lumma | 940c1abb65e2518711e47202e4dc8525aa7c8e895eb80a5b1ed2ae20f0c5eeb3

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/01/2025, 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

80.0MB
MD5

ad357b13635d86920b9d1b010c988695
SHA1

055227c79d141a1dd2d971868a68625ce46ada65
SHA256

a085fc669f08a141040364f1a57bbaf323e147c6f3994f8fe1eabbc49f627fb7
SHA512

1b567746abb360d576060c8033abace8df8e97331978e60e5e452c2e4b6e07b97a715b5a072a4050e8dc78f3b64c47a55293aebabdaba0e59a396d8d668bbcef
SSDEEP

24576:1x/ma9CefrwEKy9iF/9U+ndQwmunIW/4znJY/34L8rzLD3Z2U6vhvVL:h9TwEKEk/mcL6bznmv4L8XLzih1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://warmconfuse.biz/api

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2668	Vienna.com

Loads dropped DLL 1 IoCs

pid	Process
2288	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
264	tasklist.exe
1680	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OngoingMove	Set-up.exe
File opened for modification	C:\Windows\LiesDish	Set-up.exe
File opened for modification	C:\Windows\WaterArkansas	Set-up.exe
File opened for modification	C:\Windows\MwArm	Set-up.exe
File opened for modification	C:\Windows\DeckNight	Set-up.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vienna.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Vienna.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Vienna.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Vienna.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Vienna.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Vienna.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Vienna.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2668	Vienna.com
2668	Vienna.com
2668	Vienna.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2668	Vienna.com
2668	Vienna.com
2668	Vienna.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2668	Vienna.com
2668	Vienna.com
2668	Vienna.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2288	1868	Set-up.exe	28
PID 1868 wrote to memory of 2288	1868	Set-up.exe	28
PID 1868 wrote to memory of 2288	1868	Set-up.exe	28
PID 1868 wrote to memory of 2288	1868	Set-up.exe	28
PID 2288 wrote to memory of 264	2288	cmd.exe	30
PID 2288 wrote to memory of 264	2288	cmd.exe	30
PID 2288 wrote to memory of 264	2288	cmd.exe	30
PID 2288 wrote to memory of 264	2288	cmd.exe	30
PID 2288 wrote to memory of 1060	2288	cmd.exe	31
PID 2288 wrote to memory of 1060	2288	cmd.exe	31
PID 2288 wrote to memory of 1060	2288	cmd.exe	31
PID 2288 wrote to memory of 1060	2288	cmd.exe	31
PID 2288 wrote to memory of 1680	2288	cmd.exe	33
PID 2288 wrote to memory of 1680	2288	cmd.exe	33
PID 2288 wrote to memory of 1680	2288	cmd.exe	33
PID 2288 wrote to memory of 1680	2288	cmd.exe	33
PID 2288 wrote to memory of 448	2288	cmd.exe	34
PID 2288 wrote to memory of 448	2288	cmd.exe	34
PID 2288 wrote to memory of 448	2288	cmd.exe	34
PID 2288 wrote to memory of 448	2288	cmd.exe	34
PID 2288 wrote to memory of 352	2288	cmd.exe	35
PID 2288 wrote to memory of 352	2288	cmd.exe	35
PID 2288 wrote to memory of 352	2288	cmd.exe	35
PID 2288 wrote to memory of 352	2288	cmd.exe	35
PID 2288 wrote to memory of 1336	2288	cmd.exe	36
PID 2288 wrote to memory of 1336	2288	cmd.exe	36
PID 2288 wrote to memory of 1336	2288	cmd.exe	36
PID 2288 wrote to memory of 1336	2288	cmd.exe	36
PID 2288 wrote to memory of 2364	2288	cmd.exe	37
PID 2288 wrote to memory of 2364	2288	cmd.exe	37
PID 2288 wrote to memory of 2364	2288	cmd.exe	37
PID 2288 wrote to memory of 2364	2288	cmd.exe	37
PID 2288 wrote to memory of 2856	2288	cmd.exe	38
PID 2288 wrote to memory of 2856	2288	cmd.exe	38
PID 2288 wrote to memory of 2856	2288	cmd.exe	38
PID 2288 wrote to memory of 2856	2288	cmd.exe	38
PID 2288 wrote to memory of 1584	2288	cmd.exe	39
PID 2288 wrote to memory of 1584	2288	cmd.exe	39
PID 2288 wrote to memory of 1584	2288	cmd.exe	39
PID 2288 wrote to memory of 1584	2288	cmd.exe	39
PID 2288 wrote to memory of 2668	2288	cmd.exe	40
PID 2288 wrote to memory of 2668	2288	cmd.exe	40
PID 2288 wrote to memory of 2668	2288	cmd.exe	40
PID 2288 wrote to memory of 2668	2288	cmd.exe	40
PID 2288 wrote to memory of 2716	2288	cmd.exe	41
PID 2288 wrote to memory of 2716	2288	cmd.exe	41
PID 2288 wrote to memory of 2716	2288	cmd.exe	41
PID 2288 wrote to memory of 2716	2288	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Legal Legal.cmd & Legal.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 66244
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Geometry
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ut" Boring
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 66244\Vienna.com + Exec + Balance + Competing + Choosing + Western + Treasure + Enjoy + Sale + Gold + Bk + Ruled 66244\Vienna.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Viewing + ..\Guns + ..\Diameter + ..\Ny + ..\Advisor + ..\Implemented + ..\Updating y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\66244\Vienna.com
    Vienna.com y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2668
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66244\Vienna.com

Filesize
124KB

MD5
b7b445ee4901026da770d94bd3faf321

SHA1
7666f5b98ab2e9a8e6425024d1cf3665b68d7505

SHA256
d70649d9f61e11325d84592d8c0389bc7388c037119956a5550c9a31e441b7b1

SHA512
910cd5634c4501561d2f4cf6a4fc33c86a08ec1dce76ad047ad22d8bae5820c5b205007c2db697df063b372c25c7a751808c03ad6334ab9e70e33ea29b30f392

Download Submit
C:\Users\Admin\AppData\Local\Temp\66244\y

Filesize
518KB

MD5
0ede316775012dbddba46eec8fee26df

SHA1
bf0f33d86758e0dfbcf6d471760bd132cac76250

SHA256
b659f76b0b79fe5bbda5411e7f02d393973a443c664527d9888b786a63733aaf

SHA512
c81d661e4a354eb4f9862e1b32b92bcb3c9af72af05d83ce59767f9feb990e3ac1bef69d26623ff26bb95716a3fe69fa73ace05b81c9a282e75e403d93471a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advisor

Filesize
91KB

MD5
aaabab6186acf1e95a5e8b54012e7172

SHA1
4436a84779e811c8ba8a2c95c1ee41412c9a102d

SHA256
0cc93e9fec1a1db8f081aa5f09eb0658b2b21bd65f5c097de915775ca07464e2

SHA512
68ba62a8da4b5419cb1a4923202d53d139bd6fd548fa8c2cc3a8de365da7017ab5ac41d2c4012d6c352720705b415a7b608c77fc2cb3f62fef3f38cea8a3733d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Balance

Filesize
145KB

MD5
3b1716a1a0e1fe526b3d04b60a8d26a0

SHA1
9f9147dcecbb9fe992dda80011ae1aaffe200612

SHA256
712165435377b5053568c4b5b584bd9aea4c25660cc5d25b8a583df699e2bdde

SHA512
626e03ec7cb954d210306f2607b2cfae5db192e2e87eac881b0e4fb659c9361189668f2bebea40c39142a1613a3ae97b849b2bf7bb66b2c39d7d49ce82ec4179

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bk

Filesize
114KB

MD5
dffff8a703909b197f06aaa4a413b154

SHA1
f2ef10aaac0b1744aebedff7d60e49c398193818

SHA256
c4312c0367c33053b58aedc5afb860193bb34e04b0f32193ef66bb96d4103054

SHA512
923bf4b1368514f54cb441c53e6135fd1770798e95b291e934a4c26f6cfa9d1a9b172fa968c9746c7e91bd782e7e3031038e7da9c4528140e1de1e6b40c92567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Boring

Filesize
2KB

MD5
847a20b7d9e4a038d85e5c42b2334171

SHA1
3ee5afd56bb0b07f8ba09b2e0743dae0ddfe9fdb

SHA256
4aaabf99fbbdf4a3e4cb7542eba2af79aa754c981b1382361af464cd8ca8871f

SHA512
e19644283dd161843d1748749daf8e57f21b6b0d3a3e74cb80869572917fcfe79bc41cc9d3c4257a3624c61c2ffe9927947f021c4658bc4997045ecec4eae5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF23.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Choosing

Filesize
84KB

MD5
540d9d8e7844e6d480c8e1bae182cf92

SHA1
b0a761f8d3fd1c78eae42eb11f57ebef3bab5a82

SHA256
6ba6ecef1f2f33a03256c0a45d8050f84d4107ddd82d7b06b5990e854a36604b

SHA512
b42f5ddfb7189240f1c6f45a40ee5c7091fdf56e2f697ef5b84cb01dd60650730fc8e711be18831c725adc15a7e74be56548eb6ad225ed47736b0106ea85a275

Download Submit
C:\Users\Admin\AppData\Local\Temp\Competing

Filesize
59KB

MD5
e938b253f488779855c2beeb957444a4

SHA1
469bb4e03a3e7f467f396c19d1ee9e6bf7655c7a

SHA256
38de23e30d953f47d68ecc44c94bd9f8a06db2abc199a2a5a13d7bbdc286e426

SHA512
1aabf6cba809b28d7774f30340a6cec64ec11889bf4da011080ac5d6a0119ff21445fec9e8fd3fdb41351cba94ed314e15caf8344d9042c163796213d07c1692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diameter

Filesize
71KB

MD5
592fd038183d2c6c4e234a4bc098683c

SHA1
12361e14525f8701deaa81e039184932ca5ecdb6

SHA256
c2119f000e7b741376315a1be438d354264bb21950d043cc251f25579e93871d

SHA512
e34333d1a23679a6248cdf9bb17d94292b7e35cc0141635d72be7a8fe266e5cfe939036ed32c61dc2218552df228dbc66dbcdacf90a5e844ba27e9977235ee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enjoy

Filesize
64KB

MD5
0951a1587058743d28143e2249f3ec33

SHA1
faeeb08143c96a2285caa00468157a8a563a17cf

SHA256
f30b58980983543bd78de80d2f4ca335d3d76258e95df0958ff0197a76fdc6a3

SHA512
1d9a32635cf3be3c7498e74b035fe824c784a6ba20d267c5e8494cb1b3c1cf93f74b33e8d7c44b9a3e83b1cdeb6aa43726dd7fd5bf26d7322096719f7b655159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exec

Filesize
122KB

MD5
c7113026b0bdb9bc2d8273cac9fb214d

SHA1
5a775d55e57a129199a3f4274f27f4c7b4a5e109

SHA256
0790c25d6c99c1a56aea2383d294ccda3709e672bbd1830c353b7facecee329f

SHA512
dad67a42f0438094127e0713d6aa71d109e55c97d6d31ab234d22b42463c014a3278cc5dd390788d827c65ebc0547bef91f292a64db373077cf45ca830218f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Geometry

Filesize
477KB

MD5
d3eef3cb48068d69166992e56b45dd6f

SHA1
1e18f6b757536102f797649b3b9a0140f508fec0

SHA256
6f9c76c31cf67770c1a4d50ef50a045b81d3883d543e8443a8daa3335cfa034b

SHA512
3ce8a62757b82b19094fc7006736ddfb001244e4163c9819a8c90d0be8874a195f643297875793d97fd88642179644e842c2a552bc463de52fc73755d4e7ee9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gold

Filesize
76KB

MD5
2ebd861273fafe439a29e5df27b68207

SHA1
40147e337dfa9e6d153dcedb7c987957607f70eb

SHA256
fb98fe7c34dd12688061b1162bdf6a30cee3425a6e3c2a83ce7662b77384e9d1

SHA512
a613ab0d62814e82ea3aec402ad3f8ecf9d90c94d2f544080888872b5cc35fc1795c3e21fb80c3572bdf2a7f34ca904d7d22e9fe2b1da67083d728e0f3b4a7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guns

Filesize
55KB

MD5
25e82949bfbd3b40b979f8c2e00ad7a3

SHA1
605a91295d6dacef34c87b5f3696ea453137e983

SHA256
8261459a567531699bf3093cee24dce008e3eb12ff8e725106cd32b27fe36c49

SHA512
3d9360178a1054bd9dbcfbd87ea8a058d9a08e3c0c28589698cc37eb10525b76a31240907b91505d1dbbf0d44b3270c17e8d2b961c2edec4e2af2bf2f06be2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Implemented

Filesize
77KB

MD5
181cd38c0996cd22844471c8fe4be47e

SHA1
f951ab2a395633b853a4d167a9734c70923790db

SHA256
7e1478f886c05a2ce217b9c72b0c003c1cb43b8322ae02924097f1cb1f232237

SHA512
7ea02f6e3f5b3ea3bea6c245caf4c1dd6df5ab7810b26d6d36d6fe784dd5c8e2d10dd6d8e97339824b59a701b4d993d71f1d37067c65927b60b9473c52c02048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Legal

Filesize
32KB

MD5
abe5115d11ab3bf6d656dfd583d72b33

SHA1
8c35aa92e3d5ac8b351a816cc7c7dd64d28093ff

SHA256
df3daf8b3bd92d6615515d52b752c14ac40d52135f9d966ea7695a05d0397e85

SHA512
9329c3a30b09e8c6007a6cf749943c110be8695d69aaa674415d15f10c9148c2a51325a1ad4b18c14ab79e7f786905e78cd8d7dd6bb31ab551e3e00f860241b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ny

Filesize
56KB

MD5
feb2ffb7768c77bbaee63ec226ffff53

SHA1
fae3b5c6a6fdafba14e8fadcb3157d104c75ac42

SHA256
9b187162e38692fba26058377520b454c0e574da854d71dbc6f0609bd9f7249c

SHA512
09c03d00f82e57749e87625575e830283f2977ffe0e9c477bd625acaf5542f70ba8df29290d11f210509da186846c2dd4381e4d45269a031455e4a1325d2e39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruled

Filesize
3KB

MD5
b3abe2d07e8f064a674ec26ba6a57320

SHA1
4486f400aac0b03c536c7b26ddc7064198489116

SHA256
41263d3ff61652fd1ff66c070cb26e7fe2190af5ab21dc0008f71881aebc6301

SHA512
b16e5bb5e319c6198222b3f408aea57bf09caa2d3f5b5ac538f091bdfc237a0182b496be9beaf1e83512b20e83961d7478bf6e63a203a91e1689f40b34ad67e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sale

Filesize
100KB

MD5
041521ae3d806f7b04ba8463b2a3fc3a

SHA1
628d4f44fec64f5a121bfcda84f82dcc45fe2a2c

SHA256
962c7b981d1a4963c94393460e2a2da2bce4892b18c349525f5fd4cae9e298ca

SHA512
2e2ea76cecf664cd8e953d1a64903d0afd5f1fcc62ca1e9551f3fbcf8a8c9c3d1082980d1d9f9427fab22f61148b2fd15acc2f71764a2651ac839e8fdc2e15d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF46.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Treasure

Filesize
89KB

MD5
6a4821fea6d6de767c59c3a2871ae6ad

SHA1
7f3b041e33b6c1c40e18bebe91ec6760eb447096

SHA256
00d97cea4c51f0789b3547717e3b868ae1147dd960f9feb06f289cd041fc3c37

SHA512
012bac39fe17c38154b6033e157ef80a59b7918727aa57579317a809149487d6bf13fa9d81ac225f286644f03e63b9f83a19159d7c20053523a0afb226e3eab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updating

Filesize
71KB

MD5
e9f83a07ce606abeecc54bc1fac78ce1

SHA1
ae0827b4a692b4bafa3782462a1636707715b836

SHA256
fa8610ba996ee7e666c7332d7b3fd5647564efafc38368e284c263c68df70c38

SHA512
ba16ed12380585da650037b924ba307ee447c995f118c4fab0a1684cff42d81fc994d5f0fd6a9f194f268559bb60510e006336d66d87f1ee6c04414d799f5133

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viewing

Filesize
97KB

MD5
a3194c17c65ef624f1a5e8df0193d654

SHA1
0b6f1b412e2163eb7fb6229f0bd9fa22ab66e274

SHA256
f3ae92f0a232d4ba11d42a34c78303bc29fd4bfe0e06b3554081de2fb31ccd80

SHA512
6865610a54d16f49e9e6f5c4609a52f798753a7b86055b9ee80b968d4982a11f6c52d07b6034dc344a09240430e9154557258d00a79c9af394eef673b2aa9e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Western

Filesize
66KB

MD5
f24f697665b1bac344c203ba6f54de4a

SHA1
244054b589b7ea2f86535aed0aa1ade4f11898b8

SHA256
87eb487ec89a028436c934ef12a8c924c04729fb5cfc8ab3f676c3358bc902fb

SHA512
e535e6a7e7fa2d0086a85d245e57eb987d18ef3cc6f9a0239173d6822e1c132a1e80da69c75767dfea497805bf06c1767dc8dc6fc01d587ec451f759b0324e3e

Download Submit
\Users\Admin\AppData\Local\Temp\66244\Vienna.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2668-776-0x0000000003B30000-0x0000000003B8F000-memory.dmp

Filesize
380KB

Download
memory/2668-775-0x0000000003B30000-0x0000000003B8F000-memory.dmp

Filesize
380KB

Download
memory/2668-773-0x0000000003B30000-0x0000000003B8F000-memory.dmp

Filesize
380KB

Download
memory/2668-774-0x0000000003B30000-0x0000000003B8F000-memory.dmp

Filesize
380KB

Download
memory/2668-772-0x0000000003B30000-0x0000000003B8F000-memory.dmp

Filesize
380KB

Download