Analysis

Max time kernel: 93s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-01-2025 01:32

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
  Resource: win7-20241010-en (windows7-x64)
  5 signatures, 150 seconds
General

Target: 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
Size: 1.2MB
MD5: 8cb303a0d38bfd91163192b53ce3b01d
SHA1: f4634ef2bcd87793c7d926712b419a64337e5c37
SHA256: 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122
SHA512: 4d3f3b2ab4651548bb23b58d23e595c14760c8e1da7729a59d1d28ae9cd4930045f1873ad54464383074afbb6c505bb0a3fd87021e5a9e89331e0972c7c3387c
SSDEEP: 24576:EDnubmjlREOivWlyVPWemgkv2MtQnHnejg6EQ6EqmgiPT:OqsbEwS/Dy1qxQ6EqY
Malware Config

Extracted family: lumma
Signatures

- Lumma family
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4636, process 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  IoC: registry key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4636, process 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe"
  PID: 4636
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
Network

DNS (remote address 8.8.8.8:53)
  Request: clockersspic.click IN A
  Response: clockersspic.click IN A 104.21.85.66; clockersspic.click IN A 172.67.203.16

HTTP POST https://clockersspic.click/api
  Process: 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
  Remote address: 104.21.85.66:443
  Request:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: clockersspic.click
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=4d2h9epedu73a45rc4rcaput7t; expires=Wed, 30 Apr 2025 19:19:25 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uvJpqnZqlzdRAVoB6PkiN02HoWxQWGIctd%2Bg9qIKfwBAwWVcfqK%2BPtG564AK5wWHItwaaxzjzjEFTcOQvMesQW7PufUl9FV%2FMy7qktpUb9jEyXV8mWQ5YUIU5ZmuTDaDMRNmBW0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fcfb762fa346376-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=64865&min_rtt=59818&rtt_var=22340&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=609&delivery_rate=62778&cwnd=253&unsent_bytes=0&cid=6af2835932fad37a&ts=320&x=0"

DNS (remote address 8.8.8.8:53)
  grannyejh.lat IN A: no answer records
  discokeyus.lat IN A: no answer records
  necklacebudi.lat IN A: no answer records
  energyaffai.lat IN A: no answer records
  209.205.72.20.in-addr.arpa IN PTR: no answer records
  66.85.21.104.in-addr.arpa IN PTR: no answer records
  179.101.123.92.in-addr.arpa IN PTR: a92-123-101-179.deploy.static.akamaitechnologies.com
  aspecteirs.lat IN A: no answer records
  sustainskelet.lat IN A: no answer records
  crosshuaht.lat IN A: no answer records
  rapeflowwj.lat IN A: no answer records
  steamcommunity.com IN A: 23.59.52.127

HTTP GET https://steamcommunity.com/profiles/76561199724331900
  Process: 3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe
  Remote address: 23.59.52.127:443
  Request:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sun, 05 Jan 2025 01:32:47 GMT
    Content-Length: 25984
    Connection: keep-alive
    Set-Cookie: sessionid=26f0e0624b2bf9a8f347b3bb; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None

DNS (remote address 8.8.8.8:53)
  2.159.190.20.in-addr.arpa IN PTR: no answer records
  127.52.59.23.in-addr.arpa IN PTR: a23-59-52-127.deploy.static.akamaitechnologies.com
  95.221.229.192.in-addr.arpa IN PTR: no answer records
  241.150.49.20.in-addr.arpa IN PTR: no answer records
  200.163.202.172.in-addr.arpa IN PTR: no answer records
  198.187.3.20.in-addr.arpa IN PTR: no answer records
  137.101.123.92.in-addr.arpa IN PTR: a92-123-101-137.deploy.static.akamaitechnologies.com
  43.229.111.52.in-addr.arpa IN PTR: no answer records
  218.101.123.92.in-addr.arpa IN PTR: a92-123-101-218.deploy.static.akamaitechnologies.com
Connection summary (columns: remote address, request, protocol, process; then bytes sent / bytes received / packets sent / packets received)

104.21.85.66:443  https://clockersspic.click/api  tls, http  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  1.0kB / 4.9kB / 9 / 9
  HTTP request: POST https://clockersspic.click/api
  HTTP response: 200

23.59.52.127:443  https://steamcommunity.com/profiles/76561199724331900  tls, http  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  1.4kB / 33.2kB / 18 / 29
  HTTP request: GET https://steamcommunity.com/profiles/76561199724331900
  HTTP response: 200

8.8.8.8:53  clockersspic.click  dns  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  64 B / 96 B / 1 / 1
  DNS request: clockersspic.click
  DNS response: 104.21.85.66, 172.67.203.16

dns  grannyejh.lat  59 B / 124 B / 1 / 1
dns  discokeyus.lat  60 B / 125 B / 1 / 1

8.8.8.8:53  necklacebudi.lat  dns  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  62 B / 127 B / 1 / 1

dns  energyaffai.lat  61 B / 126 B / 1 / 1
dns  209.205.72.20.in-addr.arpa  72 B / 158 B / 1 / 1
dns  66.85.21.104.in-addr.arpa  71 B / 133 B / 1 / 1
dns  179.101.123.92.in-addr.arpa  73 B / 139 B / 1 / 1
dns  aspecteirs.lat  60 B / 125 B / 1 / 1

8.8.8.8:53  sustainskelet.lat  dns  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  63 B / 128 B / 1 / 1

dns  crosshuaht.lat  60 B / 125 B / 1 / 1
dns  rapeflowwj.lat  60 B / 125 B / 1 / 1

8.8.8.8:53  steamcommunity.com  dns  3e558e5afa7c9a71c3dff2dc161a96df7e8aa9711d480501622d13a5e4015122.exe  64 B / 80 B / 1 / 1
  DNS request: steamcommunity.com
  DNS response: 23.59.52.127

dns  2.159.190.20.in-addr.arpa  71 B / 157 B / 1 / 1
dns  127.52.59.23.in-addr.arpa  71 B / 135 B / 1 / 1
dns  95.221.229.192.in-addr.arpa  73 B / 144 B / 1 / 1
dns  241.150.49.20.in-addr.arpa  72 B / 158 B / 1 / 1
dns  200.163.202.172.in-addr.arpa  74 B / 160 B / 1 / 1
dns  198.187.3.20.in-addr.arpa  71 B / 157 B / 1 / 1
dns  137.101.123.92.in-addr.arpa  73 B / 139 B / 1 / 1
dns  218.101.123.92.in-addr.arpa  73 B / 139 B / 1 / 1
dns  43.229.111.52.in-addr.arpa  72 B / 158 B / 1 / 1