lumma | d94fafd3cbab6f1fc8486ba4f56f21723aa4934e04a8d91e1fec10c5d8fdf67f

Analysis

max time kernel
211s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Collapse.zip
Size

54.3MB
MD5

c9c09a7de133528b18d8687475099f00
SHA1

92efc6c5a138d5631dd113cbc0f501f8e1d6f5c2
SHA256

d94fafd3cbab6f1fc8486ba4f56f21723aa4934e04a8d91e1fec10c5d8fdf67f
SHA512

d8a2eded28250713e55475258c769156300ff5770c28ae447690ed4fbe33ababf2972577f67c9d0f09ad55811f16e439d89789238be56992068f18e44bc7957e
SSDEEP

1572864:YHEcPNHBrThiiGaNh7YQU44tu/Thr2hL4Yyqxb:YH7FVThZNVYn4euQF47qV

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://whisperusz.biz/api

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 16 IoCs

pid	Process
4020	Collapse.exe
3096	Collapse.exe
4088	Collapse.exe
2808	Collapse.exe
4896	Collapse.exe
2472	Collapse.exe
2312	Collapse.exe
3580	Collapse.exe
2300	Collapse.exe
1224	Collapse.exe
628	Collapse.exe
3704	Collapse.exe
4872	Collapse.exe
3940	Collapse.exe
2820	Collapse.exe
4792	Collapse.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4020 set thread context of 4088	4020	Collapse.exe	107
PID 2808 set thread context of 4896	2808	Collapse.exe	114
PID 2472 set thread context of 2312	2472	Collapse.exe	120
PID 3580 set thread context of 4872	3580	Collapse.exe	131
PID 3940 set thread context of 4792	3940	Collapse.exe	138

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4516	4020	WerFault.exe	102
3928	2808	WerFault.exe	112
2800	2472	WerFault.exe	118
3992	3580	WerFault.exe	125
2600	3940	WerFault.exe	135

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\㄰ə\ = "lua_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\潤瑭敲e圶㙝	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.lua\ = "lua_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\㄰ə	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\潤瑭敲e圶㙝𐀀\ = "lua_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\lua_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.lua	OpenWith.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
1672	NOTEPAD.EXE
2312	NOTEPAD.EXE
1864	NOTEPAD.EXE
1996	NOTEPAD.EXE
2720	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2320	7zFM.exe
Token: 35	2320	7zFM.exe
Token: SeSecurityPrivilege	2320	7zFM.exe
Token: SeDebugPrivilege	4044	taskmgr.exe
Token: SeSystemProfilePrivilege	4044	taskmgr.exe
Token: SeCreateGlobalPrivilege	4044	taskmgr.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
2320	7zFM.exe
2320	7zFM.exe
2312	NOTEPAD.EXE
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
4020	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe
768	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 3096	4020	Collapse.exe	106
PID 4020 wrote to memory of 3096	4020	Collapse.exe	106
PID 4020 wrote to memory of 3096	4020	Collapse.exe	106
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 4020 wrote to memory of 4088	4020	Collapse.exe	107
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2808 wrote to memory of 4896	2808	Collapse.exe	114
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 2472 wrote to memory of 2312	2472	Collapse.exe	120
PID 3580 wrote to memory of 2300	3580	Collapse.exe	127
PID 3580 wrote to memory of 2300	3580	Collapse.exe	127
PID 3580 wrote to memory of 2300	3580	Collapse.exe	127
PID 3580 wrote to memory of 1224	3580	Collapse.exe	128
PID 3580 wrote to memory of 1224	3580	Collapse.exe	128
PID 3580 wrote to memory of 1224	3580	Collapse.exe	128
PID 3580 wrote to memory of 628	3580	Collapse.exe	129
PID 3580 wrote to memory of 628	3580	Collapse.exe	129
PID 3580 wrote to memory of 628	3580	Collapse.exe	129
PID 3580 wrote to memory of 3704	3580	Collapse.exe	130
PID 3580 wrote to memory of 3704	3580	Collapse.exe	130
PID 3580 wrote to memory of 3704	3580	Collapse.exe	130
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3580 wrote to memory of 4872	3580	Collapse.exe	131
PID 3940 wrote to memory of 2820	3940	Collapse.exe	137
PID 3940 wrote to memory of 2820	3940	Collapse.exe	137
PID 3940 wrote to memory of 2820	3940	Collapse.exe	137
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 3940 wrote to memory of 4792	3940	Collapse.exe	138
PID 4020 wrote to memory of 1996	4020	OpenWith.exe	143

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Collapse.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Users\Admin\Desktop\Collapse\Collapse.exe
"C:\Users\Admin\Desktop\Collapse\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 140
  2⤵
  - Program crash
  PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4020 -ip 4020
1⤵
PID:2424

C:\Users\Admin\Desktop\Collapse\Collapse.exe
"C:\Users\Admin\Desktop\Collapse\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 156
  2⤵
  - Program crash
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2808 -ip 2808
1⤵
PID:4716

C:\Users\Admin\Desktop\Collapse\Collapse.exe
"C:\Users\Admin\Desktop\Collapse\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 140
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2472 -ip 2472
1⤵
PID:4800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\config.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1864

C:\Users\Admin\Desktop\Collapse\Collapse.exe
"C:\Users\Admin\Desktop\Collapse\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 796
  2⤵
  - Program crash
  PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3580 -ip 3580
1⤵
PID:2960

C:\Users\Admin\Desktop\Collapse\Collapse.exe
"C:\Users\Admin\Desktop\Collapse\Collapse.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Users\Admin\Desktop\Collapse\Collapse.exe
  "C:\Users\Admin\Desktop\Collapse\Collapse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 772
  2⤵
  - Program crash
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3940 -ip 3940
1⤵
PID:4536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\loader\Dexy.lua
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:768
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\loader\InfiniteYield.lua
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\loader\SineWave.lua
1⤵
- Opens file in notepad (likely ransom note)
PID:1672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\loader\Spinning Donut.lua
1⤵
PID:4908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Collapse\loader\UNCCheckEnv.lua
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0195D1B8\Collapse\cfg\resources\hi.pak

Filesize
787KB

MD5
1185163466551aacae45329c93e92a91

SHA1
0dcbfed274934991966ce666d6d941cfe8366323

SHA256
eda355e3785313e3d982c1d3652266dce1b6e08832056fe58854b825e0712ca5

SHA512
6fad3e24eb868acf78db0591c7ba77abc84e92cda28e8bffee435ea89940a8607e7628c6c5159349377a8d933f373db2dfa4e5715ca404bc3e67fd4a0f22a606

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0195D1B8\Collapse\library\test\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\Desktop\Collapse\Collapse.exe

Filesize
343KB

MD5
e2a9eba329355a37c5b560736a9f8405

SHA1
34795e62a0327c8495da8df5382b4ad6594c548e

SHA256
4201ef2a7f468deb182f23c26691b813c066525cb89b1fa6b91dac6d51233269

SHA512
a783a81c3961f37993f81ff56e7923a7a35b49bb0babbbde9d7bf83cd9581fe92603b03e9fa20790e4dcea0d9df231e7a4ca9795abe098fbe512ba1a5814b159

Download Submit
C:\Users\Admin\Desktop\Collapse\loader\Dexy.lua

Filesize
410KB

MD5
e37374a8aa47cf8ac6d56901436e199f

SHA1
5d62f5db07614f3b548702faa4f7a06e235c9b12

SHA256
47cc5f1102fda0eba76b9570a1b943326f2170f270d5280e1f8dd5723c43fc14

SHA512
efee19e8109a48d49f099dd1767c722935123c4ea4d6e0ab905703e16fcb7196d31c45826d4398a5b7249e686ca90db3f671416909ce3440d4709edf1bd55775

Download Submit
C:\Users\Admin\Desktop\Collapse\loader\InfiniteYield.lua

Filesize
464KB

MD5
b7fd97a54c618754ceab75e8a5c2de10

SHA1
feb96643a76f785177fa4e841b92e6a0af364180

SHA256
784f1c6ac0d4a3abdce59e09b0e9b52da6c426136cf0bfd775445e8194b77ddc

SHA512
078f305142e6b2d3300d249ba305897374e0d5a78e6db9ac902370b1eee433ee83322568735b3d82706fd1fc117dcbd3fe60ad5c2d8cada8deb36b2de6da7921

Download Submit
C:\Users\Admin\Desktop\Collapse\loader\SineWave.lua

Filesize
1KB

MD5
0bbb2aebfadc119226992045dcaa30b4

SHA1
6939f7c1f4fa7ac0f81e9dabef32fdb24d120e72

SHA256
a5f5aca3ac216ac9040d0425eb52b1465674d8cd79d928474562d9a644ff4f0b

SHA512
b433ad6f5d365c58e2260588fae7a3cbecbfe734daff125ce18b6673c629c1b6bccd6142ea49c2c77d57dbe9ab2d02b2897fd2d7c592d524952a62348715bbf8

Download Submit
C:\Users\Admin\Desktop\Collapse\loader\Spinning Donut.lua

Filesize
1KB

MD5
967403f0ecb43917e841a085851b732d

SHA1
b09f3bef3e9fe87970b48db46529c611c302db16

SHA256
cb1a35b6ae394e479b97aa1f946ca21b8794dd0d60b08b85bf89fa5b35a4d8da

SHA512
34e83a25f330243faf86b62923a873a9104fa62f756a66074905f7980475581eded0a92cd88b6beba9b6424fb7f2a9cd743627871f80d51ff36c39f28ccb29b3

Download Submit
C:\Users\Admin\Desktop\Collapse\loader\UNCCheckEnv.lua

Filesize
28KB

MD5
b76726d10354343d9af5c268e40b47c4

SHA1
7103c78071be0c65c8b3a217168cf7909aef748e

SHA256
e8d53406c916b8e827c65c8f00d8a18b1379e693fd0379e8116e749bdf860cf5

SHA512
5caffd8a06058e890fe4ae35430539281cf53fa791221189f0f6660778a83fa42cc3e5374ce06ff325420d92006c2bfe1003f1486714e889964075da66b046eb

Download Submit
memory/4020-302-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/4020-303-0x0000000000810000-0x000000000086C000-memory.dmp

Filesize
368KB

Download
memory/4020-304-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/4020-311-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-345-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-350-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-352-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-351-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-344-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-346-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-354-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-355-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-356-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4044-353-0x00000137D0160000-0x00000137D0161000-memory.dmp

Filesize
4KB

Download
memory/4088-313-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4088-307-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4088-310-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4088-312-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download