Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 07:14
Static task: static1
Behavioral task: behavioral1
Sample: 4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe
Resource: win7-20240903-en
General
Target: 4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe
Size: 1.3MB
MD5: 8ebe173ef15f3f077c14f0ac60221d30
SHA1: 366be85692a300a27a79549350c314acf0bac2db
SHA256: 4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873
SHA512: 8058484f9c472b43d29674a06cadf3c791f686ecbfac0c189fc1224aeb9c29f6e9be044e933bccc403e682758d8cab3a090e6d88d7328c8e6d0acee5f2cbb9fa
SSDEEP: 24576:aE7Cf2MeIDYktoF8/vcipzlE6mnkOGCUOFm4dxT+YDhYDYZvRuxFt49CBa5OdQw:xCO71q/finkOGCE4dZ+YDhYDYZv0x74M
Malware Config
Extracted
lumma
Signatures
Lumma family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: 4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe)
Executes dropped EXE (1 IoC)
  PID 1772: Compare.com
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2152: tasklist.exe
  PID 1188: tasklist.exe
Drops file in Windows directory (10 IoCs)
  Files opened for modification by 4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe:
  C:\Windows\IndividualDeaf
  C:\Windows\VendorsIce
  C:\Windows\NecklaceCharming
  C:\Windows\PublicCameron
  C:\Windows\OrgasmRetain
  C:\Windows\DosageManagers
  C:\Windows\ClarityBoolean
  C:\Windows\DirectoriesEssex
  C:\Windows\FirstCorpus
  C:\Windows\AssMiles
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of the following processes:
  4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe, cmd.exe, findstr.exe, findstr.exe, Compare.com, choice.exe, findstr.exe, tasklist.exe, tasklist.exe, cmd.exe, cmd.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1772: Compare.com (6 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2152 tasklist.exe
  Token: SeDebugPrivilege, PID 1188 tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1772: Compare.com (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
  PID 1772: Compare.com (3 entries)
Suspicious use of WriteProcessMemory (30 IoCs)
  Each parent/child pair below appears three times in the report (30 entries in total).
  PID 2716 (4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe) wrote to memory of PID 1192, procid_target 85
  PID 1192 (cmd.exe) wrote to memory of PID 2152, procid_target 87
  PID 1192 (cmd.exe) wrote to memory of PID 5012, procid_target 88
  PID 1192 (cmd.exe) wrote to memory of PID 1188, procid_target 90
  PID 1192 (cmd.exe) wrote to memory of PID 1788, procid_target 91
  PID 1192 (cmd.exe) wrote to memory of PID 2608, procid_target 92
  PID 1192 (cmd.exe) wrote to memory of PID 5088, procid_target 93
  PID 1192 (cmd.exe) wrote to memory of PID 4820, procid_target 94
  PID 1192 (cmd.exe) wrote to memory of PID 1772, procid_target 95
  PID 1192 (cmd.exe) wrote to memory of PID 116, procid_target 96
Processes
C:\Users\Admin\AppData\Local\Temp\4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe (PID 2716)
  command line: "C:\Users\Admin\AppData\Local\Temp\4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 1192)
    command line: "C:\Windows\System32\cmd.exe" /c copy Regards Regards.cmd && Regards.cmd
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 2152)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 5012)
      command line: findstr /I "opssvc wrsa"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe (PID 1188)
      command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 1788)
      command line: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 2608)
      command line: cmd /c md 63933
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe (PID 5088)
      command line: findstr /V "FLOYD" Benefits
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 4820)
      command line: cmd /c copy /b ..\Ada + ..\Pac + ..\Hidden + ..\Murder + ..\Billy + ..\Tree U
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\63933\Compare.com (PID 1772)
      command line: Compare.com U
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\choice.exe (PID 116)
      command line: choice /d y /t 5
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads