lumma | 34c3a5d70230d93968cc2db047398cef644fb500740bbc20d09feb8e754ae197

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer_1.05_37.4.exe
Size

1.1MB
MD5

a2e9824e77be1fbc29913ffd0b324823
SHA1

42dd1e05ec49639d9d8ad318e732a66a1451fd6f
SHA256

34c3a5d70230d93968cc2db047398cef644fb500740bbc20d09feb8e754ae197
SHA512

d42a7f8c2d032a46dd664e6941c3496359ecc865d7a5394c782ecfd66fbd17b9bfefa1671068c869803c99cb9e00553242286c71b180341e003299d64ff4ed8c
SSDEEP

24576:eAp1czyvnORvabmyJFMwOQ75wWkGR+1FaFEddGuL9NfSvtzH:lczyvORiRJxwJ1FYxG2lzH

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://goldyhanders.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2528	Luther.com

Loads dropped DLL 1 IoCs

pid	Process
2700	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2132	tasklist.exe
2764	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MonoQuery	installer_1.05_37.4.exe
File opened for modification	C:\Windows\CorrespondenceSerbia	installer_1.05_37.4.exe
File opened for modification	C:\Windows\OverNodes	installer_1.05_37.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer_1.05_37.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luther.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Luther.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Luther.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Luther.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Luther.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Luther.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Luther.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2528	Luther.com
2528	Luther.com
2528	Luther.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2528	Luther.com
2528	Luther.com
2528	Luther.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2528	Luther.com
2528	Luther.com
2528	Luther.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2700	1728	installer_1.05_37.4.exe	30
PID 1728 wrote to memory of 2700	1728	installer_1.05_37.4.exe	30
PID 1728 wrote to memory of 2700	1728	installer_1.05_37.4.exe	30
PID 1728 wrote to memory of 2700	1728	installer_1.05_37.4.exe	30
PID 2700 wrote to memory of 2132	2700	cmd.exe	32
PID 2700 wrote to memory of 2132	2700	cmd.exe	32
PID 2700 wrote to memory of 2132	2700	cmd.exe	32
PID 2700 wrote to memory of 2132	2700	cmd.exe	32
PID 2700 wrote to memory of 2940	2700	cmd.exe	33
PID 2700 wrote to memory of 2940	2700	cmd.exe	33
PID 2700 wrote to memory of 2940	2700	cmd.exe	33
PID 2700 wrote to memory of 2940	2700	cmd.exe	33
PID 2700 wrote to memory of 2764	2700	cmd.exe	35
PID 2700 wrote to memory of 2764	2700	cmd.exe	35
PID 2700 wrote to memory of 2764	2700	cmd.exe	35
PID 2700 wrote to memory of 2764	2700	cmd.exe	35
PID 2700 wrote to memory of 2716	2700	cmd.exe	36
PID 2700 wrote to memory of 2716	2700	cmd.exe	36
PID 2700 wrote to memory of 2716	2700	cmd.exe	36
PID 2700 wrote to memory of 2716	2700	cmd.exe	36
PID 2700 wrote to memory of 2548	2700	cmd.exe	37
PID 2700 wrote to memory of 2548	2700	cmd.exe	37
PID 2700 wrote to memory of 2548	2700	cmd.exe	37
PID 2700 wrote to memory of 2548	2700	cmd.exe	37
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 2556	2700	cmd.exe	38
PID 2700 wrote to memory of 892	2700	cmd.exe	39
PID 2700 wrote to memory of 892	2700	cmd.exe	39
PID 2700 wrote to memory of 892	2700	cmd.exe	39
PID 2700 wrote to memory of 892	2700	cmd.exe	39
PID 2700 wrote to memory of 1712	2700	cmd.exe	40
PID 2700 wrote to memory of 1712	2700	cmd.exe	40
PID 2700 wrote to memory of 1712	2700	cmd.exe	40
PID 2700 wrote to memory of 1712	2700	cmd.exe	40
PID 2700 wrote to memory of 1240	2700	cmd.exe	41
PID 2700 wrote to memory of 1240	2700	cmd.exe	41
PID 2700 wrote to memory of 1240	2700	cmd.exe	41
PID 2700 wrote to memory of 1240	2700	cmd.exe	41
PID 2700 wrote to memory of 2528	2700	cmd.exe	42
PID 2700 wrote to memory of 2528	2700	cmd.exe	42
PID 2700 wrote to memory of 2528	2700	cmd.exe	42
PID 2700 wrote to memory of 2528	2700	cmd.exe	42
PID 2700 wrote to memory of 2952	2700	cmd.exe	43
PID 2700 wrote to memory of 2952	2700	cmd.exe	43
PID 2700 wrote to memory of 2952	2700	cmd.exe	43
PID 2700 wrote to memory of 2952	2700	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\installer_1.05_37.4.exe
"C:\Users\Admin\AppData\Local\Temp\installer_1.05_37.4.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Unexpected Unexpected.cmd & Unexpected.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 224553
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2548
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Choosing
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Readily" Departure
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 224553\Luther.com + Remote + Priorities + Cho + Reliability + Rating + Dot + Holocaust + Page + Webshots 224553\Luther.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Crowd + ..\Leone + ..\Tutorial + ..\Architect + ..\Mutual + ..\Margin + ..\Many z
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\224553\Luther.com
    Luther.com z
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2528
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\224553\Luther.com

Filesize
1001B

MD5
2d74dd690b587463fb169aa954177191

SHA1
38e1d4a4d6d27989eb66c7dab5d35107b549aee6

SHA256
548483df9a2c749dcf0b33585117e3316fc9286173c94da720afdf8faf2fbda6

SHA512
1f11fd88bbabdba5aeb83cfba4a4d94a5b6efdbce6d32937547b6385528dbafe59c0fffd2e908df7f7b17bc97aa2e7f6b3fb65c502a795917b0038872eb70fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\224553\z

Filesize
474KB

MD5
33f702c6f174718d817b4605ed89b52f

SHA1
f5649e94bfa880c7aa8d2ebcc27cbbcf44901223

SHA256
1021afdcac174ac0bfeb373b28c4658b5dc7671fcd2f7301edb10746eaf4f333

SHA512
d6dabdacb753c46bb6d9043df7f02676f8ec5221742b5e861e62436bece904f92214498c5e3eecb0974cb47229a7356101c936b0acc26edc907d150efb01d1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Architect

Filesize
52KB

MD5
af3ff719c0edacf7c2ac90c6259b85c4

SHA1
3df4efc47089e1dcc211bf19459c228fc36abf74

SHA256
97ae833cc88a6444656556032ad9d2ec0351233b41c5ec74a2d49341eeffa1b6

SHA512
2368493619e85c862997179945cecfcb4f824ba85b5b7e3b7278b6974edacfe9a95960bab8f436ea6e380965b3ee1be6c6fc3b274b42bed7200726fcf5d593d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DAA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cho

Filesize
88KB

MD5
5fa589ca1812f594c0773aea5adaa1af

SHA1
d7e9b77324d0da50b2d3b253fe57ada8100e2dd9

SHA256
43f6fa8cd5131cdb725ae40bc9643a0126c9ff356333d757e6ab105e1274cfb2

SHA512
490a3dab1f7a50e7da3dcea5bb39af7ced6326caee9d332f12b4f0ded6a235e612c53ab3fa2a7695c83630c5f8252a3e86140f3c6dedddb7912e228dabc9735d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Choosing

Filesize
477KB

MD5
72c5f20b52aeca0923566a34b9133cf2

SHA1
7832a2b158078e5bf463f54e54d6538fb340b6f0

SHA256
87aa8213c3409de46457a2fdbb278ff529caac10391f36687617fa149406b5ea

SHA512
2f0f8231c1a90d91db5701ebc57941b673f036b859607b22815e372613a348e1c3ea46ec10f785f77f091612c987dd3a6cb7ba6f2b922c640cb4d099d1510455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crowd

Filesize
94KB

MD5
e6391427848508dc0ac92258cc6fd6af

SHA1
6722e7bcf38c1c2013499f725850abcbcdc06007

SHA256
65e9e6bfccd8ab7acac8e56e74410059512477c47dff1acbcaba22f3611ebd06

SHA512
0ff1ed8d2f55169991c20f9884e97d73d91b24639c0e1813d4f2c5c1231904f5d829a567a2bc88a869fb9f544b16844f439947cbad5573b28e3e30662cc93260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Departure

Filesize
1008B

MD5
f5189566c9c39e1c2d0d72e8c10b8b79

SHA1
c59598a96aa3b5939d663fd80fbd591ee3291929

SHA256
1abe59bf2eccf033889f006f7e47709ec38d5e36e795dc959e68ad60a1c1425a

SHA512
353580a4b7d04d7fc6aaf5df3cb9d84aaf39264e371263f1fac6e1680a863bc42757658171c36fd84e19eb555f2eaff1596511e0af1dc62d1de7358fc793befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dot

Filesize
83KB

MD5
bc5a5c27bbda4f3ee9d4df841ee733b1

SHA1
f5b47462614d2ba38709dc5e59860b2dffb4535a

SHA256
f232b85dbcfa04e0bf3881a1693f6d5a79031cde17c56cb819c94b844d61e8b9

SHA512
ad399cab38073200fa32b809eb25d7bf7576ffc23275ade88f4b72dca544f87e72ef02f24e608f51263154386e38c6ce48de9693332a61e02a030b8d7e667aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Holocaust

Filesize
132KB

MD5
7ebb69fb1e465b4d1c8e467ab5e583e0

SHA1
27ded234ec9e48f32738f6dcc15e2a34fb34455e

SHA256
82653165cc91bc33c0120101dc443294cbcdcdf02d19111ef906e5f00efad565

SHA512
c85781a91b3cd7ef626350bf50618043896fcec372624ccb900e9500b56dcd80deabd6a3a8b81bad558ab7ce5e3c87fd51f790893a63cd20ca8b153299b899a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leone

Filesize
54KB

MD5
4cfe724fa55d354c9807368c7d6eef37

SHA1
6b7b271980fda4c942290a4e58625a4173c2719d

SHA256
cb198967c45747c5e6a2fd5c92ff5b13e4c10d4f7dc443b394601c8db65b8b71

SHA512
71daf1fb12364cc73d73b44ef5b63d7ac749fd2eacc36c53d3f47a4e7bcfcceacb50d85db14e67fba403e97f922bc43f03e1817c4fca00f945cf36c667f19892

Download Submit
C:\Users\Admin\AppData\Local\Temp\Many

Filesize
40KB

MD5
3510bf64cfa6df3631d880db920b568f

SHA1
397bb3156970d85919c7eea0559fcf55c4f42046

SHA256
d6b86d8d46d73f3df05a804615985008646dd078ecc4bb753b34c0026cab4473

SHA512
eb2826fc3036cf81b2517389bafc6960700a8c5aa5d0f6f6532e20ca983d3b621f96b479dd5ef6fe12fc78b895e2f862a2704f1514d88913c70d6a483f7a6b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Margin

Filesize
80KB

MD5
edad8ba829ce461df73b1c45419d06f7

SHA1
e5b34951d4bb4ad311413b0cf6075d6c70ae1d61

SHA256
2e5ffe7355a711ded6e0a037f2fd1eec67dd52d48a83117e7c35827c2c7af2c0

SHA512
1d9f069336f56434c9343f1a54d0391f5d8b273ac22a0c5713ff8645a8a828eb5b56b3d0b1a10da9f1e394527b421df31171691c57fc893f5649cfe5ff040e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mutual

Filesize
90KB

MD5
d6bdaae9e013495c5fb5e97f1203009a

SHA1
e4603f73d1289c0da115e8d7f95d7c78caca232e

SHA256
ceeaa6ad552ba0189f32c51153c882a9772e6fc3d7d1d9a632106348840fabde

SHA512
ce5e9a2f6e63abc12d32d2cc88203b73c2b968d485701749ea8fa9c762794ab7059f396daa3e78aa2b238d1feccc0be929198cbff79a46ebc17f71405c066bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Page

Filesize
142KB

MD5
849da478ec3b54458595ebc4797f5a03

SHA1
c88aa82b39fb85d77801370b5dca64a01cef7293

SHA256
9f080e2cb1c50c9646279cb6943bbf35016e61c89f5437ebfe32466109aaa291

SHA512
bfeabd47308f352a5fabaa04e443a7d6a7a7e94f99d443e6b01d229d6df2b6d718c3651fa115405eba8d1cc22b2d0003f4b6f25aac631ef4f662d1dbe89451db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Priorities

Filesize
67KB

MD5
b212537407fe3aea1f37210f2c97fb34

SHA1
46029a7bd80781bf385138ec72a3aa0017b63119

SHA256
0f88efbb006b3b8924cb853643f944c7d1bc0e16162a8c9bb82483e8d65a4306

SHA512
9d314912490b65f2933967a3350a42fd7b378aca42d7449f05b0c1d1e9cbd79601c9939e71445ad918054314d02fe43ced13e0aa3b60953653751d53ee76a8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rating

Filesize
134KB

MD5
5ed11c4b626451b04c76471c60785363

SHA1
1fa1bed97199f5366176a4f3e61552323102acae

SHA256
2601fbcbc756e49dd60f311b322bf80a6f1c7f4137c263097c5bf67162433ae2

SHA512
2d0d5193e7bee25ddd703bf59f6753838a279e72bca8eb64ff384b0d94221015152631a0ea3bf8f8881140febf389c27769040a212eda2326925dbc9cee88ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reliability

Filesize
126KB

MD5
1bf9441983742c8780ab9cbea7cecd89

SHA1
43d35ec6eac2236590a4e1cafe9561c55e56d010

SHA256
ae0bdb2202869d1b4a823af93eeb97e1a6a2a0c2d44dfaf91f690bacc1b33ddd

SHA512
2dd2a71b448da383aefc47b0127752bd17246993d5149298248e9ea2b052e24e49d1a6303dd14632388fb7235d11ffbaedc0793f4ec96df19f24f9e8173a7c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remote

Filesize
80KB

MD5
ae602f582ec8b5d0d56cc531d658df4b

SHA1
85d748ae045139b463146c412436e4b95d03b350

SHA256
ca490cca0a853ed6f00f791a65e61aa478154968259b06e8d6ceeda76d006d67

SHA512
19a05a40539685a1eb1346476337e0e0a8d44128a609f94551e070f82c5051abf1a93e978a573d1bfda2f2627adce7bb747e849cf0e8221b52e0b54bd9ac4775

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DCC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tutorial

Filesize
64KB

MD5
36da83a9b17eb16afcab4fce116634ba

SHA1
e5f806ce81683a7b12d6afcb900a440224c3ffba

SHA256
eaf7f69ed7cc6190d37788a127613ec90d3f9ad822b1f913e90cbf1b32613a6e

SHA512
250a6d82f1d2488808fed88f23cd83f6c45504b190cb5606df6fec628c9667357d2a850ed4631c6a9090b9105dd6646930552cfdc0437c2164b1e5439144b0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unexpected

Filesize
15KB

MD5
63515f866844b279cef96864cb3348c0

SHA1
2276f6b26044eb3ff252fab4ece7a52b47b1e37c

SHA256
56331384e114b80d7f259411ef2b64c412206b5ad0680321f15387e37472cc7c

SHA512
e3df3cc2e447538009851f233c74fb54f51c3462647090824cc63043b872d3bb545aab11e65288681811a1346d34a3a7fa72a0a5e3df5857b59babb7a2846630

Download Submit
C:\Users\Admin\AppData\Local\Temp\Webshots

Filesize
72KB

MD5
ba4bd6472d1f50ff03bebbbaae89b22c

SHA1
29db7366a8db226219c1de45d2b7df6265730331

SHA256
0ebc95d7954aba8429745ed50884cd0629673be34386aa7c0cbac5a9a5b7aa02

SHA512
943b54aca2d2ac1400a21eeda356a34fcc1c85f93a3716423d169ffa0693bb7eb61fe4b0a4f99becd8aee7f944a3e4840542464788d87aeb8acff93fcbc43037

Download Submit
\Users\Admin\AppData\Local\Temp\224553\Luther.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2528-68-0x00000000039B0000-0x0000000003A05000-memory.dmp

Filesize
340KB

Download
memory/2528-67-0x00000000039B0000-0x0000000003A05000-memory.dmp

Filesize
340KB

Download
memory/2528-69-0x00000000039B0000-0x0000000003A05000-memory.dmp

Filesize
340KB

Download
memory/2528-70-0x00000000039B0000-0x0000000003A05000-memory.dmp

Filesize
340KB

Download
memory/2528-71-0x00000000039B0000-0x0000000003A05000-memory.dmp

Filesize
340KB

Download