Analysis
max time kernel: 56s
max time network: 58s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2025, 08:52
Behavioral task
behavioral1
Sample: ♦•Rèady•Fîlè•PassW0rd•Is•♦11148•.7z
Resource: win7-20240903-en
General
Target: ♦•Rèady•Fîlè•PassW0rd•Is•♦11148•.7z
Size: 8.0MB
MD5: 5658f6a118b93d6739fb6f5e7efd9d81
SHA1: 4a5bfbf68b0b464fa5702b23df7808eab7515291
SHA256: b49e1e47ae0a7ccee75280b0d13405811dd343b6b619e20cb33eee80e16aa3f2
SHA512: 4100da7b792662e224244e36325152706b9599092b0a1cb23a6d6fec931a0a89729e8065e5e4d89b98454d43f052a54f6d0fa37acced287521e020c8ea8f985d
SSDEEP: 196608:Lr3VkNhAwfYGVfk/toNrjLtTpQhCv5VkAd7jyZvW0eW50YnYt:LZkYvGVfmarj5Tb8mjyZvPN51m
Malware Config
Extracted: lumma
C2:
  https://hingehjan.shop/api
  https://featureccus.shop/api
  https://wmrodularmall.top/api
  https://jowinjoinery.icu/api
  https://legenassedk.top/api
  https://htardwarehu.icu/api
  https://2cjlaspcorne.icu/api
  https://bugildbett.top/api
  https://6latchclan.shop/api
Extracted: latrodectus 1.4
C2:
  https://remustarofilac.com/test/
  https://horetimodual.com/test/
group: Ferrary
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
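The extracted configuration above gives the C2 hosts of both families and the fixed User-Agent string in the Latrodectus config. As an added example that is not part of this report, the following Python matches those indicators against proxy log lines. The C2 URLs and User-Agent are copied from the config above; the log lines and their layout (timestamp, client, method, URL, status, quoted User-Agent) are constructed for the example and are an assumption about your proxy's format. It matches on hostname rather than the full URL, so a different path on the same host still fires, treats subdomains of a C2 host as hits, and shows why a plain string-suffix check would be wrong.

```python
"""Match the Lumma/Latrodectus C2 hosts and the Latrodectus User-Agent against
proxy log lines. Added example, not from the sandbox report; SAMPLE_LOG is
constructed and LOG_RE is an assumed log layout."""
import re
from urllib.parse import urlsplit

# C2 URLs as extracted from the sample's configs (Malware Config section above).
LUMMA_C2 = [
    "https://hingehjan.shop/api",
    "https://featureccus.shop/api",
    "https://wmrodularmall.top/api",
    "https://jowinjoinery.icu/api",
    "https://legenassedk.top/api",
    "https://htardwarehu.icu/api",
    "https://2cjlaspcorne.icu/api",
    "https://bugildbett.top/api",
    "https://6latchclan.shop/api",
]
LATRODECTUS_C2 = ["https://remustarofilac.com/test/", "https://horetimodual.com/test/"]
LATRODECTUS_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"

# Assumed log layout: ts client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def c2_hosts(urls):
    """Reduce C2 URLs to lower-case hostnames; the path is not part of the match."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_on_watchlist(host, watchlist):
    """Exact host or a subdomain of it: api.evil.tld matches evil.tld, notevil.tld does not."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watchlist)


def scan_proxy_log(lines):
    """One finding per log line that touches a C2 host or carries the Latrodectus UA."""
    watch = {"lumma": c2_hosts(LUMMA_C2), "latrodectus": c2_hosts(LATRODECTUS_C2)}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production count these rather than drop them
        host = urlsplit(m["url"]).hostname or ""
        reasons = [f"{fam}_c2_host" for fam, hosts in watch.items() if host_on_watchlist(host, hosts)]
        if m["ua"] == LATRODECTUS_UA:
            reasons.append("latrodectus_user_agent")
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"], "host": host, "reasons": reasons})
    return findings


# Constructed sample lines (not taken from the report's network capture).
SAMPLE_LOG = [
    '2025-03-14T08:53:01Z 10.0.0.21 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-14T08:53:07Z 10.0.0.21 POST https://hingehjan.shop/api 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-14T08:53:20Z 10.0.0.21 POST https://remustarofilac.com/test/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"',
    '2025-03-14T08:53:25Z 10.0.0.21 GET https://cdn.example.net/update.bin 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"',
    '2025-03-14T08:54:02Z 10.0.0.33 GET https://api.hingehjan.shop/x 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2025-03-14T08:54:09Z 10.0.0.33 GET https://nothingehjan.shop/api 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample line is the case worth keeping in mind: the User-Agent alone is enough to flag a request to a host that is not on the C2 list, which is how you catch a build whose C2 domains have rotated since the config was extracted.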
Signatures
Latrodectus family
Latrodectus loader
Latrodectus is a loader written in C++.
Lumma family
Downloads MZ/PE file (2 IoCs)
  flow  pid   Process
  17    6040  svchost.exe
  30    2252  svchost.exe
Executes dropped EXE (3 IoCs)
  pid   Process
  5372  Setup.exe
  5228  Setup.exe
  1824  Setup.exe
Loads dropped DLL (27 IoCs)
  pid   Process       occurrences
  5372  Setup.exe     8
  5228  Setup.exe     8
  1376  rundll32.exe  1
  544   rundll32.exe  1
  5384  rundll32.exe  1
  1824  Setup.exe     8
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process    procid_target
  PID 5372 set thread context of 2380  5372  Setup.exe  85
  PID 1824 set thread context of 3212  1824  Setup.exe  95
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  more.com
Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   Process      occurrences
  5372  Setup.exe    2
  2380  more.com     2
  6040  svchost.exe  8
  5228  Setup.exe    1
  1824  Setup.exe    2
  3212  more.com     2
  2252  svchost.exe  8
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  4436  7zFM.exe
Suspicious behavior: MapViewOfSection (4 IoCs)
  pid   Process
  5372  Setup.exe
  2380  more.com
  1824  Setup.exe
  3212  more.com
Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                    pid   Process      occurrences
  Token: SeRestorePrivilege      4436  7zFM.exe     1
  Token: 35                      4436  7zFM.exe     1
  Token: SeSecurityPrivilege     4436  7zFM.exe     1
  Token: SeImpersonatePrivilege  6040  svchost.exe  2
  Token: SeImpersonatePrivilege  2252  svchost.exe  2
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process   occurrences
  4436  7zFM.exe  3
Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process       procid_target  occurrences
  PID 5372 wrote to memory of 2380  5372  Setup.exe     85             4
  PID 2380 wrote to memory of 6040  2380  more.com      87             5
  PID 6040 wrote to memory of 1376  6040  svchost.exe   91             3
  PID 1376 wrote to memory of 544   1376  rundll32.exe  92             2
  PID 544 wrote to memory of 5384   544   rundll32.exe  93             2
  PID 1824 wrote to memory of 3212  1824  Setup.exe     95             4
  PID 3212 wrote to memory of 2252  3212  more.com      97             5
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
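The report records only that the Task Scheduler COM API was used, not which task (if any) was registered. As an added example that is not part of the report, the following Python inventories scheduled-task definitions (the XML files under C:\Windows\System32\Tasks) and flags Exec actions that run rundll32 or regsvr32 on a DLL under a user profile, which is the shape a task would need to relaunch a DLL like the Update_1168b247.dll seen in the process tree. The task XML is constructed for the example; the task names, the benign tasks and the set of loader binaries are assumptions.

```python
"""Inventory Task Scheduler XML definitions and flag rundll32/regsvr32 actions
that load a DLL from a user profile. Added example, not from the sandbox report;
the three task documents below are constructed. On a live host pass the raw
bytes of each file under C:\\Windows\\System32\\Tasks (UTF-16 with a BOM, which
ElementTree decodes); the samples omit the XML declaration so they parse as str."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\", re.I)
DLL_LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}  # assumed watch set


def _local(tag):
    """Strip the namespace from a tag: {ns}LogonTrigger -> LogonTrigger."""
    return tag.rsplit("}", 1)[-1]


def parse_task(name, xml_data):
    """Return the task's trigger kinds and its Exec actions as (command, arguments) pairs."""
    root = ET.fromstring(xml_data)
    trig_el = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_el is None else [_local(t.tag) for t in trig_el]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return {"task": name, "triggers": triggers, "actions": actions}


def suspicious_actions(task):
    """Flag actions whose command is a DLL loader and whose arguments point into \\Users\\."""
    out = []
    for cmd, args in task["actions"]:
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if exe in DLL_LOADERS and USER_PROFILE.search(args):
            out.append({"task": task["task"], "triggers": task["triggers"],
                        "command": cmd, "arguments": args})
    return out


def scan_tasks(tasks):
    """tasks: iterable of (task name, xml text or bytes). Returns every suspicious action."""
    findings = []
    for name, xml_data in tasks:
        findings.extend(suspicious_actions(parse_task(name, xml_data)))
    return findings


# Constructed: a task that would relaunch the DLL path seen in the process tree at logon.
TASK_SUSPECT = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\\Users\\Admin\\AppData\\Roaming\\Custom_update\\Update_1168b247.dll", Editor</Arguments>
    </Exec>
  </Actions>
</Task>"""
# Constructed benign tasks: a non-loader command, and rundll32 on a DLL outside any user profile.
TASK_TIME = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""
TASK_CPL = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\rundll32.exe</Command><Arguments>C:\\Windows\\System32\\shell32.dll,Control_RunDLL</Arguments></Exec>
  </Actions>
</Task>"""
SAMPLE_TASKS = [("\\ExampleUpdate", TASK_SUSPECT), ("\\ExampleTime", TASK_TIME), ("\\ExampleCpl", TASK_CPL)]

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(finding)
```

The path check is deliberately on the arguments rather than the command, because the loader itself is always a signed system binary; what distinguishes the persistence task is the DLL it is told to load.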
Processes
C:\Program Files\7-Zip\7zFM.exe
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\♦•Rèady•Fîlè•PassW0rd•Is•♦11148•.7z"
  PID: 4436
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Setup.exe
  cmd: "C:\Users\Admin\Desktop\Setup.exe"
  PID: 5372
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\more.com
    cmd: C:\Windows\SysWOW64\more.com
    PID: 2380
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      cmd: C:\Windows\SysWOW64\svchost.exe
      PID: 6040
      - Downloads MZ/PE file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32 "C:\Users\Admin\AppData\Local\Temp\93J7QVSU2QBZPCZGV06EX.dll",Editor
        PID: 1376
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe
          cmd: rundll32 "C:\Users\Admin\AppData\Local\Temp\93J7QVSU2QBZPCZGV06EX.dll",Editor
          PID: 544
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\rundll32.exe
            cmd: rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_1168b247.dll", Editor
            PID: 5384
            - Loads dropped DLL

C:\Users\Admin\Desktop\Setup.exe
  cmd: "C:\Users\Admin\Desktop\Setup.exe"
  PID: 5228
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1192

C:\Users\Admin\Desktop\Setup.exe
  cmd: "C:\Users\Admin\Desktop\Setup.exe"
  PID: 1824
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\more.com
    cmd: C:\Windows\SysWOW64\more.com
    PID: 3212
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      cmd: C:\Windows\SysWOW64\svchost.exe
      PID: 2252
      - Downloads MZ/PE file
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
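The process tree above shows the dropped Setup.exe injecting into more.com (SetThreadContext and WriteProcessMemory), more.com writing into a SysWOW64 svchost.exe that was started with no service-group argument, and that svchost.exe launching rundll32.exe against a DLL in %TEMP% with the export name Editor, which in turn relaunches from %APPDATA%\Custom_update. As an added example that is not part of the report, the following Python encodes those parent/child and command-line relationships as hunting rules over process-creation records (Sysmon Event ID 1 style: pid, ppid, image, command line) and reports the ancestor chain for every hit. The records are constructed from the PIDs and command lines in the tree; the field names, the parents of Setup.exe and the benign rows are assumptions.

```python
"""Hunt the Setup.exe > more.com > svchost.exe > rundll32.exe chain from the
sandbox process tree in process-creation telemetry. Added example, not from the
report; SAMPLE_EVENTS is constructed (PIDs and command lines copied from the
tree, benign rows and the parents of Setup.exe assumed)."""
import re

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
# rundll32 argument form: [optional quote]<drive>:\<path>.dll[optional quote] , <export>
DLL_ARG = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?\s*,\s*(\w+)', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_hits(ev, by_pid):
    """Names of the rules a single event trips, judged together with its parent."""
    name = _basename(ev["image"])
    parent = by_pid.get(ev["ppid"])
    hits = []
    if name == "more.com" and parent and USER_WRITABLE.search(parent["image"]):
        hits.append("more.com spawned by a binary in a user-writable path (injection target)")
    if name == "svchost.exe":
        if "-k" not in ev["cmd"].lower():
            hits.append("svchost.exe started without a -k service group")
        if parent and _basename(parent["image"]) != "services.exe":
            hits.append("svchost.exe parent is not services.exe")
    if name == "rundll32.exe":
        m = DLL_ARG.search(ev["cmd"])
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append(f"rundll32.exe loads {m.group(1)} export {m.group(2)}")
    return hits


def ancestry(ev, by_pid):
    """Image names from the oldest known ancestor down to this event."""
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:  # seen guards against PID reuse loops
        seen.add(ev["pid"])
        chain.append(_basename(ev["image"]))
        ev = by_pid.get(ev["ppid"])
    return list(reversed(chain))


def hunt(events):
    """One finding per event that trips a rule, with its ancestor chain and the rule names."""
    # Keyed on PID for brevity; on real telemetry key on ProcessGuid, since PIDs are reused.
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        hits = rule_hits(ev, by_pid)
        if hits:
            findings.append({"pid": ev["pid"], "chain": " > ".join(ancestry(ev, by_pid)), "rules": hits})
    return findings


def _ev(pid, ppid, image, cmd=None):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": image if cmd is None else cmd}


SAMPLE_EVENTS = [
    _ev(600, 500, r"C:\Windows\System32\services.exe"),                                   # assumed
    _ev(1000, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),  # assumed, legitimate
    _ev(4000, 900, r"C:\Windows\explorer.exe"),                                           # assumed
    _ev(5372, 4000, r"C:\Users\Admin\Desktop\Setup.exe", r'"C:\Users\Admin\Desktop\Setup.exe"'),
    _ev(2380, 5372, r"C:\Windows\SysWOW64\more.com"),
    _ev(6040, 2380, r"C:\Windows\SysWOW64\svchost.exe"),
    _ev(1376, 6040, r"C:\Windows\SysWOW64\rundll32.exe",
        r'rundll32 "C:\Users\Admin\AppData\Local\Temp\93J7QVSU2QBZPCZGV06EX.dll",Editor'),
    _ev(544, 1376, r"C:\Windows\system32\rundll32.exe",
        r'rundll32 "C:\Users\Admin\AppData\Local\Temp\93J7QVSU2QBZPCZGV06EX.dll",Editor'),
    _ev(5384, 544, r"C:\Windows\system32\rundll32.exe",
        r'rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_1168b247.dll", Editor'),
    _ev(7000, 1000, r"C:\Windows\System32\rundll32.exe",                                  # assumed, legitimate
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["pid"], f["chain"], f["rules"], sep="\n  ")
```

The svchost.exe rules are the high-signal ones: a svchost.exe whose parent is anything other than services.exe, or whose command line carries no -k group, has no legitimate reason to exist, and here the second Setup.exe chain (PIDs 1824, 3212, 2252) would trip them identically.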
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: befd2068c7b84d164fae74547f75a8e1
SHA1: 4248de5904dd5afd1f127434696a0674ea77cb53
SHA256: 9ce9359ce96453742739483bbd02f2cba2d9cb160e8aab64871ec62ea4ebee56
SHA512: 548238557857aaee38211ea55843db391bcf7bc16b8846cf94ea3c5fb5f653aaf67b73ca763ca9e0f5d94cca129e6abf71db8bd438d3101a22c427e012fa1646

Filesize: 1.8MB
MD5: 56f403ded2a31f25592afcc131cf378a
SHA1: 3d7c8aa50ecc650ba161234272c532ec1d502145
SHA256: 5e9b53207cb53c38217fb443e9a84c0fa745fa7fc62ace3673a2c49c6e873749
SHA512: 653abb63d0e35ecb214daa27bea025df11ed5bf03183cdf17dc1e492e41831fbb99efaf921be120b7d8740f8d5faad8c64511b3ab589d11b40d3ad5c66cc1289

Filesize: 1.1MB
MD5: 998ccab28eaa3dacfdae1d7bf1fea5c1
SHA1: 670e6a25b879a41e0a4ca178382159fe2fc81074
SHA256: 355f027a9572b3d12d4c0adf978b9ff4b91f88030298348d8a3431b1a08507a5
SHA512: 1ad955829270b821d6e45c4c9bb1e63ff718dd6b11bfb24f38c711900e880d2e3b22e1637602556898acafd11b982bfbdec3423fcff9d7d39752237f7e432e83

Filesize: 349KB
MD5: f76f5a566cbb5f561d26e7aca841c723
SHA1: 4838fd2dd9dbfcdaf2b1f11091f15a17f93c29be
SHA256: 0576fc3b0c9381c47a8a9443abdd195eebb34ece0adc5c6d17624ca0e914e8e3
SHA512: 9f574f09a4c54b8e786846297fcfad7af647eb134d8e960b078a83e982ccae2956aa6c4c1014c01c7774461e31314904cb6dfc325c7a90c3e31130838beb24c0

Filesize: 32KB
MD5: 9770af8f7f17be5cd9e382c21b1d45d4
SHA1: 510f330d137e77b1f1cae30b2862f2202c0bed87
SHA256: ad651b49484e5bafe951e1008f3c526e5f2cf7d7ca66f40ceda2922fc7e26035
SHA512: 54949b063934c20cfc0f451efcffd864b613e253a5949021888607708c769045a6aae6f66c4c727a6fa13fac043de378c8b1ce2c0c27f0dd2860874abace7fd5

Filesize: 1KB
MD5: 07ed7491eaeb2827fc43db885613e762
SHA1: 7ac5fd487153addb79f97a4ad0521009f6b0c07c
SHA256: 3a3b8f9b73f2192eb1898167363ba65a064b9db611a98abd2f274686f69f8440
SHA512: adbcb566296b9a493defb23c28091dcbfbeddc7708aa595f9ac98782149bda374ff1db376d3c0c03af12458c80fb614c9cccf79cb92e6bd744de9286f24fc944

Filesize: 1KB
MD5: 0663cb6d365a509905989f9456f63b69
SHA1: 2f55ce4842ffd86a91f266487688cc1e7bd1764e
SHA256: 0cb2a2d5116f1ce2227be2f09cb374811dc2d766def2e33fe9c4818bbf3ec3c0
SHA512: c7e1fc9231b60429816a2ffbacd7a99e2679bc77ce7d3a6c127347d471ab52f06ce86765bae5ad3f18ac1bf0192a33cd79a0fc4db4b127e2123ec251b2654cca

Filesize: 5KB
MD5: 82dff2672115d101cd47a8fa9b6abeda
SHA1: 0e8e7fc2f191760c51dbeafa0fc32445a7374cff
SHA256: 505ccfd91dc952c3373672526e966ddcdca9d5f2dfbf84b8c8adb7bcd1ab8e76
SHA512: aa73bbff14fea511ef6a910368b7a842df740794bd0e1b30da0a76eaaf6f43ff801e02ed743807de9e8c955e6d35c1709c98113b4d92ddbb6febc33c0b2631d4

Filesize: 2.3MB
MD5: 03985b7b207e63b6bb894ea6ea78d92b
SHA1: 0e6fc44b1f3c724e6050152d9e240a548314a6ff
SHA256: 793153a9262e4c280a71ea595fe49208a89766d6d344766af0abf8c32648f3e0
SHA512: a2e9749c7d7c9745eb16b6976c6c208b3ce2ee524e958cf7c41d0d31a7fb761c4f66ad8320301c652ef4ea8128111ad9687e64f3944d40b933153d99ab8c272b

Filesize: 8.2MB
MD5: 7762990562f96b0650da3c55e3329efa
SHA1: feac520d4484a377ff4e183bfef4f6a843e3a977
SHA256: 8c11f38ceb7b2a8ba3b7d6a34a1d50ede35bf328838cf1d8483ebc85313b5ed0
SHA512: 4921c40ac1b4202185a8a712fd8375cb9653df411a0124c7b3225c423bae0de37713107e7068d7b3fb7150af3e1d754565694dec76ef5853c020088af61a634a

Filesize: 825KB
MD5: a3c0c0b1442cdc0a2f49c2b2ae39d245
SHA1: 6aff3d64e06955fb9ad4b19c394dcfdc212b423a
SHA256: 901fc44992636086f2bc958aa3bdbe2d9ac3e169fc11e0f9d92d235cc906a35a
SHA512: b4bb0196ab8a960206b7f1d082eb7d94a408345a2887694d17186f3a2581e9263ddd43d099f2493ee8789ab5ebabac911ba54c069e517cfc479461b1a7bb4f20

Filesize: 341KB
MD5: 7700f61beca60db53658c52a05b01941
SHA1: 983f920ffec60b308c02cc07e0abf465c8ba965a
SHA256: 7e6b2664f4417f5a8f981ced5f2eef867cb72bca990fe3864d76d878ff62cf52
SHA512: 33e68f2b2440079a75523f69d55ebeb175f1448731d28ba1a120729df3e1612231903c5a9872ab673d629e865f60550bec52d7004417f0305e412724dc8011d4

Filesize: 2.2MB
MD5: 832205883448ab8c689d8a434d92f80b
SHA1: 890c403a288c65683edbe9917b972ceb6eb7eba7
SHA256: 558addae67d50612acd60a02fb29d41be61999d299348df9a225e419cc9395ed
SHA512: 0c1b8b3776c14b78f9b7ac09627ca7762f62c63da489204f376519752b029951798c1ed24aed07cc660c5e54936c06560fda921e33a76e80ebab10ef97177973

Filesize: 641KB
MD5: cdbf8cd36924ffb81b19487746f7f18e
SHA1: 781190c5a979359054ce56ceef714a8f5384cfbb
SHA256: 0813c77df688b39f26bad0be2b3e4afde13e97d9a1ebcbdb3b1f4184218d1a57
SHA512: ca43450e853b3c74808ad199abe329ac2a2d7ae2e84c17fb467374c22ec9620fb102c75889e279e2d28f0ebd14d8bafafe700241ba4141fd64b4801802a3d474

Filesize: 931KB
MD5: ee7926dda58f07906747bc936724aea7
SHA1: 5133bbb7df2e07443d7c6521e878366ae115e28c
SHA256: fb617ba0ec74d3e258caa81f90160cad38b6127108adcd1a1ea08d1c95a2d1e6
SHA512: 4ce28ba95b0de21f3baedb66a63b44bdfc540350855752d94c84ccb63f138035b0352725c9c744aa64d19dcdbf794afe69712b7ca49e67476378a60829aecd7c

Filesize: 536KB
MD5: 272a9e637adcaf30b34ea184f4852836
SHA1: 6de8a52a565f813f8ac7362e0c8ba334b680f8f8
SHA256: 35b15b78c31111db4fa11d9c9cad3a6f22c92daa5e6f069dc455e72073266cc4
SHA512: f1f04a84d25a74bb1cf6285ef705f092a08e93d39df569f6badc45b8722d496bbbef02b4e19f76a0332e3842945506c2c12ad61fe34f339bb91f49b8d112cd52

Filesize: 612KB
MD5: 43143abb001d4211fab627c136124a44
SHA1: edb99760ae04bfe68aaacf34eb0287a3c10ec885
SHA256: cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03
SHA512: ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Filesize: 25KB
MD5: 6151d95a66c763f2ae00c6e8928a4826
SHA1: 858f4c3e3f848c4832b8776b1166170623404982
SHA256: fa216c845e5dd3d89bf6cd128f617ea7a51d092ac5ca1bc26c964b83fcf06592
SHA512: fbf1cb4cca5fb534ea3a64bb261cd729f211dc7b16ccc67c5804d41634be56e159f48885d2f9ca227641e921e6e8e71b643e631e6a5e80f7dddde8ddac40f66c

Filesize: 456B
MD5: 4eb9bf26e77653187898d2b0a95a6558
SHA1: a30418f1ef539b0ad19c04a2022c7ff5cc5416d5
SHA256: 7c0fde63c907746a561d2a4d3346687eea2b3e2a4a88f9ff7931958721eb5f31
SHA512: b1e22138484b6c3d62d2a2f5d5df0f4743df5c77c3abdf12477309ab8df6b4497d34425c8a84078f1d8af1b8a206d5c049ab565b8a96725d889a9203186eeee0