Overview
Static: 10
Setup.exe (windows11-21h2-x64): 3
$TEMP/Anytime.dot (windows11-21h2-x64): 10
$TEMP/Attitude.dot (windows11-21h2-x64): 1
$TEMP/Color.dot (windows11-21h2-x64): 1
$TEMP/Cons...es.dot (windows11-21h2-x64): 1
$TEMP/Entitled.dot (windows11-21h2-x64): 1
$TEMP/Pleased.dot (windows11-21h2-x64): 1
$TEMP/Richardson.dot (windows11-21h2-x64): 1
$TEMP/Submitting.dot (windows11-21h2-x64): 1
$TEMP/Turning.dot (windows11-21h2-x64): 1
Analysis
Geolocation tags: na, new-jersey, north-america, united-states, us, usa
Max time kernel: 136s
Max time network: 137s
Platform: windows11-21h2_x64
Resource: win11-20250619-en
Resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 01/07/2025, 06:37
Static task: static1
Behavioral task behavioral1: Setup.exe (resource win11-20250619-en)
Behavioral task behavioral2: $TEMP/Anytime.dot (resource win11-20250619-en)
Behavioral task behavioral3: $TEMP/Attitude.dot (resource win11-20250610-en)
Behavioral task behavioral4: $TEMP/Color.dot (resource win11-20250610-en)
Behavioral task behavioral5: $TEMP/Consequences.dot (resource win11-20250619-en)
Behavioral task behavioral6: $TEMP/Entitled.dot (resource win11-20250619-en)
Behavioral task behavioral7: $TEMP/Pleased.dot (resource win11-20250610-en)
Behavioral task behavioral8: $TEMP/Richardson.dot (resource win11-20250619-en)
Behavioral task behavioral9: $TEMP/Submitting.dot (resource win11-20250619-en)
Behavioral task behavioral10: $TEMP/Turning.dot (resource win11-20250610-en)
General
Target: Setup.exe
Size: 1.1MB
MD5: 5e80f3a191aae0fb63a1a0c6d8d781bb
SHA1: 2083c8270cc0270cc2d2de1858fc38f5e9d09f9e
SHA256: 240bce5a0d11df228597503ac7070f5f54cb40b71a8d1ed7f3de3d97dafacd47
SHA512: 7e2601c6fc8e0642a2e405d39988d980c8a83c0d31b352e4b48525d73b67cf0582b4a77a80cc046717cf32a8d5f7b0a7ae2ec304dade1f6c769573ae3b08c0d8
SSDEEP: 24576:O0adjo4mkZ7hDsijX4nq9wrQ9c5qAoKtzi2T9pgLbHcjXDFyMZI0Q2Myk81:OXU4p7hLjonq9RcVVBjpqbHczDS2n
Malware Config
Extracted family: lumma
C2 URLs:
build_id: f020fca5b284e3026ebd4807041a821b354185
Signatures
- Lumma family
- Executes dropped EXE (1 IoC)
  PID 2108: Super.com
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 4352: tasklist.exe
  PID 4076: tasklist.exe
- Drops file in Windows directory (4 IoCs)
  File opened for modification: C:\Windows\DiagramAuckland (Setup.exe)
  File opened for modification: C:\Windows\TrueCalculations (Setup.exe)
  File opened for modification: C:\Windows\CumSink (Setup.exe)
  File opened for modification: C:\Windows\ChoiceNitrogen (Setup.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe, tasklist.exe, findstr.exe, tasklist.exe, extrac32.exe, Super.com, choice.exe, Setup.exe, findstr.exe, findstr.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 2108: Super.com (6 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 4352 tasklist.exe
  Token SeDebugPrivilege: PID 4076 tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2108: Super.com (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 2108: Super.com (3 events)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Each of the nine writes below is logged three times (source PID and process, target PID, procid_target):
  PID 2608 Setup.exe wrote to memory of 3288 (procid_target 78)
  PID 3288 cmd.exe wrote to memory of 4352 (procid_target 80)
  PID 3288 cmd.exe wrote to memory of 4360 (procid_target 81)
  PID 3288 cmd.exe wrote to memory of 4076 (procid_target 83)
  PID 3288 cmd.exe wrote to memory of 4164 (procid_target 84)
  PID 3288 cmd.exe wrote to memory of 1564 (procid_target 85)
  PID 3288 cmd.exe wrote to memory of 1324 (procid_target 86)
  PID 3288 cmd.exe wrote to memory of 2108 (procid_target 87)
  PID 3288 cmd.exe wrote to memory of 1460 (procid_target 88)
Processes (indentation shows the process tree depth)
C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 3288)
    Command line: "C:\Windows\system32\cmd.exe" /c copy Entitled.dot Entitled.dot.bat & Entitled.dot.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 4352)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 4360)
      Command line: findstr /I "opssvc wrsa"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe (PID 4076)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 4164)
      Command line: findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\extrac32.exe (PID 1564)
      Command line: extrac32 /Y Importantly.dot *.*
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe (PID 1324)
      Command line: findstr /V "educators" Operation
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\479390\Super.com (PID 2108)
      Command line: Super.com C
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\choice.exe (PID 1460)
      Command line: choice /d n /t 5
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads