Analysis
max time kernel: 281s
max time network: 282s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250619-en locale:en-us os:windows10-2004-x64 system
submitted: 04/07/2025, 12:06
Static task: static1
Behavioral task behavioral1: Sample 04072025_1206_ChristopherCraft.exe, Resource win10v2004-20250619-en
Behavioral task behavioral2: Sample ExamplesJennifer/Enjoyed.xls, Resource win10v2004-20250619-en
Behavioral task behavioral3: Sample TvcomFreight/Browsers.xls, Resource win10v2004-20250610-en
Behavioral task behavioral4: Sample TvcomFreight/Closes.xls, Resource win10v2004-20250619-en
Behavioral task behavioral5: Sample TvcomFreight/Euro.xls, Resource win10v2004-20250610-en
Behavioral task behavioral6: Sample TvcomFreight/Observer.xls, Resource win10v2004-20250610-en
Behavioral task behavioral7: Sample TvcomFreight/Opinion.xls, Resource win10v2004-20250502-en
Behavioral task behavioral8: Sample TvcomFreight/V.xls, Resource win10v2004-20250502-en
General
Target: 04072025_1206_ChristopherCraft.exe
Size: 12.0MB
MD5: d6a1aab8db3097d36a5282b20dd6a1bf
SHA1: a89a5af5ac50adfd0c300f1b04bee70a4a5089df
SHA256: df2b1b10e01cd391a3dcb08327a887b8b534f4e6ba702c72619926c74daecad5
SHA512: 2bc64b7ae854fbf4afa66cddafb6f006877250662c9a35a0010de4fa262302c807295f8523e79d217d0b180a89d83e8447278ea968f744abf54e96539fb653ea
SSDEEP: 24576:N0a1ZrvUfdXZx/mEHaSwrfyJujaB5N0uQ/mkl:NZALlUfCBnamkl
Malware Config
Extracted: lumma
build_id: 0b919b275dc5920e130f2a71ccf287f507e09929
Signatures
Lumma family
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation (process: 04072025_1206_ChristopherCraft.exe)
Executes dropped EXE (1 IoC)
  PID 5040 Threaded.com
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  PID 2292 tasklist.exe
  PID 1976 tasklist.exe
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\GtkDepot (process: 04072025_1206_ChristopherCraft.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of: findstr.exe, tasklist.exe, findstr.exe, findstr.exe, choice.exe, 04072025_1206_ChristopherCraft.exe, cmd.exe, tasklist.exe, extrac32.exe, Threaded.com
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 5040 Threaded.com (12 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2292 tasklist.exe
  Token: SeDebugPrivilege, PID 1976 tasklist.exe
  Token: SeImpersonatePrivilege, PID 5040 Threaded.com
Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 5040 Threaded.com (3 identical entries)
Suspicious use of SendNotifyMessage (3 IoCs)
  PID 5040 Threaded.com (3 identical entries)
Suspicious use of WriteProcessMemory (27 IoCs; each entry below appears 3 times)
  PID 2684 04072025_1206_ChristopherCraft.exe wrote to memory of PID 228 (procid_target 86)
  PID 228 cmd.exe wrote to memory of PID 2292 (procid_target 96)
  PID 228 cmd.exe wrote to memory of PID 3028 (procid_target 97)
  PID 228 cmd.exe wrote to memory of PID 1976 (procid_target 100)
  PID 228 cmd.exe wrote to memory of PID 4196 (procid_target 101)
  PID 228 cmd.exe wrote to memory of PID 4456 (procid_target 102)
  PID 228 cmd.exe wrote to memory of PID 3148 (procid_target 103)
  PID 228 cmd.exe wrote to memory of PID 5040 (procid_target 104)
  PID 228 cmd.exe wrote to memory of PID 2628 (procid_target 105)
Processes
C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe (PID 2684, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 228, depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c copy Browsers.xls Browsers.xls.bat & Browsers.xls.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe (PID 2292, depth 3)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 3028, depth 3)
      Command line: findstr /I "opssvc wrsa"
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe (PID 1976, depth 3)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe (PID 4196, depth 3)
      Command line: findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set YhiTgBlLujKrjjSwyNzUWfJW=AutoIt3.exe & Set raPtRpuxzjwGYWHwTgdaszFhgVP=.a3x & Set NXFYuIdYQ=300
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\extrac32.exe (PID 4456, depth 3)
      Command line: extrac32 /Y Phase.xls *.*
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe (PID 3148, depth 3)
      Command line: findstr /V "Ct" Rick
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com (PID 5040, depth 3)
      Command line: Threaded.com h
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\choice.exe (PID 2628, depth 3)
      Command line: choice /d n /t 5
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (3)
    - Credentials In Files (3)
Downloads