Analysis
max time kernel: 93s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2024, 09:12
Static task: static1
General
Target: #Pa$$w0rD__2343-0peɴ_Set-Uᴘ@.7z
Size: 12.6MB
MD5: 033abb46b54a58bf510cc09bb562b5a3
SHA1: a632e329fd3b16afeec64441dc9194bc329dfa85
SHA256: 6421ac5db43628a20f68f02f0a379c8e90f9a7250bb0f5f5f293a58db1a5a43f
SHA512: 389f03ad82ffde5102f4bbb42026fdddccc92f2202562f474f05550b36173531d697bd7b9168ac74880325004425e1e74902a39c56b14f0adcfddc75fccee22a
SSDEEP: 196608:pTKeKl0mTJv6AWwwV9uU5Ejp1DQTWUhnDdaeXQP5jkg2kw2anUCxLcANPCF:MzVen9ujDMlDKBOkw2yUCxJNE
Malware Config
Extracted (family: lumma), C2 URLs:
- https://cloudewahsj.shop/api
- https://rabidcowse.shop/api
- https://noisycuttej.shop/api
- https://tirepublicerj.shop/api
- https://framekgirus.shop/api
- https://wholersorie.shop/api
- https://abruptyopsn.shop/api
- https://nearycrepso.shop/api
Extracted (family: lumma), C2 URLs:
- https://abruptyopsn.shop/api
- https://wholersorie.shop/api
- https://framekgirus.shop/api
- https://tirepublicerj.shop/api
- https://noisycuttej.shop/api
- https://rabidcowse.shop/api
- https://cloudewahsj.shop/api
Signatures
- Lumma family
- Executes dropped EXE (1 IoC)
  pid: 2084  Process: Setup.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Setup.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2084  Process: Setup.exe
  pid: 2084  Process: Setup.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1108  Process: 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeRestorePrivilege  pid: 1108  Process: 7zFM.exe
  description: Token: 35  pid: 1108  Process: 7zFM.exe
  description: Token: SeSecurityPrivilege  pid: 1108  Process: 7zFM.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid: 1108  Process: 7zFM.exe
  pid: 1108  Process: 7zFM.exe
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Pa$$w0rD__2343-0peɴ_Set-Uᴘ@.7z"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1108
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2064
- C:\Users\Admin\Desktop\New folder\Setup.exe
  Command line: "C:\Users\Admin\Desktop\New folder\Setup.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2084