Analysis
-
max time kernel
15s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31/12/2023, 05:16
General
-
Target
299e7cda75bcbaf576fe85afc0a1f993.exe
-
Size
1.2MB
-
MD5
299e7cda75bcbaf576fe85afc0a1f993
-
SHA1
897bbd813e5acf8f2e6d41531d9a3079dd67a8ea
-
SHA256
88e4b4a9fb614ec33e573354ecc8086e77d3703fd89b7efd3acc5f8de99287f1
-
SHA512
9ce2f3c6bdaf0cb31cdb5f7ad9bded6f7fbf21f259a5fca1397d69193b4f934eb05a2e026636ce84e53b91d4819de2e0ef425a3232658bf5dba95ca0cc3521a7
-
SSDEEP
24576:BQHk18m7hgeUR3Gw4K2unwWJ7DFzkKGTP0oOYvw:BQCBhUwRVWHzkTLGY
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 9 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies security service 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Drops file in System32 directory 4 IoCs
-
Runs .reg file with regedit 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 696 "C:\Users\Admin\AppData\Local\Temp\299e7cda75bcbaf576fe85afc0a1f993.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 712 "C:\Windows\SysWOW64\cPanel.com"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 724 "C:\Windows\SysWOW64\cPanel.com"3⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 728 "C:\Windows\SysWOW64\cPanel.com"4⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 732 "C:\Windows\SysWOW64\cPanel.com"5⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 720 "C:\Windows\SysWOW64\cPanel.com"6⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 740 "C:\Windows\SysWOW64\cPanel.com"7⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 744 "C:\Windows\SysWOW64\cPanel.com"8⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 748 "C:\Windows\SysWOW64\cPanel.com"9⤵
-
C:\Windows\SysWOW64\cPanel.comC:\Windows\system32\cPanel.com 752 "C:\Windows\SysWOW64\cPanel.com"10⤵
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\299e7cda75bcbaf576fe85afc0a1f993.exe"C:\Users\Admin\AppData\Local\Temp\299e7cda75bcbaf576fe85afc0a1f993.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\acx.bat1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
298B
MD54117e5a9c995bab9cd3bce3fc2b99a46
SHA180144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA25637b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c
-
Filesize
3KB
MD5872656500ddac1ddd91d10aba3a8df96
SHA1ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
1.2MB
MD5299e7cda75bcbaf576fe85afc0a1f993
SHA1897bbd813e5acf8f2e6d41531d9a3079dd67a8ea
SHA25688e4b4a9fb614ec33e573354ecc8086e77d3703fd89b7efd3acc5f8de99287f1
SHA5129ce2f3c6bdaf0cb31cdb5f7ad9bded6f7fbf21f259a5fca1397d69193b4f934eb05a2e026636ce84e53b91d4819de2e0ef425a3232658bf5dba95ca0cc3521a7
-
Filesize
1.1MB
MD539ffccc122449fe16ef4a3a5e38224ed
SHA15fdae2ceda235800e709e2923447ff112a077932
SHA2560c6780916015827acc22ca7a7cc8f71484f737dc48c2a2dad4f32a11b6769aac
SHA51213c3b4fb6eda792adef34994c3868594e98f94cb7cad971d4bcbb1c19a12a9921bbb57a441702f368d196c3f88866139cefa9e0e7984b42e2f0e94d8e7d6452c
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
920KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
2.7MB
-
Filesize
4KB
-
Filesize
8KB