Overview
overview
10Static
static
9Release.zip
windows7-x64
10Release.zip
windows10-2004-x64
1Release/Bo...er.exe
windows7-x64
10Release/Bo...er.exe
windows10-2004-x64
10Release/au...in.dll
windows7-x64
3Release/au...in.dll
windows10-2004-x64
3Release/lo...v2.dll
windows7-x64
1Release/lo...v2.dll
windows10-2004-x64
1Release/lo...de.ps1
windows7-x64
3Release/lo...de.ps1
windows10-2004-x64
3Release/lo...ng.dll
windows7-x64
1Release/lo...ng.dll
windows10-2004-x64
1Release/lo...ng.dll
windows7-x64
1Release/lo...ng.dll
windows10-2004-x64
1Release/lo...ng.dll
windows7-x64
1Release/lo...ng.dll
windows10-2004-x64
1Release/lo...er.dll
windows7-x64
1Release/lo...er.dll
windows10-2004-x64
1Release/lo...-1.dll
windows7-x64
1Release/lo...-1.dll
windows10-2004-x64
1Release/ru...er.dll
windows7-x64
1Release/ru...er.dll
windows10-2004-x64
1Release/ru...er.dll
windows7-x64
1Release/ru...er.dll
windows10-2004-x64
1Release/ru...er.dll
windows7-x64
3Release/ru...er.dll
windows10-2004-x64
3Release/sc...Dex.js
windows7-x64
3Release/sc...Dex.js
windows10-2004-x64
3Release/sc...eld.js
windows7-x64
3Release/sc...eld.js
windows10-2004-x64
3Release/sc...Env.js
windows7-x64
3Release/sc...Env.js
windows10-2004-x64
3Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 00:01
Behavioral task
behavioral1
Sample
Release.zip
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Release.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Release/Bootstrapper.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
Release/Bootstrapper.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Release/autoexec/bin.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Release/autoexec/bin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Release/locales/libGLESv2.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Release/locales/libGLESv2.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Release/locales/locales/de.ps1
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Release/locales/locales/de.ps1
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Release/locales/resources/vk_swiftshader.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Release/locales/resources/vk_swiftshader.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Release/locales/resources/vulkan-1.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Release/locales/resources/vulkan-1.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
Release/runtimes/win-arm64/native/WebView2Loader.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Release/runtimes/win-arm64/native/WebView2Loader.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
Release/runtimes/win-x64/native/WebView2Loader.dll
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
Release/runtimes/win-x64/native/WebView2Loader.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Release/runtimes/win-x86/native/WebView2Loader.dll
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
Release/runtimes/win-x86/native/WebView2Loader.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
Release/scripts/Dex.js
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Release/scripts/Dex.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Release/scripts/Infinite Yield.js
Resource
win7-20241023-en
Behavioral task
behavioral30
Sample
Release/scripts/Infinite Yield.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Release/scripts/UNCCheckEnv.js
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
Release/scripts/UNCCheckEnv.js
Resource
win10v2004-20241007-en
General
-
Target
Release.zip
-
Size
37.8MB
-
MD5
6244f9a11555ee2cf7448e82507ecaa5
-
SHA1
293cf286e48182cfc9ead87b72a64734ed873daa
-
SHA256
6e0d32ab1bc8782648c009393a01443fbdf1ab119597d7e915df80cb1fefa84f
-
SHA512
415059cbd9c741f863d000c0e44fbceaaec0212270be7b095a9a1b0468ecf1ac951660d735c8ff4691f953e2159d50b3c037cf2e0104097f813b943e7ebbdbff
-
SSDEEP
786432:FL9wPFA0z7sgXBYJ5ebRgtxUEk8VbfSrQMY3P4xplfFQZv5FLidh20EfIVXGR:FuqIsgeJftWgbFMY/4ddQOtGR
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://spellshagey.biz/api
Extracted
lumma
https://spellshagey.biz/api
Signatures
-
Lumma family
-
Executes dropped EXE 4 IoCs
pid Process 2780 Bootstrapper.exe 2596 Bootstrapper.exe 1428 Bootstrapper.exe 2052 Bootstrapper.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2780 Bootstrapper.exe 2780 Bootstrapper.exe 2780 Bootstrapper.exe 2780 Bootstrapper.exe 824 7zFM.exe 2596 Bootstrapper.exe 2596 Bootstrapper.exe 2596 Bootstrapper.exe 2596 Bootstrapper.exe 1428 Bootstrapper.exe 1428 Bootstrapper.exe 1428 Bootstrapper.exe 1428 Bootstrapper.exe 2052 Bootstrapper.exe 2052 Bootstrapper.exe 2052 Bootstrapper.exe 2052 Bootstrapper.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 824 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 824 7zFM.exe Token: 35 824 7zFM.exe Token: SeSecurityPrivilege 824 7zFM.exe Token: SeRestorePrivilege 2876 7zG.exe Token: 35 2876 7zG.exe Token: SeSecurityPrivilege 2876 7zG.exe Token: SeSecurityPrivilege 2876 7zG.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 824 7zFM.exe 824 7zFM.exe 2876 7zG.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 824 wrote to memory of 2780 824 7zFM.exe 31 PID 824 wrote to memory of 2780 824 7zFM.exe 31 PID 824 wrote to memory of 2780 824 7zFM.exe 31 PID 824 wrote to memory of 2780 824 7zFM.exe 31
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Users\Admin\AppData\Local\Temp\7zO8337B3D6\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\7zO8337B3D6\Bootstrapper.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2572
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap18878:94:7zEvent248951⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2876
-
C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2596
-
C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2052
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
331KB
MD53435c5c34e15c946884b4d2f90d326f9
SHA104ba456f3e9b7f7c4737c4b220d2c8c8f978d6cc
SHA256e6042c8081fccdf46c82cd7f1548cc9d135c5ef04af91f925c4e980bfcccee2e
SHA512049406cca513436b25501951df25abba69f21b0f1668ed9279b68157ef8bf480dd8038f8b54bc0078ab98787fbd39f65e7ad7ef111f16b03eee669c107611eda
-
Filesize
7B
MD5260ca9dd8a4577fc00b7bd5810298076
SHA153a5687cb26dc41f2ab4033e97e13adefd3740d6
SHA256aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
SHA51251e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
Filesize8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0
Filesize8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1
Filesize264KB
MD5a833653a021f29ee2ec1a845e0c2308f
SHA105071159d3c2516d67b765cef012a0a2d3337759
SHA2568e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7
SHA5120902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3
Filesize8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
Filesize24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0