Overview (score 10)
Score  Task                  Platform
1      Static                static
10     MilwaukeeRivers.exe   windows7-x64
10     MilwaukeeRivers.exe   windows10-2004-x64
3      .data                 windows7-x64
3      .data                 windows10-2004-x64
3      .rdata                windows7-x64
3      .rdata                windows10-2004-x64
3      .reloc                windows7-x64
3      .reloc                windows10-2004-x64
1      .rsrc/DIALOG/105      windows7-x64
1      .rsrc/DIALOG/105      windows10-2004-x64
1      .rsrc/DIALOG/106      windows7-x64
1      .rsrc/DIALOG/106      windows10-2004-x64
1      .rsrc/DIALOG/111      windows7-x64
1      .rsrc/DIALOG/111      windows10-2004-x64
1      .rsrc/GROUP_ICON/103  windows7-x64
1      .rsrc/GROUP_ICON/103  windows10-2004-x64
3      .rsrc/ICON/1.ico      windows7-x64
3      .rsrc/ICON/1.ico      windows10-2004-x64
3      .rsrc/MANIFEST/1.xml  windows7-x64
1      .rsrc/MANIFEST/1.xml  windows10-2004-x64
1      .rsrc/version.txt     windows7-x64
1      .rsrc/version.txt     windows10-2004-x64
3      .text                 windows7-x64
3      .text                 windows10-2004-x64
1      CERTIFICATE           windows7-x64
1      CERTIFICATE           windows10-2004-x64
1      [0]                   windows7-x64
1      [0]                   windows10-2004-x64
1      [1]                   windows7-x64
1      [1]                   windows10-2004-x64
Analysis
max time kernel: 93s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 10:18
Static task: static1

Behavioral tasks
Task          Sample                Resource
behavioral1   MilwaukeeRivers.exe   win7-20240903-en
behavioral2   MilwaukeeRivers.exe   win10v2004-20241007-en
behavioral3   .data                 win7-20240903-en
behavioral4   .data                 win10v2004-20241007-en
behavioral5   .rdata                win7-20240708-en
behavioral6   .rdata                win10v2004-20241007-en
behavioral7   .reloc                win7-20240903-en
behavioral8   .reloc                win10v2004-20241007-en
behavioral9   .rsrc/DIALOG/105      win7-20241010-en
behavioral10  .rsrc/DIALOG/105      win10v2004-20241007-en
behavioral11  .rsrc/DIALOG/106      win7-20240903-en
behavioral12  .rsrc/DIALOG/106      win10v2004-20241007-en
behavioral13  .rsrc/DIALOG/111      win7-20240903-en
behavioral14  .rsrc/DIALOG/111      win10v2004-20241007-en
behavioral15  .rsrc/GROUP_ICON/103  win7-20240903-en
behavioral16  .rsrc/GROUP_ICON/103  win10v2004-20241007-en
behavioral17  .rsrc/ICON/1.ico      win7-20241010-en
behavioral18  .rsrc/ICON/1.ico      win10v2004-20241007-en
behavioral19  .rsrc/MANIFEST/1.xml  win7-20240708-en
behavioral20  .rsrc/MANIFEST/1.xml  win10v2004-20241007-en
behavioral21  .rsrc/version.txt     win7-20240903-en
behavioral22  .rsrc/version.txt     win10v2004-20241007-en
behavioral23  .text                 win7-20241010-en
behavioral24  .text                 win10v2004-20241007-en
behavioral25  CERTIFICATE           win7-20240708-en
behavioral26  CERTIFICATE           win10v2004-20241007-en
behavioral27  [0]                   win7-20240903-en
behavioral28  [0]                   win10v2004-20241007-en
behavioral29  [1]                   win7-20240903-en
behavioral30  [1]                   win10v2004-20241007-en
General
Target: MilwaukeeRivers.exe
Size: 948KB
MD5: e922a4d7d2c3c937231aa937b9a2ad25
SHA1: b78ade0fbd78bff01d5c86079c9224d7b87f0770
SHA256: bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
SHA512: 501a15eb4c5c64f2df9f454c11951907f33a834885113e14491a6823d8e3373c09523a3eedb52952aada8071dbeec88338dbdeb02a2c4d7a8e0af48eb1dbe5f6
SSDEEP: 24576:7gk8NlvGOgHdQFQ/Dfw/EQky/vgNs9OHYkc:WvGOgHeFODfwcC3WsSS
Malware Config
Extracted family: lumma
Signatures
- Lumma family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (MilwaukeeRivers.exe)
- Executes dropped EXE (1 IoC)
  PID 1072 Comparing.pif
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2284 tasklist.exe; PID 3104 tasklist.exe
- Drops file in Windows directory (6 IoCs)
  File opened for modification: C:\Windows\EarlTowards (MilwaukeeRivers.exe)
  File opened for modification: C:\Windows\LakesDies (MilwaukeeRivers.exe)
  File opened for modification: C:\Windows\NycOperational (MilwaukeeRivers.exe)
  File opened for modification: C:\Windows\MrnaWasher (MilwaukeeRivers.exe)
  File opened for modification: C:\Windows\StormCups (MilwaukeeRivers.exe)
  File opened for modification: C:\Windows\AgePlants (MilwaukeeRivers.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: tasklist.exe, tasklist.exe, findstr.exe, Comparing.pif, MilwaukeeRivers.exe, cmd.exe, findstr.exe, findstr.exe, cmd.exe, cmd.exe, choice.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 3104 tasklist.exe; Token: SeDebugPrivilege, PID 2284 tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 1072 Comparing.pif; PID 1072 Comparing.pif; PID 1072 Comparing.pif
- Suspicious use of WriteProcessMemory (30 IoCs)
  description                        pid   Process              procid_target
  PID 4180 wrote to memory of 1168   4180  MilwaukeeRivers.exe  84
  PID 4180 wrote to memory of 1168   4180  MilwaukeeRivers.exe  84
  PID 4180 wrote to memory of 1168   4180  MilwaukeeRivers.exe  84
  PID 1168 wrote to memory of 3104   1168  cmd.exe              86
  PID 1168 wrote to memory of 3104   1168  cmd.exe              86
  PID 1168 wrote to memory of 3104   1168  cmd.exe              86
  PID 1168 wrote to memory of 2500   1168  cmd.exe              87
  PID 1168 wrote to memory of 2500   1168  cmd.exe              87
  PID 1168 wrote to memory of 2500   1168  cmd.exe              87
  PID 1168 wrote to memory of 2284   1168  cmd.exe              92
  PID 1168 wrote to memory of 2284   1168  cmd.exe              92
  PID 1168 wrote to memory of 2284   1168  cmd.exe              92
  PID 1168 wrote to memory of 3012   1168  cmd.exe              93
  PID 1168 wrote to memory of 3012   1168  cmd.exe              93
  PID 1168 wrote to memory of 3012   1168  cmd.exe              93
  PID 1168 wrote to memory of 3960   1168  cmd.exe              94
  PID 1168 wrote to memory of 3960   1168  cmd.exe              94
  PID 1168 wrote to memory of 3960   1168  cmd.exe              94
  PID 1168 wrote to memory of 4740   1168  cmd.exe              95
  PID 1168 wrote to memory of 4740   1168  cmd.exe              95
  PID 1168 wrote to memory of 4740   1168  cmd.exe              95
  PID 1168 wrote to memory of 184    1168  cmd.exe              96
  PID 1168 wrote to memory of 184    1168  cmd.exe              96
  PID 1168 wrote to memory of 184    1168  cmd.exe              96
  PID 1168 wrote to memory of 1072   1168  cmd.exe              99
  PID 1168 wrote to memory of 1072   1168  cmd.exe              99
  PID 1168 wrote to memory of 1072   1168  cmd.exe              99
  PID 1168 wrote to memory of 3968   1168  cmd.exe              100
  PID 1168 wrote to memory of 3968   1168  cmd.exe              100
  PID 1168 wrote to memory of 3968   1168  cmd.exe              100
Processes
C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe (PID 4180)
  command line: "C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1168)
    command line: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 3104)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 2500)
      command line: findstr /I "wrsa opssvc"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe (PID 2284)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 3012)
      command line: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 3960)
      command line: cmd /c md 215655
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe (PID 4740)
      command line: findstr /V "GeologicalAllowStoryVirtually" Commitments
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 184)
      command line: cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif (PID 1072)
      command line: Comparing.pif g
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\choice.exe (PID 3968)
      command line: choice /d y /t 5
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads