lumma | e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
Size

1.1MB
MD5

609acb4f45e7e7692dfedaee6c2854ad
SHA1

cd297298395ceb03f27c4f38e6e99c0deb6df88c
SHA256

e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3
SHA512

67d3dc5399453a3a90c7af014542c60b93b41bbe00fcbcf4b18434e4011c400f7da1868d8865f629c7e2df7b2b9b11a3d52a004e7b139635ae1bd20becb648a4
SSDEEP

24576:+DJMEy2UJyOqKbUbnGfiBc8EFuoThlhZCq4ktw7:+Ny9qKbWnGC+FzThlhEqZtw

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2316	Accidents.com

Loads dropped DLL 1 IoCs

pid	Process
2724	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3004	tasklist.exe
2676	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PeersReproduced	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
File opened for modification	C:\Windows\RequestsRid	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
File opened for modification	C:\Windows\CoversTrackbacks	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
File opened for modification	C:\Windows\BlakeSchools	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accidents.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Accidents.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Accidents.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Accidents.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Accidents.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Accidents.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Accidents.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2316	Accidents.com
2316	Accidents.com
2316	Accidents.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	2676	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2316	Accidents.com
2316	Accidents.com
2316	Accidents.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2316	Accidents.com
2316	Accidents.com
2316	Accidents.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2724	2448	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe	30
PID 2448 wrote to memory of 2724	2448	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe	30
PID 2448 wrote to memory of 2724	2448	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe	30
PID 2448 wrote to memory of 2724	2448	e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe	30
PID 2724 wrote to memory of 3004	2724	cmd.exe	32
PID 2724 wrote to memory of 3004	2724	cmd.exe	32
PID 2724 wrote to memory of 3004	2724	cmd.exe	32
PID 2724 wrote to memory of 3004	2724	cmd.exe	32
PID 2724 wrote to memory of 2736	2724	cmd.exe	33
PID 2724 wrote to memory of 2736	2724	cmd.exe	33
PID 2724 wrote to memory of 2736	2724	cmd.exe	33
PID 2724 wrote to memory of 2736	2724	cmd.exe	33
PID 2724 wrote to memory of 2676	2724	cmd.exe	35
PID 2724 wrote to memory of 2676	2724	cmd.exe	35
PID 2724 wrote to memory of 2676	2724	cmd.exe	35
PID 2724 wrote to memory of 2676	2724	cmd.exe	35
PID 2724 wrote to memory of 2620	2724	cmd.exe	36
PID 2724 wrote to memory of 2620	2724	cmd.exe	36
PID 2724 wrote to memory of 2620	2724	cmd.exe	36
PID 2724 wrote to memory of 2620	2724	cmd.exe	36
PID 2724 wrote to memory of 2684	2724	cmd.exe	37
PID 2724 wrote to memory of 2684	2724	cmd.exe	37
PID 2724 wrote to memory of 2684	2724	cmd.exe	37
PID 2724 wrote to memory of 2684	2724	cmd.exe	37
PID 2724 wrote to memory of 2696	2724	cmd.exe	38
PID 2724 wrote to memory of 2696	2724	cmd.exe	38
PID 2724 wrote to memory of 2696	2724	cmd.exe	38
PID 2724 wrote to memory of 2696	2724	cmd.exe	38
PID 2724 wrote to memory of 3032	2724	cmd.exe	39
PID 2724 wrote to memory of 3032	2724	cmd.exe	39
PID 2724 wrote to memory of 3032	2724	cmd.exe	39
PID 2724 wrote to memory of 3032	2724	cmd.exe	39
PID 2724 wrote to memory of 2840	2724	cmd.exe	40
PID 2724 wrote to memory of 2840	2724	cmd.exe	40
PID 2724 wrote to memory of 2840	2724	cmd.exe	40
PID 2724 wrote to memory of 2840	2724	cmd.exe	40
PID 2724 wrote to memory of 2328	2724	cmd.exe	41
PID 2724 wrote to memory of 2328	2724	cmd.exe	41
PID 2724 wrote to memory of 2328	2724	cmd.exe	41
PID 2724 wrote to memory of 2328	2724	cmd.exe	41
PID 2724 wrote to memory of 2316	2724	cmd.exe	42
PID 2724 wrote to memory of 2316	2724	cmd.exe	42
PID 2724 wrote to memory of 2316	2724	cmd.exe	42
PID 2724 wrote to memory of 2316	2724	cmd.exe	42
PID 2724 wrote to memory of 2804	2724	cmd.exe	43
PID 2724 wrote to memory of 2804	2724	cmd.exe	43
PID 2724 wrote to memory of 2804	2724	cmd.exe	43
PID 2724 wrote to memory of 2804	2724	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe
"C:\Users\Admin\AppData\Local\Temp\e56496d1737c356ed7feacebe0daaf34781975fcae1fbd368cb5a7b2c2a1eae3.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Boats Boats.cmd & Boats.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 573646
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Mistakes
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Married" Close
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 573646\Accidents.com + Kb + Term + Stadium + Rh + Katie + Doubt + Prefers + Virginia + Nepal + Collectables + Efficiently 573646\Accidents.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Fp + ..\Cleveland + ..\Hey + ..\Commissioner + ..\Shipped + ..\Trucks f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\573646\Accidents.com
    Accidents.com f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2316
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\573646\Accidents.com

Filesize
2KB

MD5
b8cb6631b99d3c3075818d39bd31299e

SHA1
124e3c405713761dd04a600070813d1d86d78084

SHA256
c7b6df985a043734f7e36fb8f81525300b649c264d14be5f6cdfea76c0b47efd

SHA512
97a5c5764cafa1bc45ff0cc3180ad5092abc7393163ed52d1bece3807d7537add2ad29de04e2c3095bb9d08f79e54c6d6b2b05f6da85eef8b3997bc83ed92b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\573646\f

Filesize
494KB

MD5
7fdaf8100e377300a67c112f8a5e180f

SHA1
20ecdcceca68e6b515879c1006f7927bbfbf1d72

SHA256
62c0615fae70be0002139cc66db8fc9b48fca03935b4a04ba797010d3313b9db

SHA512
b075f8ea9f7693692f82b46a23b6d9775013e8b37ce3a35d0e55bd3cf3f9cb770f0253bc327dc7e68e6fa1eb340ed58fdde88c14a6e1cff5fc1fc8efa8957f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Boats

Filesize
21KB

MD5
e16cc9e45b0287ec95a0dfe8f0817e87

SHA1
7d11569c6b8e7d3de687fc88185e3c218fb82792

SHA256
741e3dcc5b789be04df3da5c2d9522b52a287454a6d079eb03a3af342d14432c

SHA512
06654a1d0ddc2f1e6eb3f180ceb275b67ec2ac9ae9578124e1523a36fad9973ad9678eaf93dc4e5b3b2367357e12984b6294ca06da3a60d2f75ec31a598b7b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cleveland

Filesize
83KB

MD5
648e78e3cefc7321a7bb3ab56dd6215c

SHA1
f91718baf226edd5f19af34bbac990ed4cfb5182

SHA256
463bc8676255e5458d0830ec6fed19dccd48296ed702028d3ecc807470a8fb7e

SHA512
36ab654c3c943e6416a709c0585367ca932a0ea7d5982f988e58eaae3775ee1f0fbfb7ac82acd4ec92443a169d4d3d7e7603e90a30f0526fcd44537d31a6bb14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Close

Filesize
2KB

MD5
d4167dbc80914f9f6d46183d51781900

SHA1
19953bb846aee1ed290ad0b7606948dbbd309c11

SHA256
1e92a1904a69a1f2a2875f6c63d88c9320be8038516dc256d642c3b94b0cfa21

SHA512
f1b481aa1c67b35a2ac78b139791f0449e813812c0cdf4b9360b19d8e542f900fd8b5e0aa036ef8387ff8acd5862e8c95af686e2bfaae41a8466e47762f2b112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Collectables

Filesize
149KB

MD5
528e4eb9ddd26eb5974ad2ad0889a609

SHA1
e139cefd6ad0dcdb5153378a8b523172fc3d2773

SHA256
d3616dbef31b4ef4feb98f515b5691993c9c8ede366015f54404251a69c6bd54

SHA512
9c01c4fd97b7d6232cc2677a2aa9c2be2a1f1569a08b91566eaa5f69bb00233fec5122f8b83bb038f542ddbb8290c974649c94ea86699e6c9010ea0178e8ed1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Commissioner

Filesize
71KB

MD5
b56d5438b2cd2d92937c55d19846ab7d

SHA1
bdbf992b214e27f7509514a48c3b3a3e02044957

SHA256
f7d1d40f30ae128d0cdb593f5aba8f4a43db3fff79d91d627428e324864d2430

SHA512
e26ef1702d6348be6aee6ba40617fb489f58dfcff4aa6474a4669d643f55a08b9316e6917f6eac724b57cd56cb2f71084817c290127dcdf84a98d1f6025815be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Doubt

Filesize
126KB

MD5
a89e447b4bd303865f1d1aacfd90091f

SHA1
020146542e22fbf616ab7a39441432221809f97d

SHA256
0a90fd52e5b92114f67c5d9c12414cbe8a438ef4b2f047e831d0fc5667ae0368

SHA512
33c680de6951526869c3b58b28b97596465c0c06e9a1bc1babccbd13673e9987ed7c151f1bbd2cad2f310e8c489f8c687c73077c9d107b73457ba415477bc71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Efficiently

Filesize
6KB

MD5
93c1a13c474bccb6ae2ade9784f2a737

SHA1
7b5ad30789447f55b00361fb8fdc62a9c45f0b4d

SHA256
19876065b1759982937b744c324cd1dd5b20b8dbd140a85eade08bcf3ade9915

SHA512
02f91645ae40fa70a4bdc8af269fed369483e6b4a737990b0e5b1f93cef36265574a14855792c4c91df7a1973ebd84cc8bc3abbe389ce5c7095af16fc785c798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fp

Filesize
97KB

MD5
cbda6368ca1e35c82635a2b323947b28

SHA1
4bc9c8138a93e7b8d744bcbe10c513cb4efc6c9d

SHA256
0552a05ac9243ac61d2f07f923685d71123e640cb220cbd92256f95c0dbd9f32

SHA512
a51eb20a576961b2ce960d8b55454f98fbd44e2184476552ce80615800751fe5632d79cad7e14445a5ba0d9c7d031e6ea0b7a8ffc6c01290518659351ae95f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hey

Filesize
86KB

MD5
826275e10df62a29c02af2c5b7ae7131

SHA1
d8ffdff19452ac9a2f05d978983f2ef8dd29074f

SHA256
88a68c2b1405918b70a4761361de09ef176cc76d50b27b11744ac26d2b0c8017

SHA512
01fc1758d756cca9548c5142b775d9c5c2884419af9c38c26258b1460b7a290e5b614424d943479b4d15d8b3c867f07049376e00a9f5b660ab7873db5c5b8d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Katie

Filesize
130KB

MD5
4efee3976793476fd1824d2b685d95f1

SHA1
7431761d6d50607f27998e27ba9b23c63c1a6042

SHA256
060370f9e98bf278df8aa1960098810b4851aa671949a0f62bb809e7cf0e38fd

SHA512
d1a6400900ae9eca846d4c0f8c2ff0da42efda18edbc2b6de670a24820e650491d5dc82e678423cdd507bc9934f7e740145deb893081d97a3216247297df8519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kb

Filesize
58KB

MD5
7c3f3e06ca625e560bd276043d7fa606

SHA1
0e9fecfa1e84877da5d75262aa7e17fb6667550f

SHA256
428c27fa151e29e288ec1d74685dad80b795ff369d50eef5c5bd59a193c9626a

SHA512
c8291ecdaa87b65910cc0643f00aedc9254020b22bb7bacb285cbeabafb9dfa4ebfd50a0d38a64460055d9a215a587f15756144107a9db92fdbfdc2a9caa8ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mistakes

Filesize
477KB

MD5
d91ce740e5f8f3be6881a2ce77f51bde

SHA1
44bf136df7b994cd2f749a64bf8f5690c6426d82

SHA256
6535abb80d136e32b3a9c8ae4129e02e90b404f03786df9a1c2e8cd21ee6ab6e

SHA512
17bd7a4794bbf266907d052c37d41dcc7abbc3ea904ac0af3a297cd0e1412439dbc755289656042c33ea3708426ce300d60bdbb90629442e08a00e514c6395c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nepal

Filesize
75KB

MD5
f4cd165863a2fda57348c277bf9028b8

SHA1
4d3a96c88ca1e3afa82c76268734d0c1a7a11150

SHA256
44793aa76472bd4acb48cbdb9ac029d39156f37e491918e693b071d802eb3d47

SHA512
f65cfd56926c91f8c30cc02da83c77257e6e0c6dd06d2bb2e6c0277fc301570bd0c55f7769f92831a66ecf5f0a014e472a9d1faf8ff574f0dbf22c726e82b265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Prefers

Filesize
55KB

MD5
c2a386429946c87f7b05a774c7e846d1

SHA1
34194fe9fc68933d1dbffdb665a7099323772319

SHA256
96ebeef10f7b1719c4cf0f65ae2dd590dedcf947004c10489675817057614fa3

SHA512
64c2a6318bf2d6075a49e219408f12942a86ba2101a83439719982b1193f52d01307c99d238120e3ecfe0819339def7706fe1575f50280ce91dc4e17e0eacc64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rh

Filesize
116KB

MD5
95fc6a6e2095558409b8e89e7e09ba7d

SHA1
8f12d738dd917e28f4276eabf73300604761ee1e

SHA256
fd0191099aa495c1804461bbb29c7deb293d6b410769428427a562df7e613a47

SHA512
e39f720f7a10a917fe1171c30f1c46948a24dfe77439d0d2ed956b47ec49d5f5d820f42a0805ff2f51c55521ca30605e9bd5153267e94b7080de8ee6457eda85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Shipped

Filesize
85KB

MD5
d41a9302a777c16fd62cf6783fe56e47

SHA1
f5da8dfe49924c38df9686be6ff2c05e75391270

SHA256
d70c48ef46c6c40c5c7cce3937e5f1a70c8fc64fd9aa41e08da3332fb61be6ee

SHA512
c191d874c38fb7379658572fe8dae646d79db73849e56f03835212b438f2a0e72ee761daafa7c37438efb015378ded60dcd06718bc804adccd2223f175a44178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Stadium

Filesize
59KB

MD5
e2a01ed2358455d40c9e7ac34e1e87df

SHA1
242a2c8739f9db3bad861542f7c7d82979f098ef

SHA256
6c455da51250ad8ee230938f07c304b64db9f295729bc6da9491a2511efa06fb

SHA512
4e4c9654f48b9c8783088edc8fc4611118be84361829ab017e96a0f2eb14ebdd35759e82d205a18dbb50ed756397798388406f49e968ac34be6532156724309a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Term

Filesize
81KB

MD5
2d4ce320a2476dd950299a6be89ed7ce

SHA1
bd070bdc24a7b6b037b03148a1be7584ec80670c

SHA256
52bc43dd3b9c0aa196cf3e19c5f7f1612b94879f526c156b9e8050462a4f150d

SHA512
37506f56782d67fedbe71174baf92d1f5933fe9d55e9eb6dff324139443c116c15d097e239031a40e5343e14bd720ffae042c9712193fdc6c38012e37f2772c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Trucks

Filesize
72KB

MD5
aae8c0558d9c8fb22798acd2b09d752f

SHA1
3ea9259c227a87aeb12aec508cfd50ce46a692ae

SHA256
fb0c6ea82a1d315c0ec66825e020b481d4035867277d9c79c1565fda23186231

SHA512
5541b83b6ab33b89104f3cff19ae31a5a850a18e85754419c4903e9d240642f90c133980e09e1c385fbe6f3684cd4c88955813a5fd767ac4fcb208801a7581f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virginia

Filesize
67KB

MD5
bca97a41e01b9a2733dc9730a6aeda76

SHA1
74e158ff5a8322a98628c7b6ab306ec99574a162

SHA256
7cf2b204eed76bc835e744755b3697450f23db6dbbcad40fe67dda248e6d870b

SHA512
06d7ea32b6a9dfc17150dad874dec05f66b843193db3f77c286396afbfa2313f9914e15ee229aee6c6d2297f3d152e753ff0ac73048ee028892f641e0864ab55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB482.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\573646\Accidents.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2316-73-0x0000000005820000-0x0000000005877000-memory.dmp

Filesize
348KB

Download
memory/2316-75-0x0000000005820000-0x0000000005877000-memory.dmp

Filesize
348KB

Download
memory/2316-74-0x0000000005820000-0x0000000005877000-memory.dmp

Filesize
348KB

Download
memory/2316-76-0x0000000005820000-0x0000000005877000-memory.dmp

Filesize
348KB

Download
memory/2316-77-0x0000000005820000-0x0000000005877000-memory.dmp

Filesize
348KB

Download