Analysis
Max time kernel: 54s
Max time network: 57s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-12-2024 20:47
General
Target: Release.zip
Size: 23.7MB
MD5: b713146a689751165d0698f46b183354
SHA1: 1ab318cb8d7f10e912b240e1e6a67414695f5485
SHA256: f41fb55c41a0af6a511bbfe8aecabbb7ad67abcb7a7c4ffae7b517d6750787a7
SHA512: 342db62453e1f0f044b97b26c0f47cd722b6b34476585285097438b47b352c8d6127a3e5941df63bc8d431fab0d0b56d4c2e4a1ff448686bc99eb4e888d85b3e
SSDEEP: 393216:U6cGHhxQK/ZX8Fk6Z/+0weQtffYlIAy6mv9Yt6LYYK85ySqYtPhvOa9xnZ5zMkwr:xcmh4kW+0weZIPS6LRKdSqYtQ0Z5zo
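A practitioner's first check against a report like this is whether the file in hand is the same sample, and whether any of the listed digests appear elsewhere on a host or file share. The following is an added example written for this page, not part of the sandbox report: it uses the Release.zip digests from the General section as an IoC set, hashes every file under a directory once (all four algorithms per chunk, so a 23.7 MB archive is read a single time) and reports matches. The temporary directory, the decoy file and the "hello" marker file in `demo()` are constructed only to exercise the matching logic; SSDEEP is omitted because it needs a third-party library.

```python
"""Sweep a directory for files whose digests match the report's IoCs.

Added example for this page, not part of the sandbox report. The IoC set is
the report's MD5/SHA-1/SHA-256/SHA-512 for Release.zip; the files written in
demo() are constructed test data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Digests copied from the report's General section (Release.zip).
REPORT_IOCS = {
    "md5": "b713146a689751165d0698f46b183354",
    "sha1": "1ab318cb8d7f10e912b240e1e6a67414695f5485",
    "sha256": "f41fb55c41a0af6a511bbfe8aecabbb7ad67abcb7a7c4ffae7b517d6750787a7",
    "sha512": "342db62453e1f0f044b97b26c0f47cd722b6b34476585285097438b47b352c8d"
              "6127a3e5941df63bc8d431fab0d0b56d4c2e4a1ff448686bc99eb4e888d85b3e",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def _new_hashers():
    return {algo: hashlib.new(algo) for algo in ALGOS}


def _finish(hashers):
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_bytes(data):
    """Return {algo: hexdigest} for an in-memory blob (used for the constructed marker)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return _finish(hashers)


def digest_file(path, chunk_size=1 << 20):
    """Return {algo: hexdigest} for a file, reading it once in chunks.

    All four hashers are updated per chunk, so large archives are not
    reopened once per algorithm.
    """
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return _finish(hashers)


def build_index(ioc_sets):
    """Map every known (algo, lower-case digest) to the label of its IoC set."""
    index = {}
    for label, digests in ioc_sets.items():
        for algo, value in digests.items():
            index[(algo, value.lower())] = label
    return index


def sweep(root, ioc_sets):
    """Walk `root`; return [(path, algo, label)] for every digest that matches an IoC.

    A genuine match on a multi-algorithm IoC set hits once per algorithm,
    which doubles as a consistency check on the report's digests.
    """
    index = build_index(ioc_sets)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = digest_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            for algo, value in digests.items():
                label = index.get((algo, value))
                if label:
                    hits.append((str(path), algo, label))
    return hits


def demo():
    """Constructed run: a decoy that matches nothing, plus a marker file whose
    SHA-256 is registered as a second IoC set, so exactly one hit is expected."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "notes.txt").write_bytes(b"constructed decoy content\n")
        (Path(tmp) / "payload.bin").write_bytes(b"hello")  # constructed marker
        iocs = {
            "Release.zip (report)": REPORT_IOCS,
            "constructed marker": {"sha256": digest_bytes(b"hello")["sha256"]},
        }
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for hit in demo():
        print("MATCH", *hit)
```

Point `sweep()` at a download directory or an extracted share and feed it the digests from both the General and Downloads sections; a file that matches on only one of the four algorithms is worth a second look, because a real match on the same bytes must match on all of them.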
Malware Config
Extracted family: lumma
Extracted URL: https://enterwahsh.biz/api
Signatures

Lumma family

Executes dropped EXE (3 IoCs)
  PID   Process
  4856  BootstrapperClient.exe
  4928  BootstrapperClient.exe
  4120  BootstrapperClient.exe

Program crash (3 IoCs)
  PID   Target PID  Process       procid_target
  1156  4856        WerFault.exe  97
  4000  4928        WerFault.exe  109
  3932  4120        WerFault.exe  123
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BootstrapperClient.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BootstrapperClient.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BootstrapperClient.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID  Process
  560  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description                 PID  Process
  Token: SeRestorePrivilege   560  7zFM.exe
  Token: 35                   560  7zFM.exe
  Token: SeSecurityPrivilege  560  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID  Process
  560  7zFM.exe
  560  7zFM.exe

Note: the three signatures above are raised on 7zFM.exe (PID 560), the 7-Zip file manager used in this run to open Release.zip (see Processes). They reflect the analysis environment, not the sample's own behaviour.
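The language-key read above is the only ATT&CK-mapped behaviour the sample showed before crashing, and on its own it is a weak signal: plenty of legitimate software reads NLS\Language. What makes it worth an alert here is the combination with the process image, a freshly extracted executable running from the user's Desktop. The following is an added example written for this page, not part of the report or of any vendor tooling: detection logic run over constructed registry-access events in a simplified Sysmon/EDR-like shape (PID, image path, key opened). The three BootstrapperClient.exe rows mirror the report's IoCs; the 7zFM.exe row and the extra keys are constructed to show what is not flagged.

```python
"""Flag NLS\Language reads by executables running from user-writable paths.

Added example for this page, not part of the sandbox report. RegEvent is a
constructed stand-in for a Sysmon/EDR registry-access record; SAMPLE_EVENTS
mixes the report's three IoCs with constructed benign rows.
"""
import re
from dataclasses import dataclass

# The key the report shows being opened, in ControlSet001 form. Registry paths
# are case-insensitive and the same key is reachable via CurrentControlSet, so
# match on the structure rather than the exact string from the report.
NLS_LANGUAGE_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\NLS\\Language$",
    re.IGNORECASE,
)

# Locations an unprivileged user can write to. An image running from one of
# these is a dropped or freshly unpacked binary, not an installed product.
# (Assumed allowlist boundary for this example; tune per estate.)
USER_WRITABLE_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str  # full path of the process image
    key: str    # key opened, kernel (\REGISTRY\MACHINE\...) form as in the report


def is_language_probe(ev):
    return NLS_LANGUAGE_RE.match(ev.key) is not None


def from_user_writable(ev):
    return USER_WRITABLE_RE.match(ev.image) is not None


def detect(events):
    """Return one (pid, image) alert per distinct process that probes the
    language key from a user-writable path. Repeated reads by the same PID
    collapse into a single alert."""
    seen = set()
    alerts = []
    for ev in events:
        if not (is_language_probe(ev) and from_user_writable(ev)):
            continue
        dedup_key = (ev.pid, ev.image.lower())
        if dedup_key in seen:
            continue
        seen.add(dedup_key)
        alerts.append((ev.pid, ev.image))
    return alerts


KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
BOOTSTRAPPER = r"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"

SAMPLE_EVENTS = [
    # The report's three IoCs (one per BootstrapperClient.exe instance).
    RegEvent(4856, BOOTSTRAPPER, KEY),
    RegEvent(4928, BOOTSTRAPPER, KEY),
    RegEvent(4120, BOOTSTRAPPER, KEY),
    # Constructed: installed software reading the same key is not flagged.
    RegEvent(560, r"C:\Program Files\7-Zip\7zFM.exe", KEY),
    # Constructed: same dropped EXE, unrelated key, not flagged.
    RegEvent(4856, BOOTSTRAPPER,
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
    # Constructed: same PID via the CurrentControlSet alias, deduplicated.
    RegEvent(4856, BOOTSTRAPPER,
             r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\NLS\Language"),
]


if __name__ == "__main__":
    for pid, image in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} probed NLS\\Language")
```

Treat the output as a triage lead, not a verdict: the rule fires on the three dropped instances and stays quiet for the installed 7-Zip binary, but any unpacked tool a user runs from Downloads that localises itself will trip it too, so pair it with the "Executes dropped EXE" context rather than alerting on the key read alone.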
Processes

C:\Program Files\7-Zip\7zFM.exe  (PID 560)
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe  (PID 1044)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe  (PID 4856)
  "C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe  (PID 1156, child of 4856)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1268
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3992)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe  (PID 4928)
  "C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe  (PID 4000, child of 4928)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1268
      - Program crash

C:\Windows\system32\notepad.exe  (PID 4580)
  "C:\Windows\system32\notepad.exe"

C:\Windows\SysWOW64\WerFault.exe  (PID 4888)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe  (PID 4120)
  "C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe  (PID 3932, child of 4120)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1340
      - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 440)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120

Note: each of the three BootstrapperClient.exe instances is a 32-bit process (its WerFault.exe comes from SysWOW64) and ends in a WerFault report against its own PID (the `-u -p <pid>` children, which are the three "Program crash" IoCs); the top-level `-pss ... -ip <pid>` WerFault instances reference the same target PIDs. The sample did nothing beyond the language-key read before crashing in this environment.
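The report's "Program crash" table is derived from the process tree by tying each WerFault.exe invocation back to the PID it was launched for. Doing the same correlation over your own process-creation telemetry tells you quickly whether a sample ran to completion or, as here, fell over three times out of three. The following is an added example written for this page, not part of the report: it parses the two WerFault command-line shapes seen in the tree above and rebuilds the crash table. The Proc rows are constructed from the PIDs and command lines shown above; in practice they would come from Sysmon event 1 or an EDR's process-creation records.

```python
"""Rebuild the "Program crash" table from raw process-creation events.

Added example for this page, not part of the sandbox report. SAMPLE_PROCS is
constructed from the PIDs and command lines shown in the process tree above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str


# Two WerFault.exe shapes appear in the tree:
#   -u -p <pid> -s <n>               user-mode fault report for <pid>; the report
#                                    counts these as the "Program crash" IoCs
#   -pss -s <n> -p <pid> -ip <pid>   companion instance referencing the same target
CRASH_RE = re.compile(r"\bWerFault\.exe\s+-u\s+-p\s+(\d+)\b", re.IGNORECASE)
COMPANION_RE = re.compile(r"\bWerFault\.exe\s+-pss\b.*?\s-ip\s+(\d+)\b", re.IGNORECASE)


def crash_table(procs):
    """Return [(werfault_pid, target_pid, target_image, companion_pids)],
    one row per `-u -p` WerFault instance, in the order the crashes appear."""
    by_pid = {p.pid: p for p in procs}
    crashes = {}     # target_pid -> werfault pid
    companions = {}  # target_pid -> [pids of -pss instances]
    for p in procs:
        if not p.image.lower().endswith("werfault.exe"):
            continue
        m = CRASH_RE.search(p.cmdline)
        if m:
            crashes[int(m.group(1))] = p.pid
            continue
        m = COMPANION_RE.search(p.cmdline)
        if m:
            companions.setdefault(int(m.group(1)), []).append(p.pid)
    rows = []
    for target, wer_pid in crashes.items():
        target_proc = by_pid.get(target)
        image = target_proc.image.rsplit("\\", 1)[-1] if target_proc else "<unknown pid>"
        rows.append((wer_pid, target, image, tuple(companions.get(target, ()))))
    return rows


def crashed_fraction(procs, image_name):
    """Return (crashed, total) for every process whose image file name matches.
    (3, 3) means no instance survived long enough to do anything further."""
    targets = {row[1] for row in crash_table(procs)}
    instances = [p for p in procs
                 if p.image.rsplit("\\", 1)[-1].lower() == image_name.lower()]
    return sum(p.pid in targets for p in instances), len(instances)


WER = r"C:\Windows\SysWOW64\WerFault.exe"
BOOT = r"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"

# Constructed from the process tree above (same PIDs and command lines).
SAMPLE_PROCS = [
    Proc(560, r"C:\Program Files\7-Zip\7zFM.exe",
         r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"'),
    Proc(1044, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
         r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    Proc(4856, BOOT, f'"{BOOT}"'),
    Proc(1156, WER, f"{WER} -u -p 4856 -s 1268"),
    Proc(3992, WER, f"{WER} -pss -s 444 -p 4856 -ip 4856"),
    Proc(4928, BOOT, f'"{BOOT}"'),
    Proc(4000, WER, f"{WER} -u -p 4928 -s 1268"),
    Proc(4580, r"C:\Windows\system32\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
    Proc(4888, WER, f"{WER} -pss -s 368 -p 4928 -ip 4928"),
    Proc(4120, BOOT, f'"{BOOT}"'),
    Proc(3932, WER, f"{WER} -u -p 4120 -s 1340"),
    Proc(440, WER, f"{WER} -pss -s 408 -p 4120 -ip 4120"),
]


if __name__ == "__main__":
    print("werfault  target  process                 companions")
    for wer_pid, target, image, comp in crash_table(SAMPLE_PROCS):
        print(f"{wer_pid:<9}{target:<8}{image:<24}{comp}")
    crashed, total = crashed_fraction(SAMPLE_PROCS, "BootstrapperClient.exe")
    print(f"{crashed}/{total} BootstrapperClient.exe instances crashed")
```

The rebuilt table matches the report's three rows (1156/4856, 4000/4928, 3932/4120). A (3, 3) result is the signal to be careful with the rest of the report: behaviour that depends on the sample surviving (network traffic, dropped payloads) will be missing or sparse, and the extracted configuration URL is the more reliable indicator from this run.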
Network

MITRE ATT&CK Enterprise v15
Discovery: System Location Discovery: System Language Discovery (T1614.001)
Downloads

Note: the paths below under 7zE0326E197 are 7-Zip's temporary extraction directory for the archive opened by 7zFM.exe (PID 560), i.e. files shipped inside Release.zip (a WebView2 browser profile cache under workspace\Xeno.exe.WebView2), not files written by the sample.

Path: (not shown in the report)
  Filesize: 7B
  MD5: 260ca9dd8a4577fc00b7bd5810298076
  SHA1: 53a5687cb26dc41f2ab4033e97e13adefd3740d6
  SHA256: aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
  SHA512: 51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
  Filesize: 8KB
  MD5: 0962291d6d367570bee5454721c17e11
  SHA1: 59d10a893ef321a706a9255176761366115bedcb
  SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
  SHA512: f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0
  Filesize: 8KB
  MD5: cf89d16bb9107c631daabf0c0ee58efb
  SHA1: 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
  SHA256: d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
  SHA512: 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: a833653a021f29ee2ec1a845e0c2308f
  SHA1: 05071159d3c2516d67b765cef012a0a2d3337759
  SHA256: 8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7
  SHA512: 0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3
  Filesize: 8KB
  MD5: 41876349cb12d6db992f1309f22df3f0
  SHA1: 5cf26b3420fc0302cd0a71e8d029739b8765be27
  SHA256: e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
  SHA512: e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
  Filesize: 24B
  MD5: 54cb446f628b2ea4a5bce5769910512e
  SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
  SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
  SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Path: (not shown in the report)
  Filesize: 309KB
  MD5: 0d9e5d646d10bdf00e044b35e2915a78
  SHA1: 6ca9c97bc5a97cf4165a19250691ec75391168b5
  SHA256: ccc8068a6c0e80093c5cf63397dceace198035ddd09b4576c201b895cd578866
  SHA512: 902a08d270684efb55cf3677a3ab634cc879f6e14f6426bb99902f9e8195cb95a89ba75951b44223b3b1f21c693a05ae504d874812e6a80b8c52804c31aac55d