Analysis
-
max time kernel
108s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-01-2025 21:21
General
-
Target
https://ryos.transfernow.net/ru/bld?utm_source=20241231mbPXRY6g
Malware Config
Extracted
lumma
https://toemagnifuy.biz/api
https://fraggielek.biz/api
https://grandiouseziu.biz/api
https://littlenotii.biz/api
https://marketlumpe.biz/api
https://nuttyshopr.biz/api
https://punishzement.biz/api
https://spookycappy.biz/api
https://truculengisau.biz/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ryos.transfernow.net/ru/bld?utm_source=20241231mbPXRY6g1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe25bf46f8,0x7ffe25bf4708,0x7ffe25bf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13237242621517623652,468142162986836100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 11322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4728 -ip 47281⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 12762⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3760 -ip 37601⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\0PENM3\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"C:\Users\Admin\Downloads\0PENM3\BootstrapperV2.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 12362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2524 -ip 25241⤵
-
C:\Users\Admin\Desktop\BootstrapperV2.exe"C:\Users\Admin\Desktop\BootstrapperV2.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 13082⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4336 -ip 43361⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
648B
MD56262cfbb3bc9bc207533e2a7c091cf8f
SHA15154d0e1f91d21920af763c69a2c6fe2fd8a64bd
SHA256b3feaa00ddde0edff0aa396586d2798cefefeb38b3009c28d8f9a88f73f97eae
SHA5124931b44928595ada5c55b9921e64bf11a2d8a4883713a1c5d51903ae77228a3f119a5da9d8295748e3d08e42bf437f054f095336421021a1bd59afd2770be2b7
-
Filesize
1KB
MD52e148de7fdc6fdc02c244154b57dd1e5
SHA18db2d0216f49337c77e778666e7c6a7ba08fd1f8
SHA256fc62faf6e106ccff7e1f6c0f5058e3ffcd6f7dc6322440d6b169e6182d3b3464
SHA512afab02d07029272a4c2b42d3c84aad282540ff41d1ca3fffa1831625d8fc6cee880f4c7c4851ba3dff3eb771df0fe043751855b5fdc35fba7699cd0e0ae0dd28
-
Filesize
5KB
MD5d59997175e9cd7b83ceaac2aefd5f13d
SHA1f7812859d6a1c8e69bfff05d5bd5d9fc9e2541a6
SHA256f545dbc9305cbe06de96ca613477e3d0f52fd5f647aeb634d5ca30f6872da981
SHA5128615dbb6438a8013dc2f5521019b5382bef184cd6ab26124579ad0ee9d52834346d122d166b35a7e2e626399c2d5da277746322c5a313b16f7dbf74caa339ae8
-
Filesize
6KB
MD577c615d6ad3d0bd507b657b3494e3bba
SHA19892b04bf78d77ce143959702e6ff54f1a1eb694
SHA2561e3dd39b23f3be6ec8aca9b37fe088de63b1606d09d492befdfa80b8c1793eaa
SHA512c2b005bb9e9cc8c62341859e5ca6b324664ddf2094d4bdf3ce8776925f57f856bb17a2ee09437ac21365b33f92ff9edc44e72f125347325a340bf3e1d2868a4a
-
Filesize
6KB
MD5abef2d86c8cccfc517884fe78a7aa3f0
SHA1235af3f6ff86509f75d834decc6ce2a891a5647b
SHA256e8884703f1f51bc2a05abf985c984d73ce841690c77f8f18889ca0ff8eb5cdaa
SHA5126cad476b9fa7a14a750fa7a9c5bdc9689bb228e66ae3d9bc90401c3fc9009a02497193e23cfd0bc43245bfbc6f0b781abd9f73ad239ef33b89e9487168f6a7dd
-
Filesize
1KB
MD59dd55629a84894a35e5203968b22646c
SHA1efb19415cedaf66f74fb153a2c8278916b04bcdd
SHA25653acc7e4245448888b692e09e2c1693b6a59291c1bc014fe19b07ff7c49c0d06
SHA51224654360bbeb55b43e56ea4614011fdfe834c29c76fba98abbaa856940114ede3aaf20cad26eb4d53ebd097fddf2aba126ea5c315d46b502ee1207e452cbbca4
-
Filesize
1KB
MD51f5453bec27f3c8a80e00a070ba2b58e
SHA1191d1c1626ca173242e64cceb10caa29eade0aa9
SHA25619efa984fc524647dacf5decbb91374bf8a02c693b95824e7dc5355aaa038e23
SHA51238ad264e5b36614c7da30cbc68263386b6ee6a8b303acaf44ccbe72b29d351b850bd7dc005fc77149ad1cefca093bf8c7cee913c1c8e1040ed2be84be4ed9eff
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD516e752a268cf616540df1e98b9c7408d
SHA10efa3a5f858272fccac25e6c04a834b0e7525133
SHA2563f70d56d798c722091435627f61eb1aae9f7d871b03e96e861c1afc1909f5f5f
SHA512f77aec5bd83b492c2a258ab3193196e8d46773cbe7f700d12af48a549192dc0d6992976220c2a347cd225a7c9dc99279a2675c5b960a8b6522be357c5c48a159
-
Filesize
10KB
MD51fe7900505a743fb7a42b0a78923d094
SHA1a3cc1c4c0b549ed16f70f4a8d938f7a16cce6075
SHA256e107e4709f5dd71d41fa5fd4d819eec44c5b9261d54b2640b744721595df2861
SHA512e13898897f98040eebad0455e11f7733b26577b0f025f9ad05b1bcf77db57f485b5f5eb211d8a3f382d4475099d1900603898c6d8a9700289c820a63013dcc1e
-
Filesize
10KB
MD5cea47ede651d85bb15038a0a49a6baed
SHA1beb2f07799c8583f16020cd4165da396c2e85572
SHA2560040c86936a1321e505d5a230c4ba3b8aa08531fbe46540438dec1e3df174543
SHA512a8eed5d1b4006dd846ad34491286b2dadfa478915503e7001bd70638da41bb6b76fda690a27d016ff25be7230d3e6a83c0e12c551c51da372a5cc63c114ad762
-
Filesize
425KB
MD5c92cbf636d43ae6362c93356d0dfeb91
SHA1b673238c002005a112e9373bcc82e28c23f3d084
SHA2562b398b95f0c44e153baec6826e16da2620f389c3621d26f66a12ef903c00370a
SHA512bd8c02851e3ff4e91c856671f53b17f60c383a3f3f7bf77d75c6e0bd89118d9016c7fdbe4a75bce3ee56cc168bf3ba2c8a9be4754d180f8d6b95babf1b3da548
-
Filesize
860KB
-
Filesize
860KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
860KB
-
Filesize
860KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB