lumma | 56a7f2bcc9956a3ab23be18b0d44fa0ff30921ba87bc258eb8e800ce9f21f798

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/11/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AffeliOxy.zip
Size

32.5MB
MD5

fdd807d3a9362890cd5ec88474c15338
SHA1

7c890f558ab5a894a8750bec0c2b1ca4db589c78
SHA256

56a7f2bcc9956a3ab23be18b0d44fa0ff30921ba87bc258eb8e800ce9f21f798
SHA512

554081aedfaa2cd69edfd4f043a3f17c12008917fd36ac7e5031a7dba6d3e0c2fd61630eb3f70383564e5d7727298a0d95d0ae1fa78e8ac9e0391c4505c6870b
SSDEEP

786432:EPV8ydWkQRYkhZ5AQ9L2fELTw+xrn5ONFP:EmydUxiQ6EwknQj

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://milk-of-horned.cyou

Extracted

Family

lumma

https://milk-of-horned.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
2756	IndianaDirective.exe
3068	Clerk.com
696	IndianaDirective.exe
2432	Clerk.com

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2652	cmd.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
908	tasklist.exe
828	tasklist.exe
2632	tasklist.exe
2336	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AccompaniedGovt	IndianaDirective.exe
File opened for modification	C:\Windows\BuilderTear	IndianaDirective.exe
File opened for modification	C:\Windows\WashSinging	IndianaDirective.exe
File opened for modification	C:\Windows\AccompaniedGovt	IndianaDirective.exe
File opened for modification	C:\Windows\BuilderTear	IndianaDirective.exe
File opened for modification	C:\Windows\WashSinging	IndianaDirective.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IndianaDirective.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IndianaDirective.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clerk.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clerk.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Clerk.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Clerk.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Clerk.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Clerk.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3068	Clerk.com
3068	Clerk.com
3068	Clerk.com
2068	7zFM.exe
2432	Clerk.com
2432	Clerk.com
2432	Clerk.com
2068	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	2068	7zFM.exe
Token: 35	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeDebugPrivilege	908	tasklist.exe
Token: SeDebugPrivilege	828	tasklist.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	2336	tasklist.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe
Token: SeSecurityPrivilege	2068	7zFM.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe
3068	Clerk.com
3068	Clerk.com
3068	Clerk.com
2068	7zFM.exe
2432	Clerk.com
2432	Clerk.com
2432	Clerk.com
2068	7zFM.exe
2068	7zFM.exe
2068	7zFM.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3068	Clerk.com
3068	Clerk.com
3068	Clerk.com
2432	Clerk.com
2432	Clerk.com
2432	Clerk.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2756	2068	7zFM.exe	30
PID 2068 wrote to memory of 2756	2068	7zFM.exe	30
PID 2068 wrote to memory of 2756	2068	7zFM.exe	30
PID 2068 wrote to memory of 2756	2068	7zFM.exe	30
PID 2756 wrote to memory of 2876	2756	IndianaDirective.exe	31
PID 2756 wrote to memory of 2876	2756	IndianaDirective.exe	31
PID 2756 wrote to memory of 2876	2756	IndianaDirective.exe	31
PID 2756 wrote to memory of 2876	2756	IndianaDirective.exe	31
PID 2876 wrote to memory of 908	2876	cmd.exe	33
PID 2876 wrote to memory of 908	2876	cmd.exe	33
PID 2876 wrote to memory of 908	2876	cmd.exe	33
PID 2876 wrote to memory of 908	2876	cmd.exe	33
PID 2876 wrote to memory of 2920	2876	cmd.exe	34
PID 2876 wrote to memory of 2920	2876	cmd.exe	34
PID 2876 wrote to memory of 2920	2876	cmd.exe	34
PID 2876 wrote to memory of 2920	2876	cmd.exe	34
PID 2876 wrote to memory of 828	2876	cmd.exe	36
PID 2876 wrote to memory of 828	2876	cmd.exe	36
PID 2876 wrote to memory of 828	2876	cmd.exe	36
PID 2876 wrote to memory of 828	2876	cmd.exe	36
PID 2876 wrote to memory of 2072	2876	cmd.exe	37
PID 2876 wrote to memory of 2072	2876	cmd.exe	37
PID 2876 wrote to memory of 2072	2876	cmd.exe	37
PID 2876 wrote to memory of 2072	2876	cmd.exe	37
PID 2876 wrote to memory of 2220	2876	cmd.exe	38
PID 2876 wrote to memory of 2220	2876	cmd.exe	38
PID 2876 wrote to memory of 2220	2876	cmd.exe	38
PID 2876 wrote to memory of 2220	2876	cmd.exe	38
PID 2876 wrote to memory of 1204	2876	cmd.exe	39
PID 2876 wrote to memory of 1204	2876	cmd.exe	39
PID 2876 wrote to memory of 1204	2876	cmd.exe	39
PID 2876 wrote to memory of 1204	2876	cmd.exe	39
PID 2876 wrote to memory of 3068	2876	cmd.exe	40
PID 2876 wrote to memory of 3068	2876	cmd.exe	40
PID 2876 wrote to memory of 3068	2876	cmd.exe	40
PID 2876 wrote to memory of 3068	2876	cmd.exe	40
PID 2876 wrote to memory of 2264	2876	cmd.exe	41
PID 2876 wrote to memory of 2264	2876	cmd.exe	41
PID 2876 wrote to memory of 2264	2876	cmd.exe	41
PID 2876 wrote to memory of 2264	2876	cmd.exe	41
PID 2068 wrote to memory of 696	2068	7zFM.exe	42
PID 2068 wrote to memory of 696	2068	7zFM.exe	42
PID 2068 wrote to memory of 696	2068	7zFM.exe	42
PID 2068 wrote to memory of 696	2068	7zFM.exe	42
PID 696 wrote to memory of 2652	696	IndianaDirective.exe	43
PID 696 wrote to memory of 2652	696	IndianaDirective.exe	43
PID 696 wrote to memory of 2652	696	IndianaDirective.exe	43
PID 696 wrote to memory of 2652	696	IndianaDirective.exe	43
PID 2652 wrote to memory of 2632	2652	cmd.exe	45
PID 2652 wrote to memory of 2632	2652	cmd.exe	45
PID 2652 wrote to memory of 2632	2652	cmd.exe	45
PID 2652 wrote to memory of 2632	2652	cmd.exe	45
PID 2652 wrote to memory of 848	2652	cmd.exe	46
PID 2652 wrote to memory of 848	2652	cmd.exe	46
PID 2652 wrote to memory of 848	2652	cmd.exe	46
PID 2652 wrote to memory of 848	2652	cmd.exe	46
PID 2652 wrote to memory of 2336	2652	cmd.exe	47
PID 2652 wrote to memory of 2336	2652	cmd.exe	47
PID 2652 wrote to memory of 2336	2652	cmd.exe	47
PID 2652 wrote to memory of 2336	2652	cmd.exe	47
PID 2652 wrote to memory of 2360	2652	cmd.exe	48
PID 2652 wrote to memory of 2360	2652	cmd.exe	48
PID 2652 wrote to memory of 2360	2652	cmd.exe	48
PID 2652 wrote to memory of 2360	2652	cmd.exe	48

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AffeliOxy.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\7zO41895167\IndianaDirective.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41895167\IndianaDirective.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Charges Charges.cmd && Charges.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 578846
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Smtp + ..\Miles + ..\Hacker + ..\Mild + ..\Routing + ..\Tons J
      4⤵
      System Location Discovery: System Language Discovery
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\578846\Clerk.com
      Clerk.com J
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3068
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2264
- C:\Users\Admin\AppData\Local\Temp\7zO41893787\IndianaDirective.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41893787\IndianaDirective.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Charges Charges.cmd && Charges.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:848
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 578846
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Smtp + ..\Miles + ..\Hacker + ..\Mild + ..\Routing + ..\Tons J
      4⤵
      System Location Discovery: System Language Discovery
      PID:804
  - - C:\Users\Admin\AppData\Local\Temp\578846\Clerk.com
      Clerk.com J
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2432
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\578846\J

Filesize
455KB

MD5
46c03e199147f6486ef8eab66c75ae97

SHA1
1ef3c34e179a2476887a96d6a90a8eb556dc89fb

SHA256
0dd57d3dcd7021154b098723822066b89af51e0f0b6aab45a80c25489e419caa

SHA512
4064a04bdb0fe83cfe9e1cb648ca8e03480610434fd0ed578ac9ff0d572c76955080e9c1b223c22c7f2442a73b959d34ac1d80467929154ef29e83e8473ec2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4182D758\jres\doc\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8EC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Charges

Filesize
8KB

MD5
84f71beefe526a40a64f8b35f300bd01

SHA1
96035a8a6fd37190defde59863fd20590bf7e608

SHA256
c4d52edc00bca5dd9245dc473b769ff1ca23c7d6aa643b34006be2715f9582fa

SHA512
6a0d8e8dbbbf48b1f24692932349379a6254637023cd4be2eb07d482ba79b32f9eada1fb2da0df83f9f547fddc230a1bfe470ff0083a3d4996f48f0770e23113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hacker

Filesize
88KB

MD5
337754ee90f41a9482c65866157abd24

SHA1
cf10e938ba353823dd717b9f0331fbd417f6aa43

SHA256
4633376d6caf430bcafb0e09386a9a1df296e9953da7c7ad407d1eef9a9c6366

SHA512
7a08ee54ba3fc8fe7a66737b06f59ccf9f798bd94f5105be358d4da9626e18f72901a70154c258aec6c89b870235e9153b7d99ec12defd661c94b0ed669fe80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mild

Filesize
77KB

MD5
20cdf0fd6a305c2eec28ef7b637c050f

SHA1
9c4379218b192efd8d8455ae8e47ba6052c218af

SHA256
06ac72c2e649a70f3305a4cb8ea79ca2d9bbe5433fad7ead1a6ad3d7fef6af84

SHA512
169b15e900cc231ff8854aa23e47332a4b4c82c3d1d5613e99a271bf54986c06d386fc5b30f407527d823ccf8176b43bc13bac9dfea08ae43fa67962e6f1a824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miles

Filesize
90KB

MD5
6ce23865286e0bdb0f318ca9fbb0b15f

SHA1
3a8d77624f46d7df409c529a45371e9838df9fbe

SHA256
5696e3eb404d0975b599d315b4de90aa0d1ee1b355a66b868e86fdc4265b1d9a

SHA512
6ffd98c0282e01684b0d802e44215e2823822bad8517248f2667aebe48eb5d4d722740e78a2b3087fb50a6d3f1b939ad1916d6a5b38089a49020c83e2d914f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routing

Filesize
60KB

MD5
9329a23150348ac5dcfa3110738b13d5

SHA1
42179cdc1e966c6c89f932ede43c7f0ffa5392f5

SHA256
cd68b3a59211a02bbaf82a226238c2ff12d4b0aa3d2c77ddf26b3713f2be5f88

SHA512
ef15a6ba80243f9c4d9242c69bd63428ef4900d7e5879bb5743e90a633fc1dfb17e773f7dc2b8c570b74fa2aa9092f45c917e50baa6e41eb335f62483f603769

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smtp

Filesize
86KB

MD5
457891d75fb4b5d1ac8803a1769ebe55

SHA1
63d1fa366ba9e68483582d4a4d5241f0effb37a0

SHA256
73fa3440ac5936600db30afc343071820885fa00d7ee3af031df66165cc4a610

SHA512
982ccf867690a4b7f44eebc65688906b4e8ea3ee6c03838be051aa00adb3b8b6f8e12e46001067cf83bd478f80579fdce355cd255361522a6b196df2285ae297

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tons

Filesize
54KB

MD5
31f97e9d552f1dcea927a8ec63be7994

SHA1
8befe0f1c35f2d1aff719e050d4402c0dce9daf1

SHA256
41cd044cd5e80be25c62544cbe726a8fe3f373a7882ec26c5534cea43360234a

SHA512
860ee85f79e6d86897067236ecc7f6aa3d895a06378abc28b6918edb7764b0d0a3daf459890d9f5e37ff83e849d722d5ba185ce9cc31b4588b012879e568d071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Validity

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
memory/3068-444-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/3068-446-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/3068-449-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/3068-448-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/3068-447-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download
memory/3068-445-0x0000000003570000-0x00000000035C9000-memory.dmp

Filesize
356KB

Download