Overview
overview
10Static
static
9Captiva.exe
windows7-x64
10Captiva.exe
windows10-2004-x64
10autoexec/bin.dll
windows7-x64
3autoexec/bin.dll
windows10-2004-x64
3locales/re...ng.dll
windows7-x64
1locales/re...ng.dll
windows10-2004-x64
1locales/re...ng.dll
windows7-x64
1locales/re...ng.dll
windows10-2004-x64
1locales/re...ng.dll
windows7-x64
3locales/re...ng.dll
windows10-2004-x64
1locales/re...er.dll
windows7-x64
1locales/re...er.dll
windows10-2004-x64
1locales/re...-1.dll
windows7-x64
1locales/re...-1.dll
windows10-2004-x64
1runtimes/w...er.dll
windows7-x64
1runtimes/w...er.dll
windows10-2004-x64
1runtimes/w...er.dll
windows7-x64
1runtimes/w...er.dll
windows10-2004-x64
1runtimes/w...er.dll
windows7-x64
3runtimes/w...er.dll
windows10-2004-x64
3scripts/Dex.js
windows7-x64
3scripts/Dex.js
windows10-2004-x64
3scripts/In...eld.js
windows7-x64
3scripts/In...eld.js
windows10-2004-x64
3scripts/UN...Env.js
windows7-x64
3scripts/UN...Env.js
windows10-2004-x64
3Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/02/2025, 06:14
Behavioral task
behavioral1
Sample
Captiva.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Captiva.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
autoexec/bin.dll
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral4
Sample
autoexec/bin.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
locales/resources/app.asar.unpacked/node_modules/btime/binding.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
locales/resources/app.asar.unpacked/node_modules/btime/binding.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
locales/resources/vk_swiftshader.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
locales/resources/vk_swiftshader.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
locales/resources/vulkan-1.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral14
Sample
locales/resources/vulkan-1.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
runtimes/win-arm64/native/WebView2Loader.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral16
Sample
runtimes/win-arm64/native/WebView2Loader.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
runtimes/win-x64/native/WebView2Loader.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
runtimes/win-x64/native/WebView2Loader.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
runtimes/win-x86/native/WebView2Loader.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
runtimes/win-x86/native/WebView2Loader.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
scripts/Dex.js
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral22
Sample
scripts/Dex.js
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
scripts/Infinite Yield.js
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral24
Sample
scripts/Infinite Yield.js
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
scripts/UNCCheckEnv.js
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral26
Sample
scripts/UNCCheckEnv.js
Resource
win10v2004-20250217-en
windows10-2004-x64
General
-
Target
Captiva.exe
-
Size
7.0MB
-
MD5
8b7343c22fb99c26da8f3122c6cecdcd
-
SHA1
898ebaa6ae8293f24306475ea5029520a1533dbc
-
SHA256
fd37270bdce8937cc3cb0d4d99300f537daba57e70f36f40e4c767411f7938cd
-
SHA512
8d806c124656ebdf151f92ce9bb6024cb2fe17a5dafeb90c0ceff783c6e8c9044f00bc846727465f64f79946096d60d81d2434ae6cb05b6a18aee5bc05e4ba81
-
SSDEEP
98304:c3d8QkJDJ3m0R1yQXvCyCE28yW1cadMykTmERn50gxIbgSZtwzn05A4tcqQVIhvQ:p+0ncq/aDDWqR
Malware Config
Extracted
lumma
https://uprootquincju.shop/api
Signatures
-
Lumma family
-
Program crash 1 IoCs
pid pid_target Process procid_target 2732 2628 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Captiva.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2528 taskmgr.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe 2528 taskmgr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2628 wrote to memory of 2732 2628 Captiva.exe 30 PID 2628 wrote to memory of 2732 2628 Captiva.exe 30 PID 2628 wrote to memory of 2732 2628 Captiva.exe 30 PID 2628 wrote to memory of 2732 2628 Captiva.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Captiva.exe"C:\Users\Admin\AppData\Local\Temp\Captiva.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 8482⤵
- Program crash
PID:2732
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2528