lumma | 921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
Size

1.1MB
MD5

3e8e6967fd4794ed4d29e34bdaaf939c
SHA1

36687e95877a56f1b8db8ed3771d6c208ec8422a
SHA256

921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0
SHA512

af2232d188fd7a8617ba22bb83cf1cf6288243d9deeda4470c4d7d6b75592c0917684266d251fb7d20bf19f9bb2c31bd0e9880fa6b2117465493f5be09234267
SSDEEP

24576:4KUXU/58hwuSo0dGjhpcKwE9fY5bBIRZ84/gwW9TH+OLDR7C:TUE6hmo0dGgb5bMZ84/ZODR7C

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1328	Chapel.com

Loads dropped DLL 1 IoCs

pid	Process
2516	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2296	tasklist.exe
1248	tasklist.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\StoppedCoffee	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\CostaBryant	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\HellInterval	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\ImagingPolice	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\SubstancesPicking	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\LawFo	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\SkirtsMetallica	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\NeverthelessVolkswagen	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
File opened for modification	C:\Windows\EnjoyedRefresh	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chapel.com

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Chapel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chapel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chapel.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Chapel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Chapel.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Chapel.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1328	Chapel.com
1328	Chapel.com
1328	Chapel.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	tasklist.exe
Token: SeDebugPrivilege	1248	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1328	Chapel.com
1328	Chapel.com
1328	Chapel.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1328	Chapel.com
1328	Chapel.com
1328	Chapel.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2516	2996	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe	30
PID 2996 wrote to memory of 2516	2996	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe	30
PID 2996 wrote to memory of 2516	2996	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe	30
PID 2996 wrote to memory of 2516	2996	921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe	30
PID 2516 wrote to memory of 2296	2516	cmd.exe	32
PID 2516 wrote to memory of 2296	2516	cmd.exe	32
PID 2516 wrote to memory of 2296	2516	cmd.exe	32
PID 2516 wrote to memory of 2296	2516	cmd.exe	32
PID 2516 wrote to memory of 1688	2516	cmd.exe	33
PID 2516 wrote to memory of 1688	2516	cmd.exe	33
PID 2516 wrote to memory of 1688	2516	cmd.exe	33
PID 2516 wrote to memory of 1688	2516	cmd.exe	33
PID 2516 wrote to memory of 1248	2516	cmd.exe	35
PID 2516 wrote to memory of 1248	2516	cmd.exe	35
PID 2516 wrote to memory of 1248	2516	cmd.exe	35
PID 2516 wrote to memory of 1248	2516	cmd.exe	35
PID 2516 wrote to memory of 1820	2516	cmd.exe	36
PID 2516 wrote to memory of 1820	2516	cmd.exe	36
PID 2516 wrote to memory of 1820	2516	cmd.exe	36
PID 2516 wrote to memory of 1820	2516	cmd.exe	36
PID 2516 wrote to memory of 1164	2516	cmd.exe	37
PID 2516 wrote to memory of 1164	2516	cmd.exe	37
PID 2516 wrote to memory of 1164	2516	cmd.exe	37
PID 2516 wrote to memory of 1164	2516	cmd.exe	37
PID 2516 wrote to memory of 1428	2516	cmd.exe	38
PID 2516 wrote to memory of 1428	2516	cmd.exe	38
PID 2516 wrote to memory of 1428	2516	cmd.exe	38
PID 2516 wrote to memory of 1428	2516	cmd.exe	38
PID 2516 wrote to memory of 2852	2516	cmd.exe	39
PID 2516 wrote to memory of 2852	2516	cmd.exe	39
PID 2516 wrote to memory of 2852	2516	cmd.exe	39
PID 2516 wrote to memory of 2852	2516	cmd.exe	39
PID 2516 wrote to memory of 2320	2516	cmd.exe	40
PID 2516 wrote to memory of 2320	2516	cmd.exe	40
PID 2516 wrote to memory of 2320	2516	cmd.exe	40
PID 2516 wrote to memory of 2320	2516	cmd.exe	40
PID 2516 wrote to memory of 2028	2516	cmd.exe	41
PID 2516 wrote to memory of 2028	2516	cmd.exe	41
PID 2516 wrote to memory of 2028	2516	cmd.exe	41
PID 2516 wrote to memory of 2028	2516	cmd.exe	41
PID 2516 wrote to memory of 1328	2516	cmd.exe	42
PID 2516 wrote to memory of 1328	2516	cmd.exe	42
PID 2516 wrote to memory of 1328	2516	cmd.exe	42
PID 2516 wrote to memory of 1328	2516	cmd.exe	42
PID 2516 wrote to memory of 2420	2516	cmd.exe	43
PID 2516 wrote to memory of 2420	2516	cmd.exe	43
PID 2516 wrote to memory of 2420	2516	cmd.exe	43
PID 2516 wrote to memory of 2420	2516	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe
"C:\Users\Admin\AppData\Local\Temp\921d75c8cbcf2c934df28a2f1e615fb468e663bcc94f8012d220a7f7cf9120d0.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Tablets Tablets.cmd & Tablets.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 40022
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Warrant
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1428
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "RAYS" Wales
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 40022\Chapel.com + Double + Pirates + Herbal + Shoppercom + Ing + Preparing + Messages + Character + Dare + Knight 40022\Chapel.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Fleece + ..\Biographies + ..\Grew + ..\Allen + ..\Adaptive + ..\Wr + ..\Samples B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\40022\Chapel.com
    Chapel.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1328
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40022\B

Filesize
489KB

MD5
186e4c262bd05bed73b1a18a20c5c3a5

SHA1
538d2067c7b4ed1889fa6ca11d9c3f84c94735b5

SHA256
239bf24af782db4b812726dc5d03013ba5629d3e602d69bafeef48138c427325

SHA512
c25111b8abd90448882b4c18295be30094b0173e1e65cb443c3c9a9ccc72103f8cd15318f3da0cd83fd5df421b8a72cb9f69aaad6bdb98ddc6576321f9006c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\40022\Chapel.com

Filesize
116KB

MD5
e958f00740a92b4ffe9f4e7579bafeac

SHA1
43b88740d20ea83e923d779bf519aefef9ec77d6

SHA256
df4e8b8b90e47ac19a2486a8246860ecea08319d2d31df901f19de1f215bdb71

SHA512
f47cea4bb0f7abea8998fdbc35d9d985b0319179ec9ca3f96990424d9b2ed704b1a760455cdcc1ac88ca9ced8b33cc50efcfca4135cba2ed8eff824ce2c6a712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adaptive

Filesize
71KB

MD5
43304e2bf651fc6b4d4c08dd596ec3a8

SHA1
d8cb201d4723fac49ef64f9483f42585021d3ad2

SHA256
8de1f7e2599a53151fd73854020886fc170c3253b9c7086116ec06e0ae3cd7fa

SHA512
a3e1945c99a2c69a4e2fd66417067a40325e10be486702c03267017d186a24821b9e3f0b54d3b06b39bae6b03e0e77c9464036e4d4dcae04b781f99cce41fe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Allen

Filesize
54KB

MD5
cb2d7f2b2cb42cf703823ad5094f0249

SHA1
b0ec2a4e26788c874736c511ef816403a7f1d65c

SHA256
aafdaee3b609669cca866620035d15d4436fbad04f10a69116cdfa00fc66e2b6

SHA512
cb6b82819123c9858a21b62056217790d26e1d27642b8b3b0a8cc6cd65107e28214fdda5eec759eeba52e2f3cab1a2c170b3ecc01e99e384ef9546679f74d93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Biographies

Filesize
92KB

MD5
cfb376113837f1eef5bf7d100b5c150a

SHA1
60489b33638771700b35417e20dd60c81bcd9564

SHA256
b91cfa84a2d15985db106de4517f04f08452b5ea9e04be8e3f6babd46b324250

SHA512
a24d9b7ce2bab937f754eac9ac9b0f6706ea09bbb0204ecfcc647b5a71a027a36e2448b04815b2d720f6f1c3dd9767ef616173dd010b35a8a763537c0b12932d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Character

Filesize
84KB

MD5
45867c0ad4cb24934a7692853ad9836e

SHA1
0a5fbd6875bac3fed917477906d193137efe8306

SHA256
0319704e4aff33195e5c53b30fa37c74090f42b5cb6529901649f3562d79b404

SHA512
7313ba4aae3af392b3ba715dddb59a103cfe9485f878ecdf6c18c701e52bbe280ea12b86df5eb472d5da7551a0be55868d985a23574a6fca53cc7aafc9be7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dare

Filesize
139KB

MD5
2725cf453f8cc51359832b5017c309ab

SHA1
8359d6e8555778148dfd038f5133ab5ce3c13b0f

SHA256
243b130e24f26dae33c518d8d0fc2bcab0e7da2316e56b1ff566036a27ca137c

SHA512
3a57a6094b3bef8f9a82a29680de4d173002ed65c78c5c5d391cae0188e8187d4f648ca98c0e076a88ba21b8f499c97cae1627540182b75f824697ac500eb618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Double

Filesize
116KB

MD5
463014b392d5ce12a1a7c54c91809cc8

SHA1
0fa6ab57d3de9e0e4742cbce60ee544de56cde0a

SHA256
2e81475f02ea37b711a19055847149b93c3bf58c288290f74a71abe52952ebf2

SHA512
32c59c053f16a5698fb6b569a89c074887deb815e0dd3bb31a514c4ae65e7ff0e9ed0ea86c19c528f6f5561c8108090113cebd4de8a9f3bf8c2a52bec3c6b946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fleece

Filesize
83KB

MD5
c32242a35d1fa68238a93a1d8061a596

SHA1
aa29bac5963171c241909c6e46f86b082d5880ea

SHA256
cf826a278ecadbbbc2d4caa0f16ccbce08a836c411ad0049e2a8750f19efaf1e

SHA512
cd48b8dfd5555452596305201190223d7921a6a1ebf34b722c31f4c057a79eddeedf2458d4ffd2431a06385585ca2d5f5d889e23bf80d5b9ced08429732eb78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grew

Filesize
96KB

MD5
4fdbb6ad4882baacff4756473e2917bd

SHA1
bf240de2cb75212bdba466d5d9b84d383c91d2ce

SHA256
50e727843dbb81b79f0a1997aee66c6b50d4d2ea566532027dd21808e3756bc5

SHA512
06935059e66a06ace5fc216be316befaac18d696c13d1b87ad60dee2f902311f135f9e6025ec09dbe2035d850af8a28cfccce51a4d6ebb990cb9c9f41e9c161a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Herbal

Filesize
84KB

MD5
30b67b9074770d9d0e99ebbecc65ba12

SHA1
f77bdd42fec694bfdc5f05bd68500763f127b225

SHA256
117b92dff1bd6752250349e70d39f166910427dbe9d5f5fdee401bdba1bee94e

SHA512
dbedcf11cf98da20624a6aa07f9db8cd29c8b61ce854f88827339d7c5b28fd14e7697b28aff8845e96e1b3445010f038fdbb29c3e6395e1622ce14c86d75bd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ing

Filesize
117KB

MD5
10a41fc2ac27270969f853aa1b4649f6

SHA1
739221d156dbd8ff9e2071b724243f0733184cdb

SHA256
494a928d3bce1f1d67afcc47218c27df66f8754ba786b4e3ed856066f0592d38

SHA512
62d0087e9d0af9fa7826c5e7268030428737dcd26d0285561ac5c7777c81928a1c51c0534979329fe850d6070881e3cbd826f76ffe8841aef8a00b50a073ed68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knight

Filesize
21KB

MD5
f23849fb71e6b80fc6573bb34179f612

SHA1
c198618b47f5fb024a8d8bba5362670994c8e9e3

SHA256
934d6f2398c7543d476ba9e7f2475b6fac4026915d113f6c09b5f11794857f45

SHA512
9ccf6aa0a20ccc31b005174bad7105232ecac3f99e58019d324066b0bf3d98e6c2ead0cf522e52c2c36335a177516bd6799007e935f967fb6aa65c6aea90f244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messages

Filesize
68KB

MD5
c532f5343c9922885bed411f3bfffa64

SHA1
2c8c5a77e854cad889a704f51b1fb5deac2e2b62

SHA256
da5e56bff21a616e46f1986a6b635485707e166206c100b1d468e7a5227917a5

SHA512
5631bfd802703d407c6bbb42b22a30526d9dbb564b7a93e6a6e4423353181efa3c95fb97b4719909a20c264f6721b2797d8f029d7927476832bad81ea7d8d253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pirates

Filesize
125KB

MD5
5bc1cfb78da63f05d160241eb57124de

SHA1
8cbdd6470986462086456420eb017be47d12228f

SHA256
79f9a6798c82f77cd86165400b3bb4f95706764db6130395e5ddc636e1976536

SHA512
a15065714e88f36aecc0340f00b6e28861d90d9920531f1ce12c0d54f05527c219f14e5f3dd9c5d80412fcafb01751f828e2d3f4e99ef154309f803a85277abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preparing

Filesize
107KB

MD5
bd9cc5fab7ea9198cdf86903b17774fc

SHA1
2f08e6025f29b6ffd26961bfb15d9017280c9ca1

SHA256
30bd7d8782cffba502a24048afc94a2b40720ac74b9dc2ed48d1ca531a392297

SHA512
3929ad00fea55653eb2ed6155fa87ed9d0c958ba557b3b4d5a2326434504f2d43a11f855c836286d8860f086bba4347ef528f04450fcef04dc74d22bea675fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samples

Filesize
39KB

MD5
ab4078343b697bd58ef9ebb13255fece

SHA1
7d3a10804e32814eb9ecb0dda4bc45b29c24ef7c

SHA256
fcc391469d1e25c581d699431d7ef9bc894e749f691bfae3c4e35c01546ed4b2

SHA512
4d64978f79c76d47b7187ca2eba1a1ec3bef488a3db6a04fb2b1670066d7cb3a80f577ab469651440f13fec759621dd7793e432246ebd67efb21d5894adb4c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoppercom

Filesize
63KB

MD5
2bf5dcf13dd0ec13b061c8c72bcb455a

SHA1
0c63eecb901450430fc660d8228fa565d37803c6

SHA256
82dd8e2b96918c33e6da0e1015ab88d0cbecfefbbf3cef3417d53f77c04775b6

SHA512
5ddd7e04f703dc9c009f666c88e4e667fb0c57e640ce204d91c7507f8488a1e3bd45d762fd3c0cab02539c32a6a6a40b90951377b884a358365e7166da932a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tablets

Filesize
9KB

MD5
f44edfabf2f81f5ce5aefd194acdb498

SHA1
0c03343c487b2c836f9c099e443626b4028ea8c4

SHA256
eb1ef4721496a6bb97be758f81001a63cf3ae2f480a5fc7e24a1b80d2a01b878

SHA512
fe83d40305e46c848213cd257547367077afbc6a2f532a6b58b808133fdc8917f31ac5629b9a2c6adcc3f1671e73b7cb248904a5c95ab8e7845057dfb9625891

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA14.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wales

Filesize
384B

MD5
64ec3f7282ff9687fa67cc957b99aa80

SHA1
4cf976e5472a35466198fd618f91d0bec3a44644

SHA256
f0f30c23b641948b923e76de92c59df1250e2db71de2b940c07f71f6ecac72b1

SHA512
85dcb954015ab88cc9e6993e0e4bd0080fe601d927b3dc0982b62539df8627c1df6884f58ff10b895c7873455ded7c82d19be61b852382df738b2b4186f878e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Warrant

Filesize
478KB

MD5
9beb1989b5fd1868c62ce28c370b148d

SHA1
9fcfac2c1e0faa65e9bb9c49b88a8ea8aa2ff260

SHA256
59eed3fa1e29686d0ac3ce1ed502b013d77b67772d666b1d75cd669f7ef00e21

SHA512
747a177d131bb0d606975dde8702bfe7297f0174c0836a156083273e7cdaccd6d5583350d9223574ffa33b22cfe1e02bbb3c0d255e80d459e4c7f4560d80ffc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wr

Filesize
54KB

MD5
2a571fb5bb8ea9fc4f2e46e5b26f701a

SHA1
bb3b08a45a156ca6afa1f6daeff6dc1ef472e95b

SHA256
1da5680e212b229c64db1a9ad0c7dbc6cb6ead77c4bef4382ef3793be8eb1158

SHA512
30e11cd017302c9a097a8b077f560d9a2dec7c5b0a501003fd17cc51e7bc7ca557d21cd8b11ac57f57df1df9620d4ce0d83875fdbd2f2f22a0b81e8c679ed4ee

Download Submit
\Users\Admin\AppData\Local\Temp\40022\Chapel.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1328-285-0x0000000003660000-0x00000000036BD000-memory.dmp

Filesize
372KB

Download
memory/1328-288-0x0000000003660000-0x00000000036BD000-memory.dmp

Filesize
372KB

Download
memory/1328-287-0x0000000003660000-0x00000000036BD000-memory.dmp

Filesize
372KB

Download
memory/1328-286-0x0000000003660000-0x00000000036BD000-memory.dmp

Filesize
372KB

Download
memory/1328-284-0x0000000003660000-0x00000000036BD000-memory.dmp

Filesize
372KB

Download