Analysis

Max time kernel: 149s
Max time network: 205s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-11-2024 05:22
Static task: static1
Behavioral task: behavioral1
Sample: protocol.ps1
Resource: win7-20240903-en
General

Target: protocol.ps1
Size: 638B
MD5: 438bdde142d374368c77b97a7a1561c6
SHA1: de1663c0d3760ed9c012610a85e58d21d2af90ca
SHA256: 47b71556865351eaf445aaba6a0c6fd53322d8294ea2da5be78d184ce746ff3f
SHA512: 86663e3284b95dd235417fee177bbc9e519abd05ae7cc03eab34b814e34a82fb8cb30939ba4bfa357ea70644a9504248514d951736d6de591668d6136dac9fba
Malware Config

Extracted
Family: lumma
URL: https://stopruthless.cyou/api
Signatures

Lumma family

Blocklisted process makes network request (7 IoCs)
- flow 5, PID 4356, powershell.exe
- flow 44, PID 432, msiexec.exe
- flow 47, PID 432, msiexec.exe
- flow 50, PID 432, msiexec.exe
- flow 56, PID 432, msiexec.exe
- flow 60, PID 432, msiexec.exe
- flow 63, PID 432, msiexec.exe

Executes dropped EXE (1 IoC)
- PID 2424, 222.exe

Suspicious use of SetThreadContext (1 IoC)
- PID 2424 (222.exe) set thread context of PID 996; target procid 92

Command and Scripting Interpreter: PowerShell
- PID 4356, powershell.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (more.com)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 4356, powershell.exe (2 IoCs)
- PID 2424, 222.exe (2 IoCs)
- PID 996, more.com (2 IoCs)

Suspicious behavior: MapViewOfSection (2 IoCs)
- PID 2424, 222.exe
- PID 996, more.com

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4356, powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2424, 222.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 4356 (powershell.exe) wrote to memory of PID 2424; target procid 85 (2 IoCs)
- PID 2424 (222.exe) wrote to memory of PID 996; target procid 92 (4 IoCs)
- PID 996 (more.com) wrote to memory of PID 432; target procid 105 (5 IoCs)
Processes

Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4356)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\protocol.ps1
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\Extract_9842\222.exe (PID 2424)
    Command line: "C:\Users\Admin\AppData\Roaming\Extract_9842\222.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\more.com (PID 996)
      Command line: C:\Windows\SysWOW64\more.com
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\msiexec.exe (PID 432)
        Command line: C:\Windows\SysWOW64\msiexec.exe
        - Blocklisted process makes network request
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads