Analysis
-
max time kernel: 50s
max time network: 24s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06-01-2025 21:46
Static task: static1
General
-
Target: lnstalIer_Offiс[email protected] (note the lookalike spelling of "Installer": a lowercase l where the I belongs and a capital I where the second l belongs)
Size: 156.9MB
MD5: bff5c701c0dc7fa81d0efadec2536fe6
SHA1: ab72fea17671d08cfba210139816fc4f83a21b46
SHA256: 0280259ae16e17c64e9e55c6dc03e13cd09393e410da233b3e895980f60d4098
SHA512: 7f1a0bc633c56eb557675f4e39bef0781b26fba753968092615defac3c1721ca778d7e41f2ffff28971aa62c2d149fbd8025252f27ba3c2458afd75b3ddab9f7
SSDEEP: 3145728:ya3cBxra5Pc5HUTg1HTEFSNuFIEZSVu8TnehNDDSnTHLknOuK4CWKApR2I:yaYrg40U1sSNcIE8u8LeTvSnbwaw/yI
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
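The extracted configuration above is the most directly actionable part of the report. The following is an added example (not part of the sandbox report and not the sandbox's own tooling) that turns the eight C2 URLs into a host blocklist and runs it over proxy log lines. The log lines and their "timestamp src_ip METHOD url" layout are constructed for illustration; only the C2 URLs come from the report.

```python
"""Added example: build a host blocklist from the extracted Lumma C2 URLs and
match it against constructed proxy log lines. Only LUMMA_C2 is taken from the
report; the log format and log lines below are hypothetical."""
from urllib.parse import urlsplit

# C2 endpoints exactly as extracted from the sample's configuration (from the report).
LUMMA_C2 = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
]


def c2_hosts(urls):
    """Reduce the C2 URLs to a set of lowercase hostnames without trailing dots."""
    hosts = set()
    for u in urls:
        host = urlsplit(u).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def host_matches(host, blocklist):
    """True if host equals a blocklisted name or is a subdomain of one.
    The suffix check is done label by label, so a name that merely ends
    with the same characters (e.g. notrabidcowse.shop) does not match."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def scan_log(lines, blocklist):
    """Return (line_number, host) for every log line whose URL host hits the blocklist.
    Each line is assumed to be 'timestamp src_ip METHOD url' (a hypothetical format)."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        if host and host_matches(host, blocklist):
            hits.append((n, host))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    "2025-01-06T21:47:01Z 10.0.0.5 POST https://cloudewahsj.shop/api",
    "2025-01-06T21:47:02Z 10.0.0.5 GET https://www.microsoft.com/",
    "2025-01-06T21:47:03Z 10.0.0.7 POST https://cdn.nearycrepso.shop/api",
    "2025-01-06T21:47:04Z 10.0.0.9 GET https://notrabidcowse.shop/api",
]

if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG, c2_hosts(LUMMA_C2)):
        print(f"line {n}: request to C2 host {host}")
```

Matching on the parent domain (so that a subdomain of a C2 host is still a hit) is a deliberate choice; the label-wise comparison keeps that from turning into a plain string-suffix match that would also catch unrelated names.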
Signatures
-
Lumma family
-
Executes dropped EXE (1 IoC)
  pid   Process
  3032  Set-up.exe
-
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process     procid_target
  PID 3032 set thread context of 2948  3032  Set-up.exe  35
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DllHost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Set-up.exe
-
Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid  Process
  968  taskmgr.exe (21 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2600  7zFM.exe
  968   taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   2600  7zFM.exe
  Token: 35                   2600  7zFM.exe
  Token: SeSecurityPrivilege  2600  7zFM.exe
  Token: SeDebugPrivilege     968   taskmgr.exe
-
Suspicious use of FindShellTrayWindow (50 IoCs)
  pid   Process
  2600  7zFM.exe (2 entries)
  968   taskmgr.exe (48 entries)
-
Suspicious use of SendNotifyMessage (47 IoCs)
  pid  Process
  968  taskmgr.exe (47 identical entries)
-
Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process     procid_target
  PID 3032 wrote to memory of 2948  3032  Set-up.exe  35 (10 identical entries)
-
Reading note: the entries attributed to 7zFM.exe (PID 2600) and taskmgr.exe (PID 968) belong to legitimate top-level processes in the process tree (the 7-Zip file manager that opened the archive and Task Manager) and are most likely analyst interaction in the VM rather than sample behaviour. The entries that matter for the sample are those of Set-up.exe (PID 3032): it spawns BitLockerToGo.exe (PID 2948), writes to that child's memory ten times and then sets its thread context, which is the behavioural shape of process hollowing.
Processes
-
C:\Program Files\7-Zip\7zFM.exe (PID 2600)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lnstalIer_Offiс[email protected]"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\DllHost.exe (PID 2956)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\Set-up.exe (PID 3032)
  Command line: "C:\Users\Admin\Desktop\Set-up.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 2948, child of 3032)
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
-
C:\Windows\system32\taskmgr.exe (PID 968)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
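The process tree and the SetThreadContext/WriteProcessMemory signatures together show one parent (Set-up.exe, PID 3032) spawning a child (BitLockerToGo.exe, PID 2948) and then rewriting it. The following is an added example (not part of the sandbox report and not the sandbox's own detection logic) that generalises that observation into a detector over cross-process API events: it groups events by (source PID, target PID) and reports pairs where the source both wrote memory into and set a thread context in the target, distinguishing the case where the source also created the target (the hollowing shape seen here) from injection into a pre-existing process. The event records and their field names are my own construction; the PIDs, image names and call counts are taken from the report.

```python
"""Added example: detect the process-hollowing shape from cross-process API events.
The event schema below is hypothetical; PIDs, images and counts mirror the report."""
from collections import defaultdict

# Constructed events modelled on the report: Set-up.exe (3032) spawned
# BitLockerToGo.exe (2948), wrote to its memory 10 times and set its thread
# context once. The taskmgr.exe (968) rows are the unrelated noise the report lists.
EVENTS = (
    [{"api": "CreateProcess", "pid": 3032, "image": "Set-up.exe", "target": 2948,
      "target_image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"}]
    + [{"api": "WriteProcessMemory", "pid": 3032, "image": "Set-up.exe", "target": 2948}] * 10
    + [{"api": "SetThreadContext", "pid": 3032, "image": "Set-up.exe", "target": 2948}]
    + [{"api": "EnumProcesses", "pid": 968, "image": "taskmgr.exe", "target": None}] * 21
)

# Both calls against another process are required before a pair is reported.
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_hollowing(events):
    """Group cross-process calls by (source pid, target pid) and return one finding
    per pair whose source performed every call in INJECTION_APIS on the target.
    The verdict is 'process hollowing' when the source also created the target,
    otherwise 'process injection'. Returns an empty list when nothing matches."""
    by_pair = defaultdict(lambda: {"apis": set(), "writes": 0, "created": False,
                                   "image": None, "target_image": None})
    for ev in events:
        if ev["target"] is None or ev["target"] == ev["pid"]:
            continue  # activity within a single process is not injection
        rec = by_pair[(ev["pid"], ev["target"])]
        rec["image"] = ev["image"]
        if ev["api"] == "CreateProcess":
            rec["created"] = True
            rec["target_image"] = ev.get("target_image")
        elif ev["api"] in INJECTION_APIS:
            rec["apis"].add(ev["api"])
            if ev["api"] == "WriteProcessMemory":
                rec["writes"] += 1

    findings = []
    for (src, dst), rec in by_pair.items():
        if INJECTION_APIS <= rec["apis"]:
            findings.append({
                "source_pid": src,
                "source_image": rec["image"],
                "target_pid": dst,
                "target_image": rec["target_image"],
                "writes": rec["writes"],
                # A parent rewriting a child it just spawned is the hollowing shape;
                # the same calls against a pre-existing process are plain injection.
                "verdict": "process hollowing" if rec["created"] else "process injection",
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"{f['verdict']}: {f['source_image']} ({f['source_pid']}) -> "
              f"{f['target_image']} ({f['target_pid']}), {f['writes']} memory writes")
```

Requiring both calls on the same (source, target) pair is what keeps the many taskmgr.exe and 7zFM.exe rows in this report from producing findings: they never touch another process's memory or thread context.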
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 4.9MB
MD5: b658a94e68445c21d254e389ed35d9ae
SHA1: b248849dd4ae7e4af2b8376206e553d750ea2072
SHA256: df337b24cedd269b5cdde4e9752aa14fa19ef264af7147c691d804ab973987c9
SHA512: ea2de66ef9367c9531b74e8db1a4dbbacefe11d4612a4f0138f10a2e48d3a95480f12b78ebb1815914573e14b688c3662131d8aea7c7a091963658b76c4a5c36