Analysis
-
max time kernel
93s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 17:45
Behavioral task
behavioral1
Sample
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
Resource
win7-20241010-en
General
-
Target
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
-
Size
6.8MB
-
MD5
9cf2fcabd10ee683a3652815014b368c
-
SHA1
f49914f1cf2b7fbba812eb8fd807b19065008b23
-
SHA256
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623
-
SHA512
8dcf40e92d40627fb79413c6662e43e87d1dcd23e2825aa87a96e09706cff25e5e894376fdf5570d0e8470c36a4574810fc8afea3c720595fac07b93d0904117
-
SSDEEP
196608:e741InG5lNniIbZg4TYc1vR31A4zur5MOjjDDTTVCjE/gsOt0G1:e741ZbPH1AJCY/Ur
Malware Config
Extracted
lumma
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://droppyrelivei.cfd
Signatures
-
Lumma family
-
Loads dropped DLL 9 IoCs
Processes:
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exepid process 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exedescription pid process target process PID 432 set thread context of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exengentask.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ngentask.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exedescription pid process target process PID 3380 wrote to memory of 432 3380 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe PID 3380 wrote to memory of 432 3380 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe PID 3380 wrote to memory of 432 3380 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe PID 432 wrote to memory of 4416 432 857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe ngentask.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe3⤵
- System Location Discovery: System Language Discovery
PID:4416
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD531ce620cb32ac950d31e019e67efc638
SHA1eaf02a203bc11d593a1adb74c246f7a613e8ef09
SHA2561e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf
SHA512603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374
-
Filesize
114KB
MD5de2f88b18fabe8586c38074b6fb80873
SHA1cf4b533ffeb9792b33516ec05d3375260ff32b98
SHA256f5480114cf3118e561c4dc55cb733f9d06fae897875d91bb324263b4aedd31b9
SHA5123d89ccc9f9d6bca35f2ce5dbdaff2fd571c3e4c89056aec4de97466aea49d5bd9c7de0a0d345f249f1a33b43597f9c3a1687da246f6c832434391638a10dcd04
-
Filesize
51KB
MD53ad5e39cbe6354bb1ce82e29d4b2c072
SHA1c4a18ce9e803ca6a7e33f1bef422f5006df651ff
SHA256eddeedd5fd8a1c49ecaab51ff5117d9fb1fed5637e8ca31f35698bc6d68ca39d
SHA512a9ecab892469c79b50b7c1c79394bb96fcb10beab03114961be5c0c05622765c0f105856065988ed31a7d21911d91c7a5fcdf4a9d33ac35ab99ba5550e91a823
-
Filesize
70KB
MD56ba36034bc861f44e90f547c667da40a
SHA17fc6d70ac9c80e600b14760b47396369f1c3d9be
SHA2565a3e41a8c91eb5d81ac9d4a7477461414d5431754ffb9d6ad49369238d25fdd4
SHA512ad49ebe8b11592088ccfda6813de3629c1c0ef6663d56724b6db8f5b6b827b8cf28ef71dd7154c223f836059029cd25ff48e57edb3d9b665157716172443b59f
-
Filesize
20KB
MD52c4dbaa2151c458c8eea5f37b2cfe673
SHA172aeb5de5e25e67f8f798aed198718b9c4a5cd97
SHA25699dd17fe2d43ed007b301aa5ce80364f2c7d9bbd033e4ce0166defb23140db38
SHA512399491b8d9736732e404640216c8ece073795f9966ae6d2acfd6d64b7c6b35ab63c03287751c0ab46593b072c778e1d4051d667ba693adbafe0a15ae6e6019aa
-
Filesize
781KB
MD5a6277edd815f1d33215c41309aa0a3b4
SHA10522d880992f2bb46571e27610410a9d99b69984
SHA256a6e24deab93ca92bb3118081e10987fb7078b0d249e38911bd0c429563941317
SHA512ae83607b951996cc61bfc07aa6946bc8e6b409bc504aa92355c762420ece2d69c2e11bb6c88d4ce81c8d0136ac82e1e04157ed02cdca5b7d945d939d36c4ae39
-
Filesize
2.2MB
MD531c2130f39942ac41f99c77273969cd7
SHA1540edcfcfa75d0769c94877b451f5d0133b1826c
SHA256dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad
SHA512cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5
-
Filesize
28KB
MD5bc20614744ebf4c2b8acd28d1fe54174
SHA1665c0acc404e13a69800fae94efd69a41bdda901
SHA2560c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA5120c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b
-
Filesize
4.3MB
MD55bafe23107e6df19de8f7ac9068ed26e
SHA1d2a88beaf959bd5331948b03330c98fe8fa85c7c
SHA256c1e5a847ae6aa9d9f42b482c7a20dcdc9dfe225f7186b0b01924225aa4e5e581
SHA5121c2372debc0e2e53ea281798f15243294430e4e7e4d3b82e4ab998a1b7c77cad68d50e196e37c6ff7ba83b08a12286af5d2797bfa707af5dad180862cce7efc7
-
Filesize
24KB
MD5e03b622acba9d02dc5a10364824ede8c
SHA140db1a1a0d81c5d165d043502b1205b22bc238a4
SHA256de914028bfddf19ef7279f04c92ef118c59b1ba8b5e27c76a7932e086bbc7978
SHA51202abe8c060a2e046e92db4fdf5efdeaf6a870703ad313d14d3e8a3a308cca032c1d7b7ac40b0c346c0d8bf3193c42dfc69bf50450c9545d6bb6704fc0f5d3d5b