Analysis
Max time kernel: 94s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-01-2025 17:17

Tasks
Static task: static1 (1 signature)
Behavioral task: behavioral1, sample random.exe, resource win7-20240903-en (6 signatures, 150 seconds)
General
Target: random.exe
Size: 358KB
MD5: 92bf5eeea4fc551ed2d5090a3061704d
SHA1: e3d11cce21d1ecb7457f583539f5e92a54271bad
SHA256: 84b2ae5fc55b2394ffc16022d5dce9b11fb232f14ccedf0cde7b6af44d0c5bc9
SHA512: 47b156c503ebe5844bf712b431733f45f9e27797bb929f00293536d8c152a005638aade8a8cf386ca7fcdc1177755ca36aa46754d189daecd093009ad2a9dea6
SSDEEP: 6144:TyJN9fUcPi6NViFY1mIHYH2bOVOWX74DscbbQHzm5ZO0zg8lMSKkbgbTjXx7x:2JN9JPi6a4mIG2yVlLKPb+zm5ZzOSL23
Malware Config
Extracted
Family: lumma
C2: https://wordemnyauop.shop/api
Signatures

Lumma family

Suspicious use of SetThreadContext (1 IoC)
  description                           pid    Process      procid_target
  PID 4532 set thread context of 3948   4532   random.exe   83

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  4016   4532         WerFault.exe   82

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   random.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   random.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process      procid_target
  PID 4532 wrote to memory of 3948   4532   random.exe   83
  (the same row is recorded 9 times)
Processes

C:\Users\Admin\AppData\Local\Temp\random.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
  PID: 4532
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  child: C:\Users\Admin\AppData\Local\Temp\random.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
    PID: 3948
    - System Location Discovery: System Language Discovery

  child: C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 800
    PID: 4016
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4532 -ip 4532
  PID: 4724
Network

Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google

Remote address: 8.8.8.8:53
Request: 217.106.137.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: wordemnyauop.shop IN A
Response:
  wordemnyauop.shop IN A 104.21.80.1
  wordemnyauop.shop IN A 104.21.32.1
  wordemnyauop.shop IN A 104.21.48.1
  wordemnyauop.shop IN A 104.21.112.1
  wordemnyauop.shop IN A 104.21.96.1
  wordemnyauop.shop IN A 104.21.16.1
  wordemnyauop.shop IN A 104.21.64.1

Remote address: 104.21.80.1:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: wordemnyauop.shop
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=dnoqeslo0tmr8pn5m1b57msnjq; expires=Wed, 14 May 2025 11:03:48 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GpOpoP%2BtlceSFOIEgcKvna9x89gTilSwLdmjbvy2VGaoGNJiXyRcbhT0UFLRZJ%2BcbCbSgwcKCImi4AXRP%2BQy98RP4s%2B6e28FJZRFj1i%2BFP%2FGsb0D0F3bDuqiDaBXKEtTcH9ySg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90403ca80dd193f7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=31064&min_rtt=26451&rtt_var=12387&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=607&delivery_rate=131956&cwnd=252&unsent_bytes=0&cid=6b60de45604ea46b&ts=284&x=0"

Remote address: 8.8.8.8:53
Request: strivehelpeu.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: crookedfoshe.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: immolatechallen.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: stripedre-lot.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: growthselec.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: jarry-deatile.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: pain-temper.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: jarry-fixxer.bond IN A
Response: (empty)

Remote address: 8.8.8.8:53
Request: steamcommunity.com IN A
Response: steamcommunity.com IN A 104.124.170.33

Remote address: 8.8.8.8:53
Request: 73.144.22.2.in-addr.arpa IN PTR
Response: 73.144.22.2.in-addr.arpa IN PTR a2-22-144-73.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 1.80.21.104.in-addr.arpa IN PTR
Response: (empty)

Remote address: 104.124.170.33:443
Request:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sat, 18 Jan 2025 17:17:10 GMT
Content-Length: 25984
Connection: keep-alive
Set-Cookie: sessionid=fd087003652d22e92a6dcc9a; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None

Remote address: 8.8.8.8:53
Request: 33.170.124.104.in-addr.arpa IN PTR
Response: 33.170.124.104.in-addr.arpa IN PTR a104-124-170-33.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 167.173.78.104.in-addr.arpa IN PTR
Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 209.205.72.20.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 196.249.167.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 228.249.119.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 197.87.175.4.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 241.42.69.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 86.49.80.91.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 13.227.111.52.in-addr.arpa IN PTR
Response: (empty)

Traffic summary
Columns: bytes sent | bytes received | packets sent | packets received | type | target | response

1.0kB   4.9kB    9    9    HTTP Request   POST https://wordemnyauop.shop/api                          HTTP Response 200
1.3kB   33.2kB   17   29   HTTP Request   GET https://steamcommunity.com/profiles/76561199724331900   HTTP Response 200
66 B    90 B     1    1    DNS Request    8.8.8.8.in-addr.arpa
73 B    147 B    1    1    DNS Request    217.106.137.52.in-addr.arpa
63 B    175 B    1    1    DNS Request    wordemnyauop.shop              DNS Response 104.21.80.1, 104.21.32.1, 104.21.48.1, 104.21.112.1, 104.21.96.1, 104.21.16.1, 104.21.64.1
63 B    128 B    1    1    DNS Request    strivehelpeu.bond
63 B    128 B    1    1    DNS Request    crookedfoshe.bond
66 B    131 B    1    1    DNS Request    immolatechallen.bond
64 B    129 B    1    1    DNS Request    stripedre-lot.bond
62 B    127 B    1    1    DNS Request    growthselec.bond
64 B    129 B    1    1    DNS Request    jarry-deatile.bond
62 B    127 B    1    1    DNS Request    pain-temper.bond
63 B    128 B    1    1    DNS Request    jarry-fixxer.bond
64 B    80 B     1    1    DNS Request    steamcommunity.com             DNS Response 104.124.170.33
70 B    133 B    1    1    DNS Request    73.144.22.2.in-addr.arpa
70 B    132 B    1    1    DNS Request    1.80.21.104.in-addr.arpa
73 B    139 B    1    1    DNS Request    33.170.124.104.in-addr.arpa
73 B    139 B    1    1    DNS Request    167.173.78.104.in-addr.arpa
72 B    158 B    1    1    DNS Request    209.205.72.20.in-addr.arpa
73 B    147 B    1    1    DNS Request    196.249.167.52.in-addr.arpa
73 B    159 B    1    1    DNS Request    228.249.119.40.in-addr.arpa
71 B    157 B    1    1    DNS Request    197.87.175.4.in-addr.arpa
71 B    145 B    1    1    DNS Request    241.42.69.40.in-addr.arpa
70 B    145 B    1    1    DNS Request    86.49.80.91.in-addr.arpa
74 B    128 B    1    1    DNS Request    172.214.232.199.in-addr.arpa
72 B    158 B    1    1    DNS Request    13.227.111.52.in-addr.arpa