Analysis

geolocation tags: na, new-jersey, north-america, united-states, us, usa
max time kernel: 43s
max time network: 45s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01/07/2025, 06:38
Static task: static1
Behavioral task: behavioral1
Sample: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe
Resource: win10v2004-20250610-en
General

Target: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe
Size: 1.8MB
MD5: d39cb383043add11313d71a1ca938390
SHA1: a5dbb0cd26187c08212d75d59e3bac040f6ad7a5
SHA256: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b
SHA512: 47a151adce905facf8fa8c8ef8cacb28f9ff6d46677d1e446975bfb49a344718464276624acdb689b7ffead83361dd68b56f9b72dbc8ff100abb48ba1eb97332
SSDEEP: 49152:VJ/xIEyl4EFfYrzmI5P+N6DrEIxK5Ff5p+S:VJZrsFAFqC5AD+S
Malware Config

Extracted: lumma
build_id: 44d7a6088f9d1d509c2ebf7ae4155acadb3cce6ae4

Extracted: amadey
5.50
30b25e
http://31.43.185.30
install_dir: 321c2a24e4
install_file: dumer.exe
strings_key: 7ee2dad1150ef9038dda28ed93be4b54
url_paths: /ku9f3ton/index.php
Signatures

Amadey family
Lumma family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe)

Downloads MZ/PE file (1 IoC)
  flow 10, PID 5756: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe)

Executes dropped EXE (3 IoCs)
  PID 2596: R1KHGWM8MW5ABTZ89Y.exe
  PID 4420: dumer.exe
  PID 4888: dumer.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-4024151881-1944119507-1574723210-1000\Software\Wine (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 5756: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe

Drops file in Windows directory (1 IoC)
  File created: C:\Windows\Tasks\dumer.job (R1KHGWM8MW5ABTZ89Y.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (R1KHGWM8MW5ABTZ89Y.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (dumer.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 5756: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe (10 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeImpersonatePrivilege, PID 5756: 3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe (2 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5756 (3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe) wrote to memory of PID 2596, procid_target 79 (3 identical entries)
  PID 2596 (R1KHGWM8MW5ABTZ89Y.exe) wrote to memory of PID 4420, procid_target 80 (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c1cc52bb76569ad22cb7f0cbb866ab5e27a6118ba9fa5ead41385bad585c05b.exe"
   PID: 5756
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Downloads MZ/PE file
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\R1KHGWM8MW5ABTZ89Y.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\R1KHGWM8MW5ABTZ89Y.exe"
      PID: 2596
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe"
         PID: 4420
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery

1. C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
   PID: 4888
   - Executes dropped EXE
Network

MITRE ATT&CK Enterprise v16

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads

Filesize: 416KB
MD5: 7b8c43ff5287ec4c86921c06bff22ff0
SHA1: fb00fdb9cd78f260f5f26fc01aee6bb209d05877
SHA256: ed0b15b82c2dba6a4516c5a0f5268a95fd7fe8aead707272a096d8ef47db92c0
SHA512: dc914c0aa19df91665c5ad0020bfe87bcb7e97126446d4497b6ca8388f1e040796129c66effeeee78073d4f4f3e96d3446652c7510806bb6ac6cc652f4774784