Analysis
-
max time kernel
96s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21/01/2025, 20:34 UTC
Static task
static1
Behavioral task
behavioral1
Sample
random.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
random.exe
Resource
win10v2004-20241007-en
General
-
Target
random.exe
-
Size
1.8MB
-
MD5
10f6e997bed045a8c840b09bc411b19f
-
SHA1
caf53afb90487800622d2bf05809921c6f565302
-
SHA256
32b01a63cca8f2d7c6828280387e0c7e1a2c909a8e09b0d5f65e32d066e7ba7e
-
SHA512
b50c19cf41e9c75feb21fd33eb5f9d7ac1f3756d200d433d31ffb3c6257a79afa8c66d4917c5379b6d352cc0c2cd6c5530a09b4b6d850f12234ccce03b963516
-
SSDEEP
49152:3f803pPTEzyLob2TBQYIKdMTfvgG+zkg:3f80ZLtLbT0skv+zk
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Signatures
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine random.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2124 random.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language random.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2124 random.exe 2124 random.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\random.exe"C:\Users\Admin\AppData\Local\Temp\random.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2124
Network
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttawdrydadysz.icuIN AResponse
-
Remote address:8.8.8.8:53Requestnearycrepso.shopIN AResponse
-
Remote address:8.8.8.8:53Requestabruptyopsn.shopIN AResponse
-
Remote address:8.8.8.8:53Requestabruptyopsn.shopIN AResponse
-
Remote address:8.8.8.8:53Requestwholersorie.shopIN AResponse
-
Remote address:8.8.8.8:53Requestframekgirus.shopIN AResponse
-
Remote address:8.8.8.8:53Requesttirepublicerj.shopIN AResponse
-
Remote address:8.8.8.8:53Requestnoisycuttej.shopIN AResponse
-
Remote address:8.8.8.8:53Requestrabidcowse.shopIN AResponse
-
Remote address:8.8.8.8:53Requestcloudewahsj.shopIN AResponse
-
Remote address:8.8.8.8:53Requeststeamcommunity.comIN AResponsesteamcommunity.comIN A23.57.170.97
-
Remote address:23.57.170.97:443RequestGET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Tue, 21 Jan 2025 20:34:13 GMT
Content-Length: 35598
Connection: keep-alive
Set-Cookie: sessionid=2b3cced29ad8fd30a7265533; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
-
Remote address:8.8.8.8:53Request159.96.196.23.in-addr.arpaIN PTRResponse159.96.196.23.in-addr.arpaIN PTRa23-196-96-159deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestyuriy-gagarin.comIN AResponseyuriy-gagarin.comIN A104.21.82.94yuriy-gagarin.comIN A172.67.199.224
-
Remote address:104.21.82.94:443RequestPOST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: yuriy-gagarin.com
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=h42joe1h0k2o72tp6jjdoqhqr1; expires=Sat, 17 May 2025 14:20:52 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dD%2FHx4iazrP2jhN9zYWG7EM0EQaW4zkyO3CpsqO4kKY84pJHY7ZqsjEplRFGumCbcYg890gopszNURfsDfWvTFRVwFkrtUNBE9nM0zl%2BP0sTgtyPWmHCU%2BSZw%2Fa68%2FnKlBXXBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 905a15729e9d418f-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27187&min_rtt=26270&rtt_var=7012&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=607&delivery_rate=133318&cwnd=243&unsent_bytes=0&cid=30fc4edd32503a6b&ts=233&x=0"
-
Remote address:8.8.8.8:53Request94.82.21.104.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.170.57.23.in-addr.arpaIN PTRResponse97.170.57.23.in-addr.arpaIN PTRa23-57-170-97deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request180.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request134.130.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
1.5kB 43.2kB 21 36
HTTP Request
GET https://steamcommunity.com/profiles/76561199724331900HTTP Response
200 -
1.0kB 4.9kB 9 9
HTTP Request
POST https://yuriy-gagarin.com/apiHTTP Response
200
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
62 B 62 B 1 1
DNS Request
tawdrydadysz.icu
-
62 B 119 B 1 1
DNS Request
nearycrepso.shop
-
124 B 238 B 2 2
DNS Request
abruptyopsn.shop
DNS Request
abruptyopsn.shop
-
62 B 119 B 1 1
DNS Request
wholersorie.shop
-
62 B 119 B 1 1
DNS Request
framekgirus.shop
-
64 B 121 B 1 1
DNS Request
tirepublicerj.shop
-
62 B 119 B 1 1
DNS Request
noisycuttej.shop
-
61 B 118 B 1 1
DNS Request
rabidcowse.shop
-
62 B 119 B 1 1
DNS Request
cloudewahsj.shop
-
64 B 80 B 1 1
DNS Request
steamcommunity.com
DNS Response
23.57.170.97
-
72 B 137 B 1 1
DNS Request
159.96.196.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
63 B 95 B 1 1
DNS Request
yuriy-gagarin.com
DNS Response
104.21.82.94172.67.199.224
-
71 B 133 B 1 1
DNS Request
94.82.21.104.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
97.170.57.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
180.129.81.91.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
134.130.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa