Analysis
max time kernel: 16s
max time network: 19s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2024, 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 5c121105334208968a697161ba6eff73.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5c121105334208968a697161ba6eff73.exe
  Resource: win10v2004-20231215-en
Errors
General
Target: 5c121105334208968a697161ba6eff73.exe
Size: 402KB
MD5: 5c121105334208968a697161ba6eff73
SHA1: 52f1ade2720edfc01d85220a1b20f8bb7d2115b0
SHA256: f089d5f2f8107188da34c6e58f406f84dda6bec684a26f66b56f7fb1350c5b43
SHA512: 85990d6651dc501f82a49f37c1f8967099d042e28ddda248acd40dbf2b405b9e071e01e301bff78011b459f0f2dce75b4791fe64d2fe9b9fc5b2d9deeed9a04e
SSDEEP: 12288:AmQ9dCrejHa1c2obY7XQNSWShDYRtmLnrqYVkkkkkkkk9:Aq6jHIocYSM2nrqw
Malware Config
Signatures
- Detect Lumma Stealer payload V4 (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2008-158-0x0000000000400000-0x000000000056E000-memory.dmp | family_lumma_v4
  behavioral1/memory/2120-276-0x0000000000400000-0x000000000056E000-memory.dmp | family_lumma_v4
- Modifies security service (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | regedit.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | regedit.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2120 | scrov.exe
  1316 | scrov.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2008 | 5c121105334208968a697161ba6eff73.exe
  2008 | 5c121105334208968a697161ba6eff73.exe
  2120 | scrov.exe
  2120 | scrov.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\scrov.exe | 5c121105334208968a697161ba6eff73.exe
  File opened for modification | C:\Windows\SysWOW64\scrov.exe | 5c121105334208968a697161ba6eff73.exe
  File opened for modification | C:\Windows\SysWOW64\scrov.exe | scrov.exe
  File created | C:\Windows\SysWOW64\scrov.exe | scrov.exe
- Runs .reg file with regedit (2 IoCs)
  pid | Process
  1280 | regedit.exe
  1472 | regedit.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each of the six rows below was reported four times)
  description | pid | Process | procid_target
  PID 2008 wrote to memory of 2104 | 2008 | 5c121105334208968a697161ba6eff73.exe | 28
  PID 2104 wrote to memory of 1280 | 2104 | cmd.exe | 29
  PID 2008 wrote to memory of 2120 | 2008 | 5c121105334208968a697161ba6eff73.exe | 30
  PID 2120 wrote to memory of 1548 | 2120 | scrov.exe | 31
  PID 1548 wrote to memory of 1472 | 1548 | cmd.exe | 32
  PID 2120 wrote to memory of 1316 | 2120 | scrov.exe | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe (PID 2008)
  command line: "C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"
  signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2104)
    command line: cmd /c c:\a.bat
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regedit.exe (PID 1280)
      command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      signatures: Modifies security service; Runs .reg file with regedit
  - C:\Windows\SysWOW64\scrov.exe (PID 2120)
    command line: C:\Windows\system32\scrov.exe 504 "C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1548)
      command line: cmd /c c:\a.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regedit.exe (PID 1472)
        command line: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        signatures: Modifies security service; Runs .reg file with regedit
    - C:\Windows\SysWOW64\scrov.exe (PID 1316)
      command line: C:\Windows\system32\scrov.exe 544 "C:\Windows\SysWOW64\scrov.exe"
      signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads