Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 06-01-2025 02:35
Static task: static1
Behavioral task: behavioral1
Sample: 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
Resource: win7-20241010-en
General
Target: 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
Size: 70.0MB
MD5: 718cd3f9c7af9f5d66be359a52d591fa
SHA1: 67e5a80879cc7e6ee2929fb54d1482d9aa5ac53d
SHA256: 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d
SHA512: d36b5e3be074a4738c7299f074deca97dad04824e15a9b949657038d0d0c50c9b54824d2865dd5ecd5423dae083406d1b30e127383a1114b7eb3c1786d157ced
SSDEEP: 24576:rD2ewUShGJHB3wws/zxDuL13EPe86Wsm04tRlJ1/K1fk2UQtNySW3Mb3g3:PShGNJwwyzKEPeLUnJ1ykxSWcb3g3
Malware Config
Extracted
lumma
Signatures
Lumma family
Executes dropped EXE (1 IoC)
- PID 2904: Auckland.com
Loads dropped DLL (1 IoC)
- PID 2712: cmd.exe
Enumerates processes with tasklist (1 TTP, 2 IoCs)
- PID 2944: tasklist.exe
- PID 2524: tasklist.exe
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\MistakeCoffee, by 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
- File opened for modification: C:\Windows\KitsAttend, by 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
- File opened for modification: C:\Windows\PullingFighters, by 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- tasklist.exe (2 entries)
- extrac32.exe (1 entry)
- cmd.exe (4 entries)
- Auckland.com (1 entry)
- choice.exe (1 entry)
- 522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe (1 entry)
- findstr.exe (3 entries)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 2904: Auckland.com (3 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2944: tasklist.exe
- Token: SeDebugPrivilege, PID 2524: tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 2904: Auckland.com (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
- PID 2904: Auckland.com (3 entries)
Suspicious use of WriteProcessMemory (48 IoCs; each row below is recorded four times in the raw log)
- PID 2172 (522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe) wrote to memory of 2712, procid_target 30
- PID 2712 (cmd.exe) wrote to memory of 2944, procid_target 32
- PID 2712 (cmd.exe) wrote to memory of 2884, procid_target 33
- PID 2712 (cmd.exe) wrote to memory of 2524, procid_target 35
- PID 2712 (cmd.exe) wrote to memory of 1928, procid_target 36
- PID 2712 (cmd.exe) wrote to memory of 2844, procid_target 37
- PID 2712 (cmd.exe) wrote to memory of 1944, procid_target 38
- PID 2712 (cmd.exe) wrote to memory of 2124, procid_target 39
- PID 2712 (cmd.exe) wrote to memory of 2376, procid_target 40
- PID 2712 (cmd.exe) wrote to memory of 2656, procid_target 41
- PID 2712 (cmd.exe) wrote to memory of 2904, procid_target 42
- PID 2712 (cmd.exe) wrote to memory of 3060, procid_target 43
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\522a7e03226188d88442e28eced425f155642961823eb06bead1ddabab431e5d.exe"
  PID: 2172
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c move Up Up.cmd & Up.cmd
    PID: 2712
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2944
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "opssvc wrsa"
      PID: 2884
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2524
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      PID: 1928
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 271185
      PID: 2844
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\extrac32.exe
      Command line: extrac32 /Y /E Meetup
      PID: 1944
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V "BURST" Lazy
      PID: 2124
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b 271185\Auckland.com + Mono + Waves + Offered + Hotel + Statement + Bookstore + Oh + Alerts + Divisions + Az 271185\Auckland.com
      PID: 2376
      - System Location Discovery: System Language Discovery
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b ..\Initiated + ..\Monitors + ..\Arrived + ..\Spoken + ..\Distribution + ..\Ranks + ..\Gotta f
      PID: 2656
      - System Location Discovery: System Language Discovery
    Level 3: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\271185\Auckland.com
      Command line: Auckland.com f
      PID: 2904
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    Level 3: C:\Windows\SysWOW64\choice.exe
      Command line: choice /d y /t 5
      PID: 3060
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads