Analysis
max time kernel: 150s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 05:14
Static task: static1
Behavioral task: behavioral1
Sample: aaaa.ps1
Resource: win7-20240903-en
General
Target: aaaa.ps1
Size: 451B
MD5: 9a6ccc9afb164bff29d969bb8e6b5624
SHA1: 79e602dee0b7a411e5db13739b43fae1ac2c0dd3
SHA256: b9f126c04bb56be08519685eb906a650027fc68931015b7202e09373766155ea
SHA512: 03faa5b073947f90fbba90f2292537442dc91b89c9778c3cc4ee81c5e7cc5b662558c6b30284f7fbc16ea8af7ec80ea6990b4f22f5f5620037a76789fbde11b6
Malware Config
Extracted
Family: lumma
URL: https://stopruthless.cyou/api
Signatures
Lumma family
Blocklisted process makes network request 7 IoCs
flow  pid   Process
4     2228  powershell.exe
41    3668  msiexec.exe
44    3668  msiexec.exe
47    3668  msiexec.exe
51    3668  msiexec.exe
58    3668  msiexec.exe
61    3668  msiexec.exe
Executes dropped EXE 1 IoCs
pid   Process
2360  222.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process  procid_target
PID 2360 set thread context of 4744  2360  222.exe  98
Command and Scripting Interpreter: PowerShell 1 IoCs
pid   Process
2228  powershell.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2228  powershell.exe
2228  powershell.exe
2360  222.exe
2360  222.exe
4744  more.com
4744  more.com
Suspicious behavior: MapViewOfSection 2 IoCs
pid   Process
2360  222.exe
4744  more.com
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2228  powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2360  222.exe
Suspicious use of WriteProcessMemory 11 IoCs
description                       pid   Process         procid_target
PID 2228 wrote to memory of 2360  2228  powershell.exe  97
PID 2228 wrote to memory of 2360  2228  powershell.exe  97
PID 2360 wrote to memory of 4744  2360  222.exe         98
PID 2360 wrote to memory of 4744  2360  222.exe         98
PID 2360 wrote to memory of 4744  2360  222.exe         98
PID 2360 wrote to memory of 4744  2360  222.exe         98
PID 4744 wrote to memory of 3668  4744  more.com        105
PID 4744 wrote to memory of 3668  4744  more.com        105
PID 4744 wrote to memory of 3668  4744  more.com        105
PID 4744 wrote to memory of 3668  4744  more.com        105
PID 4744 wrote to memory of 3668  4744  more.com        105
Processes
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaaa.ps1
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228 -
[2] C:\Users\Admin\AppData\Roaming\Extracted1\222.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Extracted1\222.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
[3] C:\Windows\SysWOW64\more.com
    Command line: C:\Windows\SysWOW64\more.com
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4744 -
[4] C:\Windows\SysWOW64\msiexec.exe
    Command line: C:\Windows\SysWOW64\msiexec.exe
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:3668
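The signature tables and the process tree above describe one chain: a script host run with the execution policy bypassed, a dropped executable under AppData\Roaming, a parent that writes into its own suspended child and then resets the child's thread context (the SetThreadContext plus WriteProcessMemory pairing that marks process hollowing), and two system binaries (more.com, msiexec.exe) that read the NLS\Language key and open outbound connections to the extracted Lumma URL. The following is an added example, not the sandbox's or the malware's code: detection logic over a constructed, Sysmon-style event stream modelled on those tables. The event schema, rule names and functions are this example's own; the PIDs, image paths, command line, registry key and host stopruthless.cyou come from the report, while the stage-download host, the benign msiexec.exe (pid 5100) and its host are constructed.

```python
"""Added example: detection rules over a constructed event stream that mirrors the
report's chain: powershell.exe (2228) -> dropped 222.exe (2360) -> hollowed more.com
(4744) -> msiexec.exe (3668) beaconing to the extracted Lumma URL. Schema, rule names
and functions are this example's own; PIDs, paths, command line, registry key and the
C2 host come from the report; pid 5100 and the *.example hosts are constructed."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# System binaries that should not open outbound sockets on their own (example's own list)
LOLBIN_SOCKET_HOSTS = {"more.com", "msiexec.exe", "regasm.exe", "regsvcs.exe"}
LOCALE_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [  # constructed, modelled on the report's process tree and signature tables
    {"type": "ProcessCreate", "pid": 2228, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaaa.ps1"},
    {"type": "NetworkConnect", "pid": 2228, "dest_host": "stage.example"},  # flow 4; host constructed
    {"type": "ProcessCreate", "pid": 2360, "ppid": 2228,
     "image": r"C:\Users\Admin\AppData\Roaming\Extracted1\222.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Extracted1\222.exe"'},
    {"type": "ProcessCreate", "pid": 4744, "ppid": 2360,
     "image": r"C:\Windows\SysWOW64\more.com", "cmdline": r"C:\Windows\SysWOW64\more.com"},
    {"type": "WriteProcessMemory", "pid": 2360, "target_pid": 4744},
    {"type": "SetThreadContext", "pid": 2360, "target_pid": 4744},
    {"type": "RegistryKeyOpen", "pid": 4744, "key": LOCALE_KEY},
    {"type": "ProcessCreate", "pid": 3668, "ppid": 4744,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"type": "WriteProcessMemory", "pid": 4744, "target_pid": 3668},
    {"type": "RegistryKeyOpen", "pid": 3668, "key": LOCALE_KEY},
    {"type": "NetworkConnect", "pid": 3668, "dest_host": "stopruthless.cyou"},
    {"type": "NetworkConnect", "pid": 3668, "dest_host": "stopruthless.cyou"},
    # Benign control (constructed): Windows Installer started by a service, fetching an update
    {"type": "ProcessCreate", "pid": 5100, "ppid": 700,
     "image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"msiexec.exe /V"},
    {"type": "NetworkConnect", "pid": 5100, "dest_host": "updates.example"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_chain(events):
    """Return sorted (rule, pid) findings; each rule keys on one signature from the report."""
    image, parent, cmdline = {}, {}, {}
    wrote, ctx = defaultdict(set), defaultdict(set)      # source pid -> target pids
    net, regkeys = defaultdict(list), defaultdict(set)   # pid -> hosts / pid -> keys opened
    for e in events:
        t = e["type"]
        if t == "ProcessCreate":
            image[e["pid"]], parent[e["pid"]], cmdline[e["pid"]] = e["image"], e["ppid"], e["cmdline"]
        elif t == "WriteProcessMemory":
            wrote[e["pid"]].add(e["target_pid"])
        elif t == "SetThreadContext":
            ctx[e["pid"]].add(e["target_pid"])
        elif t == "NetworkConnect":
            net[e["pid"]].append(e["dest_host"])
        elif t == "RegistryKeyOpen":
            regkeys[e["pid"]].add(e["key"].lower())

    def ancestors(pid):
        p = parent.get(pid)
        while p is not None:
            yield p
            p = parent.get(p)

    findings = set()
    # 1. Script host run with the execution policy bypassed on a file under a Temp directory
    for pid, cl in cmdline.items():
        if basename(image[pid]) in SCRIPT_HOSTS and re.search(r"-ex\w*\s+bypass", cl, re.I) \
                and re.search(r"\\temp\\", cl, re.I):
            findings.add(("script_host_policy_bypass", pid))
    # 2. Executes dropped EXE: a script host spawns a binary out of the user's profile
    for pid, ppid in parent.items():
        if ppid in image and basename(image[ppid]) in SCRIPT_HOSTS and "\\appdata\\" in image[pid].lower():
            findings.add(("dropped_exe_from_script_host", pid))
    # 3. Hollowing: a parent both writes into its own child and resets that child's thread context
    for src, targets in ctx.items():
        for tgt in targets:
            if tgt in wrote[src] and parent.get(tgt) == src:
                findings.add(("process_hollowing", tgt))
    # 4/5. Only for processes descended from something already flagged: a non-networking system
    #      binary opening sockets (C2 beacon) or reading the NLS\Language key (locale check)
    flagged = {pid for _, pid in findings}
    for pid in set(net) | set(regkeys):
        if not flagged.intersection(ancestors(pid)):
            continue   # the benign msiexec.exe (5100) and the script host itself stop here
        if net[pid] and basename(image.get(pid, "")) in LOLBIN_SOCKET_HOSTS:
            findings.add(("lolbin_c2_beacon", pid))
        if LOCALE_KEY.lower() in regkeys[pid]:
            findings.add(("system_language_discovery", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in find_chain(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Rules 4 and 5 deliberately require a flagged ancestor: msiexec.exe talking to the network and any process reading NLS\Language are both common in isolation, so on their own they would only generate noise, while in this lineage they are the stealer's beacon and its locale check. The WriteProcessMemory and SetThreadContext rows come from the sandbox's API trace; Sysmon does not emit those calls as events, so with Sysmon alone rule 3 has to be approximated from process-access and image-load telemetry supplied by an EDR.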
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.2MB
MD5: 5a75f659ffc75a302f528fe7081777ad
SHA1: 88bd1061283e27f2c9dfa059c724f741e92a05a4
SHA256: 6c2ed09d1333bab38fa4380b22ecb5149b3dd361b694217402264b121c4cf7f8
SHA512: fdf08ed9a66d2c01f9b998477ec416c7000afc777826b0ea022f62bc521a53b1f09f724b0def1f2347a5d3a4c4d5229fdeaef35bccc44176c162e46dbfe858d3

Filesize: 1022KB
MD5: 55364661a5503fc418b413fca45fbb73
SHA1: a4656fc310d435161ec67b04877ee4c8099ec934
SHA256: 5b6de94e26ea986ac6f92f9de2ebf0f0f0e199141da64782388b18b645125acf
SHA512: 07662049e10ad25af09f17a32151267f4c9e35f493509c1935c3317ef55b246094df94a16a86210ff9b505a73e56f8d6d4d9431f2d8cb526f468600586ec7966

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 11.0MB
MD5: b3450f42aa8c6ed0aaca0be210da8d0a
SHA1: eeeaea9f807d1c99bc41f6600fe7b7acda8de22d
SHA256: bbceb39ab4cd6bdcb75169c0010a72be880f071728c270f31e22ab7cf28adf2b
SHA512: 00749482865dca1429d6fbfea7642d89432d617e6523c3f1c70c9e23434b74452a775c38b0581f767575593b2f35a0385fbd12b2f0cbfd324bddd9494be054ae