lumma | 6087227bb35383f28a21d99cdb8a110f28648fa4e12cb7f0f6b6c3b521765f2e

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240903-es
resource tags

arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
submitted
25/01/2025, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

native instruments monark v1.0 win mac.exe
Size

807.2MB
MD5

0b2a30ec0be8ecf3a2a89736f67a225e
SHA1

b08014503cf64c53eed2b27e56966811fe78fa32
SHA256

cd7344a1923fca79d26161b9a325af852fa617fc1cd81e555df0148e017d27a4
SHA512

d17fc2dea04b508844ceb87940f87ae7c9e472e68c28857a8a3a6701de82d7ab761542bc3e36a109338cdc898632f95da229ae9912e5a17516429c9c10636600
SSDEEP

393216:C07UqU4R/N+Z4hxQDd3GLHOA/YQbDFMUshconFqxit:C0XHBSsbDFah

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1400	Uniprotkb.com

Loads dropped DLL 1 IoCs

pid	Process
2828	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2196	tasklist.exe
3004	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PreviewsFreight	native instruments monark v1.0 win mac.exe
File opened for modification	C:\Windows\AngelesTrackback	native instruments monark v1.0 win mac.exe
File opened for modification	C:\Windows\HighsAudio	native instruments monark v1.0 win mac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uniprotkb.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	native instruments monark v1.0 win mac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Uniprotkb.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Uniprotkb.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Uniprotkb.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Uniprotkb.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Uniprotkb.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Uniprotkb.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1400	Uniprotkb.com
1400	Uniprotkb.com
1400	Uniprotkb.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	2196	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1400	Uniprotkb.com
1400	Uniprotkb.com
1400	Uniprotkb.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1400	Uniprotkb.com
1400	Uniprotkb.com
1400	Uniprotkb.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2828	776	native instruments monark v1.0 win mac.exe	30
PID 776 wrote to memory of 2828	776	native instruments monark v1.0 win mac.exe	30
PID 776 wrote to memory of 2828	776	native instruments monark v1.0 win mac.exe	30
PID 776 wrote to memory of 2828	776	native instruments monark v1.0 win mac.exe	30
PID 2828 wrote to memory of 3004	2828	cmd.exe	32
PID 2828 wrote to memory of 3004	2828	cmd.exe	32
PID 2828 wrote to memory of 3004	2828	cmd.exe	32
PID 2828 wrote to memory of 3004	2828	cmd.exe	32
PID 2828 wrote to memory of 320	2828	cmd.exe	33
PID 2828 wrote to memory of 320	2828	cmd.exe	33
PID 2828 wrote to memory of 320	2828	cmd.exe	33
PID 2828 wrote to memory of 320	2828	cmd.exe	33
PID 2828 wrote to memory of 2196	2828	cmd.exe	35
PID 2828 wrote to memory of 2196	2828	cmd.exe	35
PID 2828 wrote to memory of 2196	2828	cmd.exe	35
PID 2828 wrote to memory of 2196	2828	cmd.exe	35
PID 2828 wrote to memory of 1644	2828	cmd.exe	36
PID 2828 wrote to memory of 1644	2828	cmd.exe	36
PID 2828 wrote to memory of 1644	2828	cmd.exe	36
PID 2828 wrote to memory of 1644	2828	cmd.exe	36
PID 2828 wrote to memory of 2232	2828	cmd.exe	37
PID 2828 wrote to memory of 2232	2828	cmd.exe	37
PID 2828 wrote to memory of 2232	2828	cmd.exe	37
PID 2828 wrote to memory of 2232	2828	cmd.exe	37
PID 2828 wrote to memory of 1028	2828	cmd.exe	38
PID 2828 wrote to memory of 1028	2828	cmd.exe	38
PID 2828 wrote to memory of 1028	2828	cmd.exe	38
PID 2828 wrote to memory of 1028	2828	cmd.exe	38
PID 2828 wrote to memory of 1660	2828	cmd.exe	39
PID 2828 wrote to memory of 1660	2828	cmd.exe	39
PID 2828 wrote to memory of 1660	2828	cmd.exe	39
PID 2828 wrote to memory of 1660	2828	cmd.exe	39
PID 2828 wrote to memory of 1460	2828	cmd.exe	40
PID 2828 wrote to memory of 1460	2828	cmd.exe	40
PID 2828 wrote to memory of 1460	2828	cmd.exe	40
PID 2828 wrote to memory of 1460	2828	cmd.exe	40
PID 2828 wrote to memory of 676	2828	cmd.exe	41
PID 2828 wrote to memory of 676	2828	cmd.exe	41
PID 2828 wrote to memory of 676	2828	cmd.exe	41
PID 2828 wrote to memory of 676	2828	cmd.exe	41
PID 2828 wrote to memory of 1400	2828	cmd.exe	42
PID 2828 wrote to memory of 1400	2828	cmd.exe	42
PID 2828 wrote to memory of 1400	2828	cmd.exe	42
PID 2828 wrote to memory of 1400	2828	cmd.exe	42
PID 2828 wrote to memory of 2064	2828	cmd.exe	43
PID 2828 wrote to memory of 2064	2828	cmd.exe	43
PID 2828 wrote to memory of 2064	2828	cmd.exe	43
PID 2828 wrote to memory of 2064	2828	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\native instruments monark v1.0 win mac.exe
"C:\Users\Admin\AppData\Local\Temp\native instruments monark v1.0 win mac.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Manga Manga.cmd & Manga.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:320
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 697482
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2232
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Latitude
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Disks" Medications
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 697482\Uniprotkb.com + Deck + Firmware + Local + Commodity + Integrate + Worldcat + Disk + Duncan + Researchers + Franklin 697482\Uniprotkb.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Subsidiaries + ..\Briefly + ..\Prison + ..\Plains + ..\Tactics + ..\Passed + ..\Surf + ..\Postal O
    3⤵
    - System Location Discovery: System Language Discovery
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\697482\Uniprotkb.com
    Uniprotkb.com O
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1400
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\697482\O

Filesize
519KB

MD5
90e8a27bf1d8e3010c5001ecaaabe7a5

SHA1
1338dfce062e7d852709f26462420ddcfebe4d0e

SHA256
a2f748539fe0c94d403732747cc9703f80e0b8fbeaad9188891b7f8f83aab6be

SHA512
edf558626258b12c4830e0b285e68ae2d428286a20a3a2d3c6725e7093247bdd300694ef94fe0c0326ddda22fe809e0cecc07646c07cd5ba57803e41350d0936

Download Submit
C:\Users\Admin\AppData\Local\Temp\697482\Uniprotkb.com

Filesize
674KB

MD5
cc2583ae92378d5975f9145f03faae05

SHA1
0ff81e81eb6644632a513496b8fbbd33f2491ca4

SHA256
7630010c3228fd87fefbb693bd6efbf70056c4b729232c37496858d15d5b7da8

SHA512
696117fdab27460c906ecb9294d0f71bc054b0dd86f2ed05d8c45c541ab5ca12067059b8be1cbf20e16976c8b5042c0cd5b298de7f1932b2f97d11266c7971df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Briefly

Filesize
98KB

MD5
cae8dcb1f9bb563d2671047e919bbcb5

SHA1
ab3211970c80055d570f4ed7a8500f6b7ec93b5f

SHA256
8e9797b7bfe5c38cc53f5e2a6f95dc493320e776fd8a810c099655e53f26c9ff

SHA512
45e7a3d555faad2ce453f880a4bc0ffe5d51d7edab567d9d722190d50ca77a08eb2d43c5bf7164e2891038f78c5eee917186a012cf2b36e6c3422a877579b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD04C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commodity

Filesize
67KB

MD5
1b96ceae949cae303867ee5f7e812f24

SHA1
ee9bc6bba5b6eff53acc41b9bb448d4c6e0f11f5

SHA256
8dd0e1bb36f01cddbb6b6134ce8ede34d6e5eae085e37d6457cd0bd8b8a4e8f1

SHA512
51f86a51355b8a0e2864b1c94c83b8ca8b19abdcb8242ef6c9098d0be931c17eeff373919e231eae592890662fc57cbbf0779f2114fc729b4f370e224178002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deck

Filesize
90KB

MD5
2a83c974f2e4f3b54a3875f1e2d23ea3

SHA1
a5e0d3a1311050d49b7209a53549f1816242201a

SHA256
cf88444bf6afd916e090b758214d26eedd4967e1c3f377a582416b5f3a4e50ec

SHA512
7d19e57d9a512eed4608b1ba2da6660e369716fc9baddcc3b823463aacdf0af49a7d7643eedb509365477f1f0bb1fba38f5bf45abb58116ed3f6cd0c57c2fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk

Filesize
120KB

MD5
d00fce75af39654d56c5b9e18d23b754

SHA1
94329d1e4e7720e0a7c1b93ed21e37bf0aff4270

SHA256
d934bae025156fff375534a7763de322ed21e74cdb902ed2aa9362f2ba9ff621

SHA512
13c96c9df84243d7e9bec45cbb0bfe2e480532ea3164320c85e0907fc61255986d707936cf793dea83e2dc89805913ade5101e0c8fb96305aaee9fd9f21f09d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duncan

Filesize
111KB

MD5
314f0486e1cf02910784934cc1f33f8a

SHA1
9b37166b8945e0478b6054801fdf17e6f57dc83b

SHA256
ddd85519bb5addc43d28966e4853a86e26dd0d2a88d92929d2a905adb81049e5

SHA512
f5d7d0791a966fa514fa498abbb3edf4b667a3285912c25f5f45532271642bf75f6aa3581d27617a4fb59b0d19b25abed227f21af36a921ddae0481ea9f9632d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firmware

Filesize
108KB

MD5
8c740362b829284d375f6a8dd2cf8c4a

SHA1
7351ab9d10cfb0c138fdadd4d7a348185aef6a29

SHA256
2771f19004542f7a55e135c11931d67bdb0f1c069e595a64bb0f54e98406b97a

SHA512
6c1d6657404c98728e79cfdcb0b20edcd1b447b72660d6cd6a1b5f287d2306f0fb8a268e75b5278db427b0167007eda4d0d1bd90382675346866c021c3247719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Franklin

Filesize
82KB

MD5
e1677dfae45b1df9529e006de4177be5

SHA1
c577777da1b5fe1ec5e36e03be4797ae35d19e47

SHA256
8cb31427849b696a44d116859d711f9b152c062e3c243abb6538c2f16b99536e

SHA512
f2ab6f81699921b29571f34c46162e5aa2c13a3ade6ddd3fe33221eeffa88001dfb879ddbef88b8c677c0cad11cf9284e0986a251ecd5abbec89c438852540bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Integrate

Filesize
82KB

MD5
aae65503db290d40ce5dd2e4775b0704

SHA1
7974415581f365a92b20835ab6f3088697207cf8

SHA256
0235e7f925c9c4f36e3663ca3eb739c4d732d4341ea0604819caaf64d1b0be89

SHA512
3ce834b725ed5f93c7db2f103259ad5764eff7efe2719c480feea431aa9c1d134216cfec25f662f71191b039fac839680ff9e68f814e882e6a2edbe5e8f4ed37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latitude

Filesize
476KB

MD5
089124d0c187d58c606a2412ecb093bd

SHA1
0ced5703b7d4bcb76778ee9cc622755d98c4df29

SHA256
93b9d78fbda1edf0e076a5fde3e50ac440e8c2b0f8386e7b935a8d22ca8c86f8

SHA512
3b931aa879bd76500b345c1902d1e4694a7350b8aa82a9e34aaa6aa294ae628a0265a4cf8da2838abd911b192cf844e99949980615ef34205fcc4d37ffdb3f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Local

Filesize
120KB

MD5
504753aef58694f48717c273a27530fa

SHA1
f86bb2661848e6c1687b5321506ffb972438ca24

SHA256
d68b89f865707119b14acc02bbaf18aea669ac000d453db8055f62efe2050d45

SHA512
a779176f09df25ad6c1d5175c9714a7cbec94e77fc0d6fe30de215e2928292dd6b12ef1a58e9a38ec23b5ab5895868a94394ed5e83f1965caaad37c139b4218d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Manga

Filesize
8KB

MD5
e981d4e0de467cdb5eac02b75128130a

SHA1
ebf5778756d052f757d6b818bed9c982649b9b83

SHA256
5af22e1ebc2763756759a350e515644b0b38981591cb2b8c7e254560e1afa7fb

SHA512
e9f16caf23155622cc1d129bb4c4eb011034c393da4ef51ce7c90a99709d3a763525e1f770002174a1ba38626c0598a1e7e106f64bae578977dd4b089bf9d6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Medications

Filesize
2KB

MD5
1b5dd37c92b3e66032654979843459b3

SHA1
33cd6f3eba9f845b70c981c89aabea66b442b019

SHA256
277bfcc909d7834dd0e9258b3f313e1fc65c7f085479216bfd874acdffdab0ae

SHA512
053c2d2e2d204171433e0d64a699abe923fa1dedddb1c8ee2f1990e7851b32722b00cdac7d03d22566ea3d9a3cd488ac2175d37356f96042e7dbc805b4452215

Download Submit
C:\Users\Admin\AppData\Local\Temp\Passed

Filesize
56KB

MD5
57faf82635a958282890c277800a4c39

SHA1
077e733bf8d09e37f2f91284d9356d7ef07ae793

SHA256
2ef31e660f9449f0c6ce27483eb6fa39f88a1c280b539cd7d435e32fccc4d850

SHA512
94a7dddaba12f4f660e9130676798a0a5064f872251f7dcd90491d0980c616ae6e74913d776c04fd4c4426af1d9b1fc3b910126e5d76187fccd8de5022ca75d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plains

Filesize
58KB

MD5
0d98238ed768a22251cf0dd763fc1938

SHA1
a19cb30956be9ddf0b18681137a1faa2a5fba487

SHA256
a834a37a99b006962e4958fa139451b45c72836f2d0055bca12983b31e3b990d

SHA512
e245c99d065bcea368c9ce6013b887ae0619b476240e6b2edd3ed927758d63ab592c29a4de6f4e99c65d828686d25ca24325719b86992d16f7820e809290d95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Postal

Filesize
18KB

MD5
728de55c0ea34b3c00e2d6b7185e2fdc

SHA1
d352adcb51b9d7e76f819d64e7abf7ea8dc645a7

SHA256
db8645c89120a77e998d717a130e4c96c1cf45984c8cb2361e6d480e757874de

SHA512
3d0cb919f6b626f272536de768a32ca129b1fb9796dc081ccf9dde243d889f2fe2f4d529ae5c582c093cfc081e494e2220178ee444a6c86cbae560e1c502a51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prison

Filesize
64KB

MD5
5ac4420057a44be940c4a40a758aee69

SHA1
8fe369bf121e9898836008e406c9a9b1a76df736

SHA256
3c5796d1fb862d1ffcb5e820b7d4c6c2dcb6b63b5ffd17b55946bf7d352a0a27

SHA512
97f2fe2013413d9c2d1276b38c8cd2fe0f7520b86b77eb860206661dffc0e2e858757ad1eda4d0d256b9aeb8d1cfaa503bd6c4e3fda918d6322a77284988d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Researchers

Filesize
57KB

MD5
18c6503a3f8e41d9829e09b1b63ffb91

SHA1
0e820757b6ecd4e28d67015ec6c7ad5fbce4b96b

SHA256
fea57377e517e96f7ddbc5fba6675a88320b8790cb0ad454cdf2161291de4582

SHA512
fcedcfbf66d952b661ba565a55b6255bff02923f6edd5a863f70acebee5dbbad956a28325e64255c29097c037e0c5691cf847c8574e22505a3225df6bc65dd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsidiaries

Filesize
79KB

MD5
8a439bfd9f9092561688349cd1eb9670

SHA1
ac56d340dd34e02bdc432f453ff6ab424156a424

SHA256
24f1a880e15e8af71f329f861d3dc8633227db43f4d58b88ebcd7523411dc365

SHA512
a849ab36a191277ba5e1d7e00350be815f3e1cef1dfadb9da5511ca9d2d890b697ef0ccb3a1eb936537af3fc8ee43019c935cf1da88ef0d3f41a30da7ae42738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Surf

Filesize
65KB

MD5
d94f616a813e5c6d50931250d7ea3d43

SHA1
c87647cf7e46befcb21e8d2b94c808630e32ba6e

SHA256
7ed9ebbf4ca6146259fd01fadc83498e787724a24f49d2de9f6d74ad5c68bb1b

SHA512
c8869ba777f88f0f2b66107a479c8510c79f2d333c7e5d15ce953ed89482693c0d9851ee60bd3ca43bafcc05774a607fde870ecf05b938ed404c6a3aef837429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tactics

Filesize
81KB

MD5
9ca954f25e6b75fbebbbcfd7f961620e

SHA1
30a9317730abe844dccbca85867d16c8feead90a

SHA256
5b10e47f30a33eb894694c6f13055adac2ab65fdc160ef0ed2c0f63317616feb

SHA512
0ab6b4e73828e1dee8865266e326434cab6b4aaae1fd0d8f719440f4d31886fe6968890005974700270545f5dd450ed2077612c1c61e434b67b4ed6e398e42eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD05E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldcat

Filesize
85KB

MD5
5fdb9295e1e1d72eacb99954aca091df

SHA1
0cc223a9f5819569910f45f22bfe91747922d13d

SHA256
bfaad8f10a02e5ba7131d5362b2176995bae6dd5ea10fc544adc00f22ffe1283

SHA512
3c8ff497fd182d6cf6a2f56e81ab559c7098e4dd3ed8515883faf8ed55c6280ffd80ea3916993a91336f777570c40b700d824cd22705ac42c0a8047fc471892d

Download Submit
\Users\Admin\AppData\Local\Temp\697482\Uniprotkb.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1400-265-0x0000000003A40000-0x0000000003AA0000-memory.dmp

Filesize
384KB

Download
memory/1400-268-0x0000000003A40000-0x0000000003AA0000-memory.dmp

Filesize
384KB

Download
memory/1400-269-0x0000000003A40000-0x0000000003AA0000-memory.dmp

Filesize
384KB

Download
memory/1400-266-0x0000000003A40000-0x0000000003AA0000-memory.dmp

Filesize
384KB

Download
memory/1400-267-0x0000000003A40000-0x0000000003AA0000-memory.dmp

Filesize
384KB

Download