222.exe  97

Command and Scripting Interpreter: PowerShell (1 IoC)
pid   Process
4452  powershell.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
4452  powershell.exe
4452  powershell.exe
4120  222.exe
4120  222.exe
4772  more.com
4772  more.com

Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
4120  222.exe
4772  more.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  4452  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4120  222.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid   Process         procid_target
PID 4452 wrote to memory of 4120  4452  powershell.exe  96
PID 4452 wrote to memory of 4120  4452  powershell.exe  96
PID 4120 wrote to memory of 4772  4120  222.exe         97
PID 4120 wrote to memory of 4772  4120  222.exe         97
PID 4120 wrote to memory of 4772  4120  222.exe         97
PID 4120 wrote to memory of 4772  4120  222.exe         97
PID 4772 wrote to memory of 3984  4772  more.com        102
PID 4772 wrote to memory of 3984  4772  more.com        102
PID 4772 wrote to memory of 3984  4772  more.com        102
PID 4772 wrote to memory of 3984  4772  more.com        102
PID 4772 wrote to memory of 3984  4772  more.com        102
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4452)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaaa.ps1
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Extracted1\222.exe (PID 4120)
    Command line: "C:\Users\Admin\AppData\Roaming\Extracted1\222.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\more.com (PID 4772)
      Command line: C:\Windows\SysWOW64\more.com
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\msiexec.exe (PID 3984)
        Command line: C:\Windows\SysWOW64\msiexec.exe
        - Blocklisted process makes network request
        - System Location Discovery: System Language Discovery
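The process tree above records a four-stage chain: powershell.exe (run with -ExecutionPolicy bypass) writes into and launches the dropped 222.exe from AppData\Roaming, 222.exe creates more.com, writes to its memory and overwrites its thread context (the SetThreadContext/MapViewOfSection pattern of process hollowing), and the msiexec.exe spawned under more.com is the process that makes the network requests. The following is an added example, not part of the sandbox report or of any vendor's tooling: a small detector that replays those relationships as a constructed event stream and flags each stage. The event schema is a simplified one of my own (not Sysmon's), the parent PID 1000 of powershell.exe is assumed, and only the PIDs, image paths and command line are taken from the report.

```python
"""Added example (not from the sandbox report): flag the injection chain
powershell.exe -> dropped 222.exe -> more.com (thread context hijacked)
-> msiexec.exe (network) from a stream of process/memory/network events.
The event schema is constructed for this example and is not Sysmon's."""
from collections import defaultdict

# Constructed events modelled on the report's signature tables. "ppid" 1000 for
# powershell.exe is an assumption; the report does not show its parent.
EVENTS = [
    {"kind": "process_create", "pid": 4452, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaaa.ps1"},
    {"kind": "network", "pid": 4452},                       # flow 4 in the report
    {"kind": "process_create", "pid": 4120, "ppid": 4452,
     "image": r"C:\Users\Admin\AppData\Roaming\Extracted1\222.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Extracted1\222.exe"'},
    {"kind": "write_memory", "src": 4452, "dst": 4120},
    {"kind": "process_create", "pid": 4772, "ppid": 4120,
     "image": r"C:\Windows\SysWOW64\more.com", "cmdline": r"C:\Windows\SysWOW64\more.com"},
    {"kind": "write_memory", "src": 4120, "dst": 4772},
    {"kind": "set_thread_context", "src": 4120, "dst": 4772},
    {"kind": "process_create", "pid": 3984, "ppid": 4772,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"kind": "write_memory", "src": 4772, "dst": 3984},
    {"kind": "network", "pid": 3984},                       # flows 34..53 in the report
]

WINDOWS_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def _under(path, prefixes):
    p = path.lower()
    return any(s in p for s in prefixes)


def detect(events):
    """Return a sorted list of (rule, pid) findings for the event stream."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process_create"}
    findings = set()

    # Rule 1: a PowerShell host started with -ExecutionPolicy bypass spawns an
    # executable from a user-writable location (the dropped 222.exe).
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if not parent or not parent["image"].lower().endswith("powershell.exe"):
            continue
        if "-executionpolicy bypass" in parent["cmdline"].lower() and _under(p["image"], USER_WRITABLE):
            findings.add(("script_host_drops_exe", p["pid"]))

    # Rule 2: the creator of a Windows binary writes into it and then overwrites
    # one of its thread contexts. Create-suspended, write payload, redirect the
    # thread is how hollowing runs code under a trusted image name.
    written = defaultdict(set)
    for e in events:
        if e["kind"] == "write_memory":
            written[e["dst"]].add(e["src"])
    hollowed = set()
    for e in events:
        if e["kind"] != "set_thread_context" or e["src"] == e["dst"]:
            continue
        target = procs.get(e["dst"])
        if (target and target["ppid"] == e["src"] and e["src"] in written[e["dst"]]
                and _under(target["image"], WINDOWS_DIRS)):
            hollowed.add(e["dst"])
            findings.add(("thread_context_hijack", e["dst"]))

    # Rule 3: network activity from a hollowed process or anything beneath it in
    # the tree (msiexec.exe under more.com), which is where C2 traffic shows up.
    def lineage(pid):
        while pid in procs:
            yield pid
            pid = procs[pid]["ppid"]

    for e in events:
        if e["kind"] == "network" and any(a in hollowed for a in lineage(e["pid"])):
            findings.add(("network_from_injected_lineage", e["pid"]))

    return sorted(findings)


if __name__ == "__main__":
    images = {e["pid"]: e["image"] for e in EVENTS if e["kind"] == "process_create"}
    for rule, pid in detect(EVENTS):
        print(f"{rule:30} pid={pid} {images[pid]}")
```

Rule 3 deliberately does not flag the powershell.exe flow (flow 4): nothing above it in the tree was hollowed, so on its own that request is only the script host fetching the next stage. The lineage check is what ties the msiexec.exe traffic back to the 222.exe injection, which is the relationship a triage analyst wants surfaced rather than three unrelated alerts.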
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.2MB
  MD5: 5a75f659ffc75a302f528fe7081777ad
  SHA1: 88bd1061283e27f2c9dfa059c724f741e92a05a4
  SHA256: 6c2ed09d1333bab38fa4380b22ecb5149b3dd361b694217402264b121c4cf7f8
  SHA512: fdf08ed9a66d2c01f9b998477ec416c7000afc777826b0ea022f62bc521a53b1f09f724b0def1f2347a5d3a4c4d5229fdeaef35bccc44176c162e46dbfe858d3

- Filesize: 1022KB
  MD5: e3a8dbb1a1e8b5c54f3f87fa4f812990
  SHA1: 4c0c049e3c6c24c492d72d6ca812ae56d4ede157
  SHA256: 6420a8e5dfa7b8237d911a5cf7c34879a7be424db3579775ef48c4a7bfabd708
  SHA512: fdafd52ae2c9d74e67b64092822cdb12735dafca56965f4ddd16accbb5ca9ed17c984b459579ca4174365203275db6d0e9eaf9c33d58fae51f71a903742861dc

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 11.0MB
  MD5: b3450f42aa8c6ed0aaca0be210da8d0a
  SHA1: eeeaea9f807d1c99bc41f6600fe7b7acda8de22d
  SHA256: bbceb39ab4cd6bdcb75169c0010a72be880f071728c270f31e22ab7cf28adf2b
  SHA512: 00749482865dca1429d6fbfea7642d89432d617e6523c3f1c70c9e23434b74452a775c38b0581f767575593b2f35a0385fbd12b2f0cbfd324bddd9494be054ae