Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-01-2025 02:16

Static task: static1
Behavioral task: behavioral1
Sample: 2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
Resource: win7-20240708-en
General

Target: 2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
Size: 70.0MB
MD5: d07b60405395929fa6cc003b858c2f37
SHA1: c1a890e84c98de3f8e330c78c534cf434b677a97
SHA256: 2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1
SHA512: d6f0ba6d9bebfeca0c3e30361d30ea84120423491236687af277d7d1bb68affaea202eafada86384282329c9cd37bc9e6f87a4ac9ef981478a4aaaff66a0097c
SSDEEP: 24576:3iDV9lNv94RgIN8KCABMAAgSfFnhk0+H3epbMwsIF2r1Sxvf:OlNv9eg9QOAIfFnhk0o3VIUr1m
Malware Config

Two Lumma configurations were extracted. The second lists seven of the same eight C2 domains in reverse order; only nearycrepso.shop is absent from it.

Extracted: lumma
  https://cloudewahsj.shop/api
  https://rabidcowse.shop/api
  https://noisycuttej.shop/api
  https://tirepublicerj.shop/api
  https://framekgirus.shop/api
  https://wholersorie.shop/api
  https://abruptyopsn.shop/api
  https://nearycrepso.shop/api

Extracted: lumma
  https://abruptyopsn.shop/api
  https://wholersorie.shop/api
  https://framekgirus.shop/api
  https://tirepublicerj.shop/api
  https://noisycuttej.shop/api
  https://rabidcowse.shop/api
  https://cloudewahsj.shop/api
Signatures

Lumma family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                   Process
  Key value queried   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation   2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe

Executes dropped EXE (1 IoC)
  pid    Process
  4036   Edgar.com

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid    Process
  2140   tasklist.exe
  3512   tasklist.exe

Drops file in Windows directory (6 IoCs)
  description                    ioc                          Process
  File opened for modification   C:\Windows\VacanciesTerry    2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  File opened for modification   C:\Windows\RevolutionAimed   2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  File opened for modification   C:\Windows\FormulaGraphics   2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  File opened for modification   C:\Windows\DuckForestry      2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  File opened for modification   C:\Windows\BelievedChrist    2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  File opened for modification   C:\Windows\CamerasDonors     2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe (4 times)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   findstr.exe (3 times)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   tasklist.exe (2 times)
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Edgar.com
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   extrac32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   choice.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid    Process
  4036   Edgar.com (6 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   2140   tasklist.exe
  Token: SeDebugPrivilege   3512   tasklist.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid    Process
  4036   Edgar.com (3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid    Process
  4036   Edgar.com (3 times)

Suspicious use of WriteProcessMemory (36 IoCs)
The sandbox reports each of the 12 parent/child pairs below three times (36 IoCs). Every target is a process the writer itself spawned, so these are the writes that accompany process creation, not injection into an unrelated process.
  description                        pid    Process                                                                 procid_target
  PID 4152 wrote to memory of 2820   4152   2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe   83
  PID 2820 wrote to memory of 2140   2820   cmd.exe                                                                 85
  PID 2820 wrote to memory of 1472   2820   cmd.exe                                                                 86
  PID 2820 wrote to memory of 3512   2820   cmd.exe                                                                 88
  PID 2820 wrote to memory of 4520   2820   cmd.exe                                                                 89
  PID 2820 wrote to memory of 3484   2820   cmd.exe                                                                 90
  PID 2820 wrote to memory of 1168   2820   cmd.exe                                                                 91
  PID 2820 wrote to memory of 3632   2820   cmd.exe                                                                 92
  PID 2820 wrote to memory of 4664   2820   cmd.exe                                                                 93
  PID 2820 wrote to memory of 2976   2820   cmd.exe                                                                 94
  PID 2820 wrote to memory of 4036   2820   cmd.exe                                                                 95
  PID 2820 wrote to memory of 1748   2820   cmd.exe                                                                 96
Processes

Process tree, indented by depth: image path, command line, the signatures that fired, PID. The first cmd.exe was requested as "C:\Windows\System32\cmd.exe" but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps System32 to SysWOW64 for it and for every child below. The children of PID 2820 are the commands of Unlock.cmd, the dropped file that this cmd.exe renames from Unlock and then runs in the same instance; each tasklist/findstr pair is one `tasklist | findstr ...` pipeline checking for security-product processes. The two copy /b steps rebuild Edgar.com and R from chunks, Edgar.com is then run with R as its argument, and `choice /d y /t 5` is a five-second delay. The output of `findstr /V "Reprint" Shower` (every line of Shower not containing "Reprint") is not shown, so where it is redirected cannot be read from this report.

C:\Users\Admin\AppData\Local\Temp\2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe
  "C:\Users\Admin\AppData\Local\Temp\2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4152

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Unlock Unlock.cmd & Unlock.cmd
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2820

    C:\Windows\SysWOW64\tasklist.exe
      tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2140

    C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      - System Location Discovery: System Language Discovery
      PID: 1472

    C:\Windows\SysWOW64\tasklist.exe
      tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 3512

    C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      - System Location Discovery: System Language Discovery
      PID: 4520

    C:\Windows\SysWOW64\cmd.exe
      cmd /c md 96053
      - System Location Discovery: System Language Discovery
      PID: 3484

    C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Gap
      - System Location Discovery: System Language Discovery
      PID: 1168

    C:\Windows\SysWOW64\findstr.exe
      findstr /V "Reprint" Shower
      - System Location Discovery: System Language Discovery
      PID: 3632

    C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 96053\Edgar.com + Lightweight + Surely + Prohibited + Pensions + Vid + Bm + Diagram + Value + Temperature + Skill + Pics 96053\Edgar.com
      - System Location Discovery: System Language Discovery
      PID: 4664

    C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Firewall + ..\Rape + ..\Introduced + ..\Infrastructure + ..\Transcript + ..\Lower + ..\Lease R
      - System Location Discovery: System Language Discovery
      PID: 2976

    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\96053\Edgar.com
      Edgar.com R
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4036

    C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      - System Location Discovery: System Language Discovery
      PID: 1748
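Detection logic for the loader chain in this process tree, added here as an example; it is not part of the sandbox report and not a vendor's rule set. It runs over constructed process-creation events whose command lines are copied from the tree above; the event schema (pid, ppid, image, cmdline), the parent PID assumed for the sample itself, and the rule names are assumptions. The findstr arguments name the Quick Heal (opssvc), Webroot (wrsa), Avast, AVG, Bitdefender, Norton (nsWscSvc), ESET (ekrn) and Sophos processes, so one rule keys on exactly those names. The other rules are generic on purpose (a batch file that renames and runs itself, extrac32 /E, copy /b concatenation, a dropped .com run from the user profile, choice used as a sleep) so they still fire on variants that use different random file names, and the per-child hits are folded onto the parent cmd.exe, which is where the separate weak signals become one strong one.

```python
"""Flag the batch-file loader chain from this report in process-creation logs.

Added example, not code from the sandbox or from the malware. The events are
constructed from the command lines in the tree above; the field names
(pid, ppid, image, cmdline) are an assumed log schema.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2254c1261c9c6aa2dd777a2ebf9cc28e634f1f6249f4c352b0451ef9f6406ff1.exe"
SYS = r"C:\Windows\SysWOW64"

# Constructed events; ppid 1000 for the sample itself is an assumption.
EVENTS = [
    {"pid": 4152, "ppid": 1000, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 2820, "ppid": 4152, "image": SYS + r"\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c move Unlock Unlock.cmd & Unlock.cmd'},
    {"pid": 2140, "ppid": 2820, "image": SYS + r"\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 1472, "ppid": 2820, "image": SYS + r"\findstr.exe", "cmdline": 'findstr /I "opssvc wrsa"'},
    {"pid": 3512, "ppid": 2820, "image": SYS + r"\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 4520, "ppid": 2820, "image": SYS + r"\findstr.exe",
     "cmdline": 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 3484, "ppid": 2820, "image": SYS + r"\cmd.exe", "cmdline": "cmd /c md 96053"},
    {"pid": 1168, "ppid": 2820, "image": SYS + r"\extrac32.exe", "cmdline": "extrac32 /Y /E Gap"},
    {"pid": 3632, "ppid": 2820, "image": SYS + r"\findstr.exe", "cmdline": 'findstr /V "Reprint" Shower'},
    {"pid": 4664, "ppid": 2820, "image": SYS + r"\cmd.exe",
     "cmdline": r"cmd /c copy /b 96053\Edgar.com + Lightweight + Surely + Prohibited + Pensions + Vid + Bm"
                r" + Diagram + Value + Temperature + Skill + Pics 96053\Edgar.com"},
    {"pid": 2976, "ppid": 2820, "image": SYS + r"\cmd.exe",
     "cmdline": r"cmd /c copy /b ..\Firewall + ..\Rape + ..\Introduced + ..\Infrastructure"
                r" + ..\Transcript + ..\Lower + ..\Lease R"},
    {"pid": 4036, "ppid": 2820,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\96053\Edgar.com",
     "cmdline": "Edgar.com R"},
    {"pid": 1748, "ppid": 2820, "image": SYS + r"\choice.exe", "cmdline": "choice /d y /t 5"},
]

# Process names the sample's own findstr calls look for: Quick Heal, Webroot,
# Avast, AVG, Bitdefender, Norton, ESET and Sophos (lower-cased for matching).
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

RULES = {
    # move X X.cmd & X.cmd : a dropped file renames itself to a batch file and
    # runs it in the same cmd.exe instance.
    "self_rename_cmd": re.compile(r"\bmove\s+(\S+)\s+\1\.(?:cmd|bat)\b.*&\s*\1\.(?:cmd|bat)\b", re.I),
    # extrac32 /E expands a CAB dropped under a harmless-looking name.
    "cab_extract": re.compile(r"\bextrac32(?:\.exe)?\b.*\s/E\b", re.I),
    # copy /b a + b + c dest : stitches file chunks into one binary.
    "binary_concat": re.compile(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", re.I),
    # choice /d y /t N : a sleep built from a stock utility.
    "choice_sleep": re.compile(r"\bchoice\b.*/t\s*\d+", re.I),
}


def indicators_for(event):
    """Return the names of the rules one process-creation event trips."""
    cmd = event["cmdline"]
    hits = {name for name, rx in RULES.items() if rx.search(cmd)}
    words = set(re.findall(r"[a-z0-9]+", cmd.lower()))
    if "findstr" in words and words & AV_PROCESS_NAMES:
        hits.add("av_process_check")
    image = event["image"].lower()
    # A .com image outside C:\Windows\ is a freshly dropped binary, not a
    # system utility (startswith, because the profile path itself contains
    # a \Windows\ component).
    if image.endswith(".com") and not image.startswith("c:\\windows\\"):
        hits.add("dropped_com_exec")
    return hits


def score_parents(events, min_hits=4):
    """Fold each child's indicators onto its parent and return the parents
    that collect at least min_hits distinct ones, as {pid: sorted names}."""
    own = {e["pid"]: indicators_for(e) for e in events}
    merged = defaultdict(set)
    for e in events:
        merged[e["pid"]] |= own[e["pid"]]
        merged[e["ppid"]] |= own[e["pid"]]
    return {pid: sorted(h) for pid, h in merged.items() if len(h) >= min_hits}


if __name__ == "__main__":
    for pid, names in score_parents(EVENTS).items():
        print("loader chain under PID %d: %s" % (pid, ", ".join(names)))
```

On these events only the cmd.exe that ran Unlock.cmd (PID 2820) crosses the threshold, with all six indicators; the sample itself inherits just the self-rename hit from its child and is not flagged on its own, which is the intended behaviour for a rule that targets the batch stage rather than the packed dropper.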
Network
MITRE ATT&CK Enterprise v15
Downloads

The sandbox lists dropped files by size and hashes only; file names are not given.

Filesize: 2KB
MD5: 08dd313f64b3f81dd8727781b9722cf5
SHA1: 26cdfdfae5be30d98f72cc69c64bc9817c2fdf42
SHA256: d6b355699e0412c87fcc5ef146c4284234a521fc4b3aeb477d6bed1512ece41e
SHA512: ee83eb61b3a2edf579b7a3894798d768974af5a011559620adba0bb7169950269ddd163140170539a8ca616e106e7328ca46cc98e56afa7d27c8d4dc76582075

Filesize: 925KB
MD5: 62d09f076e6e0240548c2f837536a46a
SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Filesize: 493KB
MD5: e59404c5a5787107cc8cb274ab149970
SHA1: 9a30f344c1f9e1fccd5383c7f530d18de39b2c0a
SHA256: b55119e36dfbf05434ff361764dae01fd4d598af37a558c30fb0f40a8edc4b28
SHA512: d5798826f178dc363903af43a14e647498ee681d77d7a827338eb9897008bf2d698dbcc66a045b80d87dc60b228cff21dbfb62b07c8be75bab626f390a961938

Filesize: 110KB
MD5: ef7b92a852bb3c322c8ac2f87f9cc32b
SHA1: 281826c69f34d16ab92eba0c1f2e55dd504eb132
SHA256: dc49a9ef92f8c8d08b1023ce717033dfddd79cd9f8c53585cd0715812662419b
SHA512: 23741f1c9bb550a9c2c5da9e161dc2da14c3890df9e8bd00baef11d89d84024891726fd6055e79b8db9d586c4619f3dc4e2a2cf6e219094079b0f1af68c788eb

Filesize: 121KB
MD5: cf95ccef30a0a6799aeb5b00461ca7b6
SHA1: 80d2b05eac6d32bf00bb02d6496b2d3718505caf
SHA256: 4b8c552e44ca7f0605051c6ddbbbe7818a6ef88c06aca1e2af1490738a1af19b
SHA512: de7879e7a73116dfdbce52c448e3b5621a40b43ec5d1a88cf6c6aed2c14077ee0566372a1338cd91d30584353b2cd9d35c55946b3bcfd973ef5de7f0e59df8c3

Filesize: 73KB
MD5: 93fa1abf956f5f09e6c76e6a0a00a1e8
SHA1: 3b2fc5eb697d7cee1d6d190c3d27f9e32c8d4ee0
SHA256: 79aafe29a567a7df1d56898a12f3f6db0b6f68a56d586548e1e49c69752f2877
SHA512: af3055002baa5239f9a0a76d2bf9867257dee668ca61c759d24d4771f506b40bc9eadb3879c121ad56b2091734caeb0e970a3f81a2ab57ab2a2fbda127e215c4

Filesize: 478KB
MD5: 8551c994295dbaf5342fc97bc8191885
SHA1: 43e94e01568015dca01be83fd53c1b6eb213ae30
SHA256: 42b80aaf9d51f5c06252086d514f75855ae08d45a7f911149bda20ea95d68f9f
SHA512: b75761565b000283f56ad3028c22a56af80b2d73245541c3c244c3d55be038d9068c9eba4dd3a2db18b9a9b8bc9aaee3c2f2a8dd4269e79b5e17248dad82ee37

Filesize: 76KB
MD5: 8484d3b7ebd3a4b441b972e506a1aee6
SHA1: c8d4db6bc9af210667c0fb5081f9423f942937bd
SHA256: 86fcc5536f55c6b32bfb0fb54aaf69a8258acb236d124707d5e79a76f919e93d
SHA512: 4591027405a7afa294736f922f581f9ffef46eafd8ec5de49b978b815c3ecd1e415467332cf23562675f5d98edfc0992a7c6621ad36fc49cabde20e558834d9e

Filesize: 77KB
MD5: 45786914ab6e4fffc1f9d5cfa88473a7
SHA1: b0d5d9747f32647d20c6d1ed1ed127d9ac8d113b
SHA256: b08db981476d928b52495574c51f24176c80943f326ba8ba157b8eab6639eb45
SHA512: 8b7698eff9f196fdfca54b9661f3c12dc91d2743215881db2c69990388af6b38be57907bddf204c538b1a7f6eae97376b12b7520cf3c0b1b4b9e0f146a246166

Filesize: 24KB
MD5: 3339d864370a4663433c2e085a7a16ad
SHA1: dd0d727ef48aba2491417a47625a49871beb5d92
SHA256: 756b0060498fcc33bea3afb4776912ebb4b6ece8eb9238efe37aff8826fd4dc0
SHA512: 561c1015fa1a937db78b37665b3cdc42dadfb3941d55fbe807df25bc4df462c4845d3d062c8b913d4637b0d0585b6d937e488263f1772f4e215e3c9ebf2ca76b

Filesize: 58KB
MD5: 4a9973318e69e5faae764083caece51e
SHA1: aedb85551f03f94b1f846e7ede93d9045c8dcb30
SHA256: ec7dc2c756910f4ef4392fc94cd070f4c2b7764444a74206ad6942468b29a1d6
SHA512: 729cc7084a473f12425f585eba7c05c019b07ec7ade819f109fb836b5308d6a35c643ee357ec2b2f79f71de8a06794d65afbd328fe058bef4ca888d032b4608f

Filesize: 96KB
MD5: 5462fe76c75711c21778c3b499fcd9a7
SHA1: b9a151a87b65c37fd882d7a5ee4474cbeb748354
SHA256: ef7b4833a564e0890de35338f825700340bdcade0a49176121c34c6af44621aa
SHA512: 7d14f81bb7698bd8f3610202730f851d830b401f0fae11a4c71be5894e4e41737df25ef97de9bf39c6a89ca3e7f8c005fc87531b2cf6f8ffb9f5c4e5aba5c7ea

Filesize: 145KB
MD5: 0c674b81d1b8738e9b536816b1ad5c91
SHA1: 0462072f00ab0c3d8907e083ff10e03663a56e81
SHA256: 4f140ac392750cf3549ffa50cbe1026439373588b5164a55eed5aa86e4c50797
SHA512: 813412a69ebd9a6acb93a89c32174d74d8e8b66d0cba29c036821da9136a45abe0d52177a16bfff3d433a8ae71ce5449efa675a484a145dbf41856d7224f792c

Filesize: 8KB
MD5: cfceb0700b3998964a633a489cdaeb64
SHA1: c5135bcdc233e7c6305aea27700d7fce4efe78c9
SHA256: 731b9a7e8d392e552b727883d99f520024b29e0d28313738a56da4706205a3d6
SHA512: 77e2c170b0399254d6e5ffea54836eaffe4d47c5b864d44ab7f3f665cadfa25b672b91ba341c950abd39f424e107c019027e7854b0c635872d915a315568ffa5

Filesize: 62KB
MD5: 644a35348d18f92edb8699850d8f2866
SHA1: ddf18b6117baec11ee94cd05654fe3650e93b3dc
SHA256: f2a974919abbf5d0d5c3dfe2728903717e2b69cbfd55e8458d0961a33bea1937
SHA512: c15686cf73719f99a97c7af5f112f003655cd4c60f7bd8547c87fbc727a13d8399835448ddf3e466ce495c8e351b4afb1bd0550ee6bca81e6405c33296182b28

Filesize: 82KB
MD5: bd6567111e9801b5ce1e5bcb3024fa15
SHA1: 55e4f491fe2a962bf6cb19b1b4fe7586399d45e2
SHA256: fc018eded4b251c497267c05b63c7b4d8e1ab4b91e6786d095f78a4fee5187e7
SHA512: 368dddb1481a7c55acf696895bd79004e41f93cf16f7d8f2ecb11c80052338ebbdfa420bf987c863a27441898e10e3dcdfe8461aac4f8bf03c3bddd40001a8a5

Filesize: 2KB
MD5: c59f9cb2846d8824a39d1f8644e84713
SHA1: 8dc3f9f2d5a1e0be87f21f9706d0dcf463a5147d
SHA256: d74f4f06aa9b2e75068555105838ab939dd4a3baa85107c721f693be6143a130
SHA512: e6329fe1f0a075118b04c9cdf9dff5853873315406038eebaeaf8a11cfda9fd57bac4c56d1208a60bc0922ffe88b0e7ab511047f17862927383d9389b5c2025e

Filesize: 75KB
MD5: 1da9cd54dc12a1a0a45e6efa5b9a2574
SHA1: f3cbee5d20933dbdb5cab5c8f7277e8170b84525
SHA256: 104e10c52d076e17ae975e043272c91540820e6983789d9568664de5e18cef03
SHA512: c9d802a8da0696d0cd470e4c0821b9f2f6d9593bd6dfe56e5be5201d4d5cc75952c5d821e054820889512b3c3b319edd45277a59d18c563011534a4bb5a0ff56

Filesize: 94KB
MD5: c898f63d5a713dae5bc763316cc6a292
SHA1: 7c0ec7b1a4da9045fe00fce43abb2f3d019b0158
SHA256: d9a91267445238d6abf2641e1afb1199f18e09811dd9841de8456d867b960aed
SHA512: efe5378c6c9ccc61c3ff5cb9e38d90d5988d4809addf04f27fc707e5cdda83535bd30cac5d0fcdcb858f66406ded060ce29c27b80924a5f2a96176dadbafbd98

Filesize: 77KB
MD5: 828b2fc8ac7982d069777fce75ca25d5
SHA1: 8a97786574b936ca9bb9c56ac9906d5952802f79
SHA256: 9e2bcfd0d917fc75bc40a7408bd89b1ea75b197a8491f31d9373275295fc724e
SHA512: 849b86982e9c0fc08833e74d3f082069da7e1334975322b2af2dd0a337f39160c18d831803c173677baabb101ff2c3e63365e8c93510e77c4661e8b9fda17437

Filesize: 65KB
MD5: dfda17f8f4515d1eef79265d1a2ff791
SHA1: 0c0526c5dd79d91db98f7faaa113675f90f11c1c
SHA256: 407a778fb653fb4c9d3a26e8064dd1a0a24e2cb8e7161b078cf2050d768d0a4a
SHA512: e5d8a2724f92a2c3b5da55680317b75c0b2fdedddce89e14dbed36516ce7b1d15a894c99752d98f9594d543008f534b27d19e590d864787a2a6edb01831f2efd

Filesize: 8KB
MD5: 1410be93a6eff263d42c7d4250c1ccb1
SHA1: ad994800d63ac724834ab4089227f0f75653ecd8
SHA256: ac4170846ea44b51daeb38d2e66c145fbdb18e28c7694264a2a982112b0d54b0
SHA512: 2658e9b2eefd5e658a79929dcd431f139c92881b7d4d5223be8ab43432aad63bd18d5860925e62ed72128dcb4cdeea79ca2ceafd86f89ede8cbd79d96ed5fba7

Filesize: 113KB
MD5: 3e3c694dc96c4390e112d095742705e6
SHA1: 6000188e615a6bf3fcabcd0e6774784e00833ec6
SHA256: 5e736fd708445183a49226da4da6829a47395fdf836960dde33d7e08fbf9c343
SHA512: 44e79ccfac5b322b8326cb09922a645489034ba26dd7f7a1b06dc6d8f7b3cad609e8ee480b3685ae1d53968b8386e0c3318b4983bec0723effc63f8951ada9bf

Filesize: 59KB
MD5: 3e5bf525eacd718956b00cd0af1668d2
SHA1: 108417a3019a12632572c55e0fb56f04f648ac0a
SHA256: a9a79ed17dfca135c42846da7d14202b83147050c0c91b87215c392a8d72006b
SHA512: 5f369ccc975ce3c227d86690dbfad896b33ea87178618ee7ad7b7062ac1ed8ec8a96f8fe15f6bd4694e968f05c6d02156da38bb6d34beb0fabbfd59eefc94d71
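Reassembling what the loader built: the Downloads list gives sizes and hashes but no file names, while the Processes section shows exactly which chunks each copy /b stitched together and in what order. The parser below is added here as an example and is not part of the report. It takes a cmd.exe copy /b line and an in-memory map of chunk name to contents, reproduces the concatenation (including the case where no destination is given, which cmd.exe treats as writing back into the first source, and the glued a+b form) and hashes the result so it can be compared against the table above. The chunk bytes in the demo are constructed stand-ins, not the real dropped files; on a real case, read the sandbox's dropped files into the dict under the names the command line uses.

```python
"""Reproduce a cmd.exe `copy /b a + b + ... dest` concatenation offline.

Added example, not part of the sandbox report. The chunk contents used in the
demo are constructed stand-ins; the real chunks are the dropped files listed
above, which the report identifies only by size and hash.
"""
import hashlib
import re

# copy switches that may appear anywhere on the line; they carry no file name.
_SWITCHES = {"/a", "/b", "/d", "/v", "/n", "/y", "/-y", "/z", "/l"}


def parse_copy_concat(cmdline):
    """Return (sources, destination) for a `copy` command line.

    Handles `copy /b a + b c`, the glued form `copy /b a+b c`, quoted names,
    and switches between names. When no destination is given cmd.exe writes
    the combined data back into the first source, so that name is returned.
    File names that themselves contain '+' are not supported.
    """
    m = re.search(r"\bcopy\b(.*)$", cmdline, re.I | re.S)
    if not m:
        raise ValueError("not a copy command: %r" % cmdline)
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', m.group(1))]
    tokens = [t for t in tokens if t.lower() not in _SWITCHES]
    # Split glued '+' so every separator is its own item.
    flat = [p for t in tokens for p in re.split(r"(\+)", t) if p]
    sources, dest, want_name = [], None, True
    for item in flat:
        if item == "+":
            want_name = True
        elif want_name:
            sources.append(item)
            want_name = False
        else:
            dest = item  # a name not preceded by '+' is the target
    if not sources:
        raise ValueError("no source files in: %r" % cmdline)
    return sources, (dest if dest is not None else sources[0])


def reassemble(cmdline, chunks):
    """Concatenate the chunks named on the command line, in order.

    `chunks` maps the file name as written on the command line (matched
    case-insensitively) to its bytes. A missing chunk raises KeyError rather
    than producing a silently truncated binary.
    """
    sources, dest = parse_copy_concat(cmdline)
    lookup = {k.lower(): v for k, v in chunks.items()}
    out = bytearray()
    for name in sources:
        out += lookup[name.lower()]
    return dest, bytes(out)


def digests(data):
    """MD5/SHA1/SHA256 in the same form the report's Downloads table uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


# The first copy /b line from the process tree, verbatim.
EDGAR_CMD = (r"cmd /c copy /b 96053\Edgar.com + Lightweight + Surely + Prohibited + Pensions"
             r" + Vid + Bm + Diagram + Value + Temperature + Skill + Pics 96053\Edgar.com")
CHUNK_NAMES = ["96053\\Edgar.com", "Lightweight", "Surely", "Prohibited", "Pensions", "Vid",
               "Bm", "Diagram", "Value", "Temperature", "Skill", "Pics"]
# Constructed stand-in contents: chunk i is byte value i repeated four times.
DEMO_CHUNKS = {name: bytes([i]) * 4 for i, name in enumerate(CHUNK_NAMES)}

if __name__ == "__main__":
    dest, blob = reassemble(EDGAR_CMD, DEMO_CHUNKS)
    print(dest, len(blob), digests(blob)["sha256"])
```

Note that the first line's destination is also its first source: cmd.exe reads the existing 96053\Edgar.com as the head of the concatenation and then overwrites it, so the pre-concatenation Edgar.com chunk has to be recovered separately if the sandbox only captured the final file. Hashes of the reassembled output that match an entry in the Downloads table confirm the chunk order and that no piece was missed.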