
General

  • Target

    quarantine.7z

  • Size

    24.6MB

  • Sample

    250217-1yxnlatnaz

  • MD5

    f9e59b0217c1676ef91a3754ed3e7cd6

  • SHA1

    96393b22d27d6f6a3cb3ec786f12b1630f06d691

  • SHA256

    0d7db567df0c03f033db70107c7699d21fdc046d3b502160e45b6c26a7a5291d

  • SHA512

    53281172b57773847cd97e8127ac3fdf99059321e6928ba5cab7954ccf1ac0f887bf6134ae8b163306aa5f01ce9ff751fea2d237c2138263a122a251abb4e44f

  • SSDEEP

    393216:MW41YxjRBsR0arpMBfHBpuM37XLzb+2lJMq/VYFqyY14Dpbo0WroM3AF:M1YxjRBshpMBfhpN77zoqSFqyIfb0NF

Malware Config

Extracted

  • Family

    lumma

  • C2

    https://mercharena.biz/api

Extracted

  • Family

    gcleaner

  • C2

    185.156.73.73

Extracted

  • Family

    cryptbot

  • C2

    http://home.fivecc5vs.top/RkxPTSBLYxNxxrPaLizI17

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    103.84.89.222:33791

Targets

    • Target

      quarantine/30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5.exe

    • Size

      1.4MB

    • MD5

      7725406519fdb2d4597eb70e03576461

    • SHA1

      3c4998416fcd4367c6cb93c84e5527ffb782554f

    • SHA256

      30adb2328b17bd15cdeb5059c621bd6e9bf0b7e03dd2cdfbadfc837737d424a5

    • SHA512

      36492df42a99d9881f9723aea964d30606e18584021735a902848ef8d80937dd2e1106b89398dffc1b981c150bc7b891268b901ba0c14ebdcadb09a2137bd373

    • SSDEEP

      24576:OMgzKuSuOZFObZbEeUbihDe4EJMqsYrXKPkP8y5v1Ksn6iK:ZgzTZQtb6De4EeqrTWFyt1Y

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Target

      quarantine/FKza3Uv.exe

    • Size

      53KB

    • MD5

      2fd40e86c527911aa8d73806c9416845

    • SHA1

      56f71ff5165326f8c8df3b5aff0a8a2b81ccaf98

    • SHA256

      562bb2261dbda517ca4751b1918f8dcf88ecd3fcd15ee521744cb9d9f6b50c22

    • SHA512

      292bfb2f489a2d0ac08d7ebf23441cdd2feba4113dee24186bb3694c9bf30f95d1620144752a85e69a5cb3b7ea5c2f778ff0b380f50e1d1823168a67c80c8920

    • SSDEEP

      768:O71LYWE2CBE+t5Gqk/S5wVQn5NuH3pR9ZJv1bUDe2uASFoT/5jY11Xh:OhLYWE2CBEdSKW0v1beeVoTxjY1b

    • Score

      8/10

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Target

      quarantine/af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc.exe

    • Size

      3.6MB

    • MD5

      4d00204c805a047237431defbb66eac2

    • SHA1

      0348a3e6aa4c353aedbfb32280c24113edb142e0

    • SHA256

      af8fa1c9ee24035cb342fee0773983a2aa4af97b630ccc6b38aef13b0f8602cc

    • SHA512

      bb1471e1b1d1da7d1f57b9028184f68e266ebe9923e5f56015fdfc9bee29b5ac66cfeeb4667b023f656a7569df2291af243376e8567293bb2be4d8a10608739e

    • SSDEEP

      98304:3c16jhPDcUCQcIMq2DMm0kXp6DzAqiVrfzhcn:AUhbcRHMmlSzAqiVtcn

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Socks5systemz family

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      quarantine/d2YQIJa.exe

    • Size

      2.0MB

    • MD5

      c51ea7f18b1f25150b3c6fe237ee63fd

    • SHA1

      17566341231ac3316c325a23cdaf9a3c766ebe11

    • SHA256

      55015b4080cea86f2e750440ff1bcabe87d2e0ffb35e4b940a385048c3e0535b

    • SHA512

      deceadf703491d36218f133475b93e834552838fee14a6de187167d4cc0dacdbb16bfa156650fdbc73a85fb9b86a2c84884c51be8caeffdb599ef091c0e5eba0

    • SSDEEP

      49152:AXAejEWyxSeJKr0e/BtUd5gbbu9jT7mhxpfSi:u5rt/B7bbu97mh

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/f2b4b0d3be4e4be0527e1a2a4255df1ce093829e31212afdbd34f0dadc6b398e.exe

    • Size

      1.1MB

    • MD5

      9e2e378d3752661619257b383c7e248c

    • SHA1

      68063571bc4f56bd9a6b2f7d26f208a36980895d

    • SHA256

      f2b4b0d3be4e4be0527e1a2a4255df1ce093829e31212afdbd34f0dadc6b398e

    • SHA512

      8662f15668eb89acfce2fc4a68e1b8743148b846ee5c07b25cf8ea91073655aa4143fd9abb8bf0045e7adb9e78766335dc796ed39b320546ae078b247b5c38d1

    • SSDEEP

      12288:vstqocI4DK2IQKaR9Zb9nQb5VIE19YdouyBn2nbCybbYVcAi28P+QFqO/vt+sJ0G:vfoIxKK9PnWBbYLG2W9cATA14ucsI+

    • Score

      3/10

    • Target

      quarantine/jROrnzx.exe

    • Size

      681KB

    • MD5

      73d3580f306b584416925e7880b11328

    • SHA1

      b610c76f7c5310561e2def5eb78acb72c51fe84f

    • SHA256

      291f2ea4af0020b9d0dcd566e97dd586cb03988ab71272d511f134ac8b1924b7

    • SHA512

      3bae075ef47734d4c27092314dece8846bccaaf0548abf4b8fa718a07a643a7fbe96153d40e4c04783a8711d865b6a4758adc9a93729b70105e4dcd247a3e82f

    • SSDEEP

      12288:znWeizBbiU4vQDb1aLUSk1jpS+Lb4HlVYnWeizBbiU4vQDb1aLUSk1jpS+Lb4HlY:rW1z8Dvob1zrE+LkHloW1z8Dvob1zrEA

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/kgI01FJ.exe

    • Size

      7.6MB

    • MD5

      ee1ca9f7868eb93c0a8b6891507bab6d

    • SHA1

      a43ad5bfe9ed485b8363bd5573fc87bc098ffbf2

    • SHA256

      286df9f984db6b4cfefa68164dd3e3159314e86ce7cd304f143b3feb3a427c33

    • SHA512

      ccc7c26668019ab9fc1f91af5d90d9f69629227f18c2e1bbd9509ae098788233023e9935e5f58dfa72cb79e9f4eb2a47e7931a26e72693241ae283a075b15b0b

    • SSDEEP

      98304:wwwl6p5TJWYJQla+XGfjCnJJUKIixXPsDM0Nc/Uhv+eUf/xPgsI3EmdJ/zIod02b:wmEXPsDiyvDv3EgJ2QGY6WDMBpoQ9Vn

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      quarantine/monthdragon.exe

    • Size

      345KB

    • MD5

      3987c20fe280784090e2d464dd8bb61a

    • SHA1

      22427e284b6d6473bacb7bc09f155ef2f763009c

    • SHA256

      e9af37031ed124a76401405412fe2348dad28687ac8f25bf8a992299152bd6d9

    • SHA512

      5419469496f663cedcfa4acc6d13018a8ee957a43ff53f6ffa5d30483480838e4873ff64d8879996a32d93c11e727f0dded16ca04ab2e942ed5376ba29b10018

    • SSDEEP

      6144:IbuOXoQYLNnZXCHh+qF8tkT3CjqmeY0bE9ZPRrCSn+aoG0jQl:ICOYvLqoBEbsrCNkp

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      quarantine/random.exe

    • Size

      51KB

    • MD5

      ff254c1778aefe5af06889f1f999dee3

    • SHA1

      65f2c51cf46831799dc9acf96f07bd7e48a812ea

    • SHA256

      94bc0c01641801f258e207eca8227845f3f1c686e7394ce3864a6b2538b8eadb

    • SHA512

      0ed308c5e88352aad28848e5908267015308f628d15d5da11649c43e26a0492f311f3f4384f920ac7090d0068eff4ce9064829640b469308ae45dd57432e7957

    • SSDEEP

      1536:h6AW73JSiwUKlzbzSSfDiG/FN3PbY8s7CEe+94eu0ADroTXQIfQIhp7q06GBF1MC:h6AW73JSnUKlzbzSSriG/FN3PbY8s7Ca

    • Score

      3/10

    • Target

      quarantine/random_2.exe

    • Size

      3.7MB

    • MD5

      ff29a4631f60ccbe8844522cb56f13d4

    • SHA1

      b6b97814827a755ffc8b519452ccdc2acf2bc702

    • SHA256

      51af8a171cb7c4a6ff8b609de204a24004a1ba6c759e8fb21d5dc1dfc5ab4e49

    • SHA512

      9d14c6dc5469e308fb98be43bb342d8f3acda70e0fd0572bfec21ce88179993ef8bfc28d0b06675d19510b3aaa617de50570015ba345734a331f9850ba484835

    • SSDEEP

      98304:XV+uV1x+LyoyA4NyO/bGbH889uErrLRQ:XVzxkyZBGH3R

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      quarantine/random_3.exe

    • Size

      6.3MB

    • MD5

      1a533bf2a9707420075ab7386176fc46

    • SHA1

      54df68776bb4295174666cef86ec80d95694b9c5

    • SHA256

      e89155ae9e51d3ed7403f9b4cf95415304b01d14c3805dbaec64a37200b463f1

    • SHA512

      d18ca94d3a260b215bad490863edbb890c104afc111b96cfdd7a43a93b48921aac02fa760577c5dbf4a0d677fda8f51cc8b1cdfe1fb92286c6ec5b116ec52bef

    • SSDEEP

      98304:HJxCVdmLVwA7N/1Kc30bI7w/me7R+aF1ydNvdBKtdh5xNX8mWW1GHUXL:HqVmxIKOAUMaiSTr

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Cryptbot family

    • Detects CryptBot payload

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/random_4.exe

    • Size

      1.7MB

    • MD5

      f662cb18e04cc62863751b672570bd7d

    • SHA1

      1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

    • SHA256

      1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

    • SHA512

      ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

    • SSDEEP

      24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IW:+STZJPqyhWzXRU6l3rIDUmGhgscIa

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/random_5.exe

    • Size

      2.0MB

    • MD5

      f8c018216f57f1b72509a7663c044336

    • SHA1

      cd4eaf58d8fc646506cb32a70ed06e4db5498bbc

    • SHA256

      83523e1530308956b4e9a18ea660e8f14d6fac7a799fbc9e5fb547242a246348

    • SHA512

      66bd5c32186622fe4fbca0012e187925e60ef0744f11aadc278414faef2165b360395c2e4499e0d47ca02bd12296af95f65f18a820c7036a3068205ad3701a11

    • SSDEEP

      49152:JV+vACGSmFWBWAknqpBcHbpJE2TTVJQ90xm9QS+WqsU9/x6+:b0xmWwPnqSf1HVawmCShZU2+

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      quarantine/sHN20me.exe

    • Size

      2.0MB

    • MD5

      a3ae0e4950d93c81741684ba4f797b02

    • SHA1

      79f36f99919c49381a7530c7a68c0fea289b009e

    • SHA256

      a3156be254792eabe82f364124352724f8bdc55eaf8b998239eb4065a9e5c252

    • SHA512

      99588543ea466af2b9ae5c9f645309206248d4a3fb2591b2f4831130415adf602759b073f183cc968f63c1a314a7053ab6a586abf94f1416ebb1c0e5c95523b8

    • SSDEEP

      49152:2rnynqqthR2kwPbUyRUoIv1KVQUxxkbBpiNmb5Ve:2rynqchM8cM1QtbkK

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

  Score 3/10

behavioral1

  lumma, discovery, spyware, stealer
  Score 10/10

behavioral2

  lumma, discovery, spyware, stealer
  Score 10/10

behavioral3

  discovery, execution
  Score 8/10

behavioral4

  discovery, execution
  Score 8/10

behavioral5

  socks5systemz, botnet, discovery
  Score 10/10

behavioral6

  socks5systemz, botnet, discovery
  Score 10/10

behavioral7

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral8

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral9

  discovery
  Score 3/10

behavioral10

  discovery
  Score 3/10

behavioral11

  discovery, spyware, stealer
  Score 7/10

behavioral12

  discovery, spyware, stealer
  Score 7/10

behavioral13

  defense_evasion, discovery, spyware
  Score 9/10

behavioral14

  defense_evasion, discovery, spyware
  Score 9/10

behavioral15

  lumma, discovery, spyware, stealer
  Score 10/10

behavioral16

  lumma, discovery, spyware, stealer
  Score 10/10

behavioral17

  Score 1/10

behavioral18

  discovery
  Score 3/10

behavioral19

  gcleaner, defense_evasion, discovery, loader
  Score 10/10

behavioral20

  gcleaner, defense_evasion, discovery, loader
  Score 10/10

behavioral21

  cryptbot, credential_access, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral22

  cryptbot, credential_access, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral23

  redline, sectoprat, cheat, defense_evasion, discovery, infostealer, rat, spyware, stealer, trojan
  Score 10/10

behavioral24

  redline, sectoprat, cheat, defense_evasion, discovery, infostealer, rat, spyware, stealer, trojan
  Score 10/10

behavioral25

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral26

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral27

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10

behavioral28

  lumma, defense_evasion, discovery, spyware, stealer
  Score 10/10