Malware Analysis Report

2025-06-15 19:52

Sample ID 240115-ehebesghel
Target 5c121105334208968a697161ba6eff73
SHA256 f089d5f2f8107188da34c6e58f406f84dda6bec684a26f66b56f7fb1350c5b43
Tags
lumma evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f089d5f2f8107188da34c6e58f406f84dda6bec684a26f66b56f7fb1350c5b43

Threat Level: Known bad

The file 5c121105334208968a697161ba6eff73 was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Detect Lumma Stealer payload V4

Lumma Stealer

Modifies security service

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-15 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-15 03:56

Reported

2024-01-15 03:56

Platform

win7-20231215-en

Max time kernel

16s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description      Indicator                                                             Process                          Target
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  C:\Windows\SysWOW64\regedit.exe  N/A
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"    C:\Windows\SysWOW64\regedit.exe  N/A
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"  C:\Windows\SysWOW64\regedit.exe  N/A
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"    C:\Windows\SysWOW64\regedit.exe  N/A

Executes dropped EXE

Description  Indicator  Process                        Target
N/A          N/A        C:\Windows\SysWOW64\scrov.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\scrov.exe  N/A

Drops file in System32 directory

Description                   Indicator                      Process                                                                  Target
File created                  C:\Windows\SysWOW64\scrov.exe  C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  N/A
File opened for modification  C:\Windows\SysWOW64\scrov.exe  C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  N/A
File opened for modification  C:\Windows\SysWOW64\scrov.exe  C:\Windows\SysWOW64\scrov.exe                                            N/A
File created                  C:\Windows\SysWOW64\scrov.exe  C:\Windows\SysWOW64\scrov.exe                                            N/A

Runs .reg file with regedit

Description  Indicator  Process                          Target
N/A          N/A        C:\Windows\SysWOW64\regedit.exe  N/A
N/A          N/A        C:\Windows\SysWOW64\regedit.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                                                                  Target
PID 2008 wrote to memory of 2104  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2104  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2104  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2104  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 1280  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 2104 wrote to memory of 1280  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 2104 wrote to memory of 1280  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 2104 wrote to memory of 1280  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 2008 wrote to memory of 2120  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\scrov.exe
PID 2008 wrote to memory of 2120  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\scrov.exe
PID 2008 wrote to memory of 2120  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\scrov.exe
PID 2008 wrote to memory of 2120  N/A        C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe  C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1548  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 1548  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 1548  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 1548  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1472  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 1548 wrote to memory of 1472  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 1548 wrote to memory of 1472  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 1548 wrote to memory of 1472  N/A        C:\Windows\SysWOW64\cmd.exe                                              C:\Windows\SysWOW64\regedit.exe
PID 2120 wrote to memory of 1316  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1316  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1316  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1316  N/A        C:\Windows\SysWOW64\scrov.exe                                            C:\Windows\SysWOW64\scrov.exe
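The table above lists processes by PID only and repeats each parent/child write several times, which makes the actual execution chain hard to read off. The script below is an added example and not part of the sandbox report: it parses those rows, collapses the repeats, rebuilds the process tree (sample -> cmd.exe -> regedit.exe, and sample -> scrov.exe -> cmd.exe -> regedit.exe plus a second scrov.exe), and pulls out the cmd.exe -> regedit.exe hops and the scrov.exe self-spawn. The row text is copied from the report (two copies of each row are kept to exercise the deduplication); the function names are my own.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory'
rows above. Added example, not part of the sandbox report."""
import re
from collections import OrderedDict

# Rows copied from the report. The sandbox logs each cross-process write, so
# every parent/child pair shows up several times (four per pair in the report;
# two copies each are kept here to exercise the deduplication). Raw string:
# the paths contain sequences such as \U that Python would otherwise decode.
WPM_ROWS = r"""
PID 2008 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2104 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2008 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe C:\Windows\SysWOW64\scrov.exe
PID 2008 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1548 N/A C:\Windows\SysWOW64\scrov.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 1548 N/A C:\Windows\SysWOW64\scrov.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1548 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2120 wrote to memory of 1316 N/A C:\Windows\SysWOW64\scrov.exe C:\Windows\SysWOW64\scrov.exe
PID 2120 wrote to memory of 1316 N/A C:\Windows\SysWOW64\scrov.exe C:\Windows\SysWOW64\scrov.exe
"""

# Whitespace-tolerant so column-aligned copies of the rows parse too.
ROW_RE = re.compile(r"^PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+N/A\s+(\S+)\s+(\S+)$")


def parse_rows(text):
    """Return an ordered mapping (parent_pid, child_pid, parent_image, child_image)
    -> number of times the sandbox reported that write."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: %r" % line)
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        edges[edge] = edges.get(edge, 0) + 1
    return edges


def build_tree(edges):
    """Return (children, images, roots): children maps each PID to its children in
    first-seen order, images maps each PID to its executable path, roots are the
    PIDs never seen as a child (only the submitted sample here)."""
    children, images, parents = OrderedDict(), {}, {}
    for parent, child, pimg, cimg in edges:
        images.setdefault(parent, pimg)
        images.setdefault(child, cimg)
        children.setdefault(parent, [])
        children.setdefault(child, [])
        if child not in children[parent]:
            children[parent].append(child)
        parents[child] = parent
    roots = [pid for pid in children if pid not in parents]
    return children, images, roots


def render_tree(children, images, roots, indent="  "):
    """Indented one-line-per-process view, depth-first."""
    lines = []

    def walk(pid, depth):
        lines.append("%s%d %s" % (indent * depth, pid, images[pid]))
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_chains(children, images, chain):
    """Every parent->child->... path whose image basenames equal `chain` in order.
    Used below to pull out the cmd.exe -> regedit.exe hops and the scrov.exe
    self-spawn from the tree."""
    chain = tuple(name.lower() for name in chain)

    def walk(pid, idx):
        if basename(images[pid]) != chain[idx]:
            return []
        if idx == len(chain) - 1:
            return [[pid]]
        found = []
        for child in children[pid]:
            for rest in walk(child, idx + 1):
                found.append([pid] + rest)
        return found

    hits = []
    for pid in children:
        hits.extend(walk(pid, 0))
    return hits


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    children, images, roots = build_tree(edges)
    print(render_tree(children, images, roots))
    print("cmd -> regedit hops:", find_chains(children, images, ("cmd.exe", "regedit.exe")))
    print("scrov self-spawn:", find_chains(children, images, ("scrov.exe", "scrov.exe")))
```

Running it prints the tree rooted at PID 2008 with both cmd.exe -> regedit.exe hops (2104 -> 1280 and 1548 -> 1472) and the scrov.exe -> scrov.exe edge (2120 -> 1316). The same chain matcher works on any parent/child edge list, for instance Sysmon event ID 1 records, once they are reduced to (parent PID, child PID, images).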

Processes

C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe

"C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\scrov.exe

C:\Windows\system32\scrov.exe 504 "C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\scrov.exe

C:\Windows\system32\scrov.exe 544 "C:\Windows\SysWOW64\scrov.exe"
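Read together with the "Modifies security service" rows, the command lines above give the mechanism: cmd.exe runs c:\a.bat, the batch file imports C:\Users\Admin\AppData\Local\Temp\1.reg with REGEDIT /S (silent import, no confirmation prompt), and the import sets Start = 4 (SERVICE_DISABLED) on wuauserv (Windows Update) and wscsvc (Windows Security Center), so the dropped copy in SysWOW64 repeats the whole sequence once more. Note that the recorded command lines say C:\Windows\system32\scrov.exe while the process path is C:\Windows\SysWOW64\scrov.exe: the sample is a 32-bit binary, so on the 64-bit sandbox VM its System32 accesses are redirected to SysWOW64 by WOW64 file-system redirection, which is why a detection should key on the image basename rather than the full path. The script below is an added example and not part of the report: it decodes the Set value rows, flags start-type changes on a watch list of defensive services (wuauserv and wscsvc from the report plus a few I added), and flags silent .reg imports and batch files launched from user-writable locations. The inputs are copied from the report's tables; the extra watch-list entries and all function names are my own.

```python
"""Decode the registry writes and command lines recorded for this detonation
and flag the service tampering. Added example, not part of the sandbox report."""
import re

# SCM start types as stored in HKLM\SYSTEM\...\services\<name>\Start.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# Defensive services whose start type should never change silently. wuauserv
# and wscsvc are the two hit in the report; the rest are my additions.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Windows Security Center",
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
    "sense": "Microsoft Defender for Endpoint",
}

# Rows copied from the 'Modifies security service' table (raw string: the
# paths contain backslashes).
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
"""

# Command lines copied from the Processes section, in report order.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"',
    r"cmd /c c:\a.bat",
    r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg",
    r'C:\Windows\system32\scrov.exe 504 "C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"',
    r"cmd /c c:\a.bat",
    r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg",
    r'C:\Windows\system32\scrov.exe 544 "C:\Windows\SysWOW64\scrov.exe"',
]

# Whitespace-tolerant so column-aligned copies of the rows parse too.
ROW_RE = re.compile(r'^Set value \((\w+)\)\s+(\\REGISTRY\\\S+?)\s+=\s+"([^"]*)"\s+(\S+)\s+(\S+)$')
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)
# "regedit /s <file>" and "cmd /c <file>.bat|.cmd", with or without quotes or a
# directory in front of the image name (matched on basename, see lead-in).
REGEDIT_SILENT_RE = re.compile(r'^"?(?:.*\\)?regedit(?:\.exe)?"?\s+/s\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
CMD_BATCH_RE = re.compile(r'^"?(?:.*\\)?cmd(?:\.exe)?"?\s+/c\s+"?([^"]+\.(?:bat|cmd))"?\s*$', re.IGNORECASE)
# A user profile, any Temp directory, or a file sitting directly in a drive root.
USER_WRITABLE_RE = re.compile(r"\\Users\\|\\Temp\\|^[a-z]:\\[^\\]+$", re.IGNORECASE)


def parse_registry_row(line):
    """Split one 'Set value' row into key path, service and value name (when the
    key sits under the services key), the written value, and the writing process."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("not a Set value row: %r" % line)
    kind, path, raw, process, _target = m.groups()
    svc = SERVICE_KEY_RE.search(path)
    return {
        "path": path,
        "service": svc.group(1).lower() if svc else None,
        "value_name": svc.group(2) if svc else path.rsplit("\\", 1)[-1],
        "value": int(raw) if kind == "int" else raw,
        "process": process,
    }


def flag_service_tampering(rows):
    """One finding per row that rewrites the Start value of a watched service."""
    findings = []
    for r in rows:
        if r["service"] in WATCHED_SERVICES and r["value_name"].lower() == "start":
            findings.append({
                "service": r["service"],
                "display_name": WATCHED_SERVICES[r["service"]],
                "start_type": START_TYPES.get(r["value"], "unknown(%r)" % (r["value"],)),
                "process": r["process"],
            })
    return findings


def flag_command_lines(cmdlines):
    """(label, file) for silent .reg imports and cmd /c batch runs whose file
    lives in a user-writable location."""
    findings = []
    for cl in cmdlines:
        for label, rx in (("silent regedit import", REGEDIT_SILENT_RE),
                          ("batch via cmd /c", CMD_BATCH_RE)):
            m = rx.match(cl.strip())
            if m and USER_WRITABLE_RE.search(m.group(1)):
                findings.append((label, m.group(1)))
    return findings


if __name__ == "__main__":
    rows = [parse_registry_row(l) for l in REGISTRY_ROWS.strip().splitlines()]
    for f in flag_service_tampering(rows):
        print("%s (%s) set to %s by %s" % (f["service"], f["display_name"], f["start_type"], f["process"]))
    for label, target in flag_command_lines(COMMAND_LINES):
        print("%s: %s" % (label, target))
```

On the report's data this yields four service findings (wuauserv and wscsvc disabled twice, once per regedit.exe instance) and four command-line findings (two batch runs from the drive root, two silent imports from the user's Temp directory). The location filter is what keeps the regedit rule quiet on legitimate administrative imports from places like C:\ProgramData; the same two regexes can be pointed at Sysmon process-creation command lines unchanged.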

Network

N/A

Files

memory/2008-0-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2008-1-0x0000000000370000-0x00000000003C0000-memory.dmp

memory/2008-2-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2008-4-0x0000000000340000-0x0000000000341000-memory.dmp

memory/2008-5-0x0000000000350000-0x0000000000351000-memory.dmp

memory/2008-3-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2008-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2008-7-0x0000000000360000-0x0000000000361000-memory.dmp

memory/2008-9-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2008-8-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/2008-11-0x0000000002B20000-0x0000000002B24000-memory.dmp

memory/2008-28-0x0000000002380000-0x0000000002381000-memory.dmp

memory/2008-30-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/2008-29-0x0000000002390000-0x0000000002391000-memory.dmp

memory/2008-27-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/2008-26-0x0000000000900000-0x0000000000901000-memory.dmp

memory/2008-25-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/2008-24-0x0000000000610000-0x0000000000611000-memory.dmp

memory/2008-23-0x0000000000640000-0x0000000000641000-memory.dmp

memory/2008-22-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2008-31-0x0000000002370000-0x0000000002371000-memory.dmp

memory/2008-21-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/2008-20-0x0000000000570000-0x0000000000571000-memory.dmp

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/2008-12-0x0000000000630000-0x0000000000631000-memory.dmp

memory/2008-13-0x0000000000580000-0x0000000000581000-memory.dmp

memory/2008-32-0x0000000002B10000-0x0000000002B15000-memory.dmp

memory/2008-36-0x0000000000650000-0x0000000000651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/2008-140-0x0000000002540000-0x0000000002541000-memory.dmp

memory/2008-48-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/2008-35-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/2008-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/2008-33-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Windows\SysWOW64\scrov.exe

MD5 5c121105334208968a697161ba6eff73
SHA1 52f1ade2720edfc01d85220a1b20f8bb7d2115b0
SHA256 f089d5f2f8107188da34c6e58f406f84dda6bec684a26f66b56f7fb1350c5b43
SHA512 85990d6651dc501f82a49f37c1f8967099d042e28ddda248acd40dbf2b405b9e071e01e301bff78011b459f0f2dce75b4791fe64d2fe9b9fc5b2d9deeed9a04e

memory/2008-158-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2120-159-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2120-160-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bef09dc596b7b91eec4f38765e0965b7
SHA1 b8bb8d2eb918e0979b08fd1967dac127874b9de5
SHA256 8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265
SHA512 0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

memory/2120-276-0x0000000000400000-0x000000000056E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-15 03:56

Reported

2024-01-15 03:58

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe

"C:\Users\Admin\AppData\Local\Temp\5c121105334208968a697161ba6eff73.exe"

Network

Files

memory/448-0-0x0000000000400000-0x000000000056E000-memory.dmp

memory/448-1-0x0000000000A10000-0x0000000000A60000-memory.dmp

memory/448-2-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/448-3-0x0000000002340000-0x0000000002341000-memory.dmp

memory/448-4-0x0000000000710000-0x0000000000711000-memory.dmp

memory/448-5-0x0000000002370000-0x0000000002371000-memory.dmp

memory/448-6-0x0000000002380000-0x0000000002381000-memory.dmp