Overview

overview

10

Static

static

1

SecuriteIn...89.exe

windows7-x64

7

SecuriteIn...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe

  • Size

    965KB

  • MD5

    ff36088c0ded85dbc225f0913cf67a7b

  • SHA1

    c8c792f2beaaf1f8abbcbfabedd59b6cb319a5db

  • SHA256

    d5c78b62b3a63008127a31fdb356bcc8fc8a301c660708467525660d802d32ee

  • SHA512

    473bb5ce8b5b928b2588a744bac8dc7bcfb5ba107f20d5951da8ddf73cf6b18249083b018da311f88fcb3fd6feb2f84a7d1da0dcb473c8fde74818ea3c4990b6

  • SSDEEP

    24576:R0LJ7wf5s8usysS3Fx1nwwsSZYxLUgaPCsp72Cyd5xHfTjB:R0LJM/u+UtJZATdrHfHB

Score
10/10
lummapersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://sustentatorcoagulat.fun/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.5981.9189.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\TapiUnattend.exe
      TapiUnattend.exe
      2⤵
        PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k move Ward Ward.bat & Ward.bat & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          3⤵
            PID:2256
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3076
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            3⤵
              PID:4420
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c md 16823
              3⤵
                PID:1728
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b Advance + Initiated + Covering + Introduces + Czech 16823\Combines.pif
                3⤵
                  PID:1096
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b Forests + Baghdad + Disable 16823\p
                  3⤵
                    PID:2960
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16823\Combines.pif
                    16823\Combines.pif 16823\p
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:1816
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 5 localhost
                    3⤵
                    • Runs ping.exe
                    PID:3548

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16823\Combines.pif
                Filesize

                924KB

                MD5

                848164d084384c49937f99d5b894253e

                SHA1

                3055ef803eeec4f175ebf120f94125717ee12444

                SHA256

                f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                SHA512

                aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\16823\p
                Filesize

                903KB

                MD5

                91c74d37ac7321c082f1f0ce082ddb8d

                SHA1

                a9ded07acfcb5148cd8e2082055f451f0c3446d9

                SHA256

                cac9dac9b23f740b2dc15541927032e290d25e0ac6afd9a6ce9e1ddf06f111b6

                SHA512

                98046fb91318cce7cf19b680a4aa21bdeed8e8688dfc3c2bd0c465873067defd63ae4b4d1208aaf17d184cb6de6499b0b36b29427396bfaf19bb5d9a57ae429a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Advance
                Filesize

                174KB

                MD5

                a0d348d48f9389555698870e0642645f

                SHA1

                39e60d06152c6966f50a57ae3f7fef9b991c710b

                SHA256

                3aca5601ed44f96628533374a8ca789e7b1d0c8791382df85c2dce89247d9b86

                SHA512

                3264c4aa0310513a9203c8212a6928e8f8321da72e2d996140d6deabf32baf815d832d35645fdcfc887ef22cebd1d83653a1154f6aecdcfcfb4a3ef18935fbd7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Baghdad
                Filesize

                414KB

                MD5

                ec0b3ec727520f56a6741f4569153b38

                SHA1

                7cb01894370bde7ce3a38a478370e3db79b30904

                SHA256

                bc65c7156dc2b09677840833e64b99d28ac9ae770f6bb3b1f9c97bff23eb6ffc

                SHA512

                622239e683f8fe2dafb4a901fdf82887635b7da1ee93cacbd274975218135f4e24da0e0eb017165208fcff0490c47e6108d12b88215d085526a8772055c54f65

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Covering
                Filesize

                131KB

                MD5

                56a6be0109f8e938f0fe3844b287e8a9

                SHA1

                d0206dfb0f5c59b1598417742688dfd626294297

                SHA256

                9c27d131cf4adcb21e059404a4aaadf15cacd2828ce9ab6d879e42fe50c96524

                SHA512

                84d8da0ff85222db43289b3fa53eafbb4cf2a493170f71cff787759770e17c491b81c2764d07589ae6e043a382bcc6607d23722485f9122b86d618c55bb5fd08

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Czech
                Filesize

                189KB

                MD5

                924c0ef6531aee94085f9a6d7c3754a0

                SHA1

                b899a1c7e37a902d2faa9993ec81572aca03a65f

                SHA256

                3829c300ed066f4a334748f3d7531a1f212080649a4eb3eb2fc1ecbf879b3cef

                SHA512

                77aaf61923ba72704ff69c3bc6f35529d95e3b69730c42c4af72642c47d921fab23dec97c035f43f9adca3577c9077edf4a4b89d888fbf9bf5fe87953c800c34

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Disable
                Filesize

                126KB

                MD5

                e720d78737442ee448864b760bfc2154

                SHA1

                3408f4c1b96dd8d6fa0555beed2b964f959304cb

                SHA256

                1d74a63c10fedbe0026426c2aac7e9ee0cc3136252b336c9d7612a78b837fdce

                SHA512

                5a57efabb77c25aec5901185330416702d8a38564789a99f18543ef3e7e5fc0a3b6e54d801af85d4a6bd0fd536829e64088507367d815e52400e596719db85d4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Forests
                Filesize

                444KB

                MD5

                f5e00e25340ca759cfaaf113db301844

                SHA1

                98f72e6016addb30de59c6289b83b8262accdf4d

                SHA256

                ba998c73e83d06a20a7fb6855db82193da9eade08bb68b4e23d4a1a19de1c38a

                SHA512

                849def8b079a165918c2daedc366b03f4968997f3b463a3e6bbfc013520437ba3e1e6a267bae4eeb3cb7aae97da46041bf3fbd83563b57f5a3f6ab3f373332f8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Initiated
                Filesize

                223KB

                MD5

                15cf524c35c79bfc7d14ef089aa36654

                SHA1

                b5de7303b8392079a0e24381cb2db8c37c35c0d3

                SHA256

                9207eacd1cdaca6f5d1dea63d8c45b1d21c666e40c4df0b3d93d23b88a4cef8d

                SHA512

                be2320f8730c8818575c67aede4bb16649d1ccf7d6ef5ea68fe04b87eade00c60e969cfad14192ac1530abfbde88a79b74e8df74d2a9a81b79b64998f90e55c6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Introduces
                Filesize

                207KB

                MD5

                ebdd5083135e6b0d4073cfccb7629476

                SHA1

                f9a1246cecd3fb4b8d750b9eccef5c28a09f5c92

                SHA256

                a4ead8a25f32722ddda970cfefdaf1b49fefb84f55336ebb8499fd63ef97bea3

                SHA512

                b37519e90dc7b48dd99f41eea7a1aaadc8709fe4334531a3af08daed4c4d13e59e935572952458f599ce6f054609a1e316fee8a64b6ed2f38e90f8288a73f81d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ward
                Filesize

                12KB

                MD5

                7bf45f9b27d16f94a4859ca0dab5cd90

                SHA1

                9dd76d9b5ba50f3f1915a3b01c54559c0abf3527

                SHA256

                1b609a66173f2fc08bbbfb828e1ad07da17532ee8355b882a9f2c7a6d67835d5

                SHA512

                5907005d67dea5199cf1282058bf53a6fcf3689d6f5dffd624943351120905129be0ea4614900430e85a325ba6e8649ac96a1b420402982edd844fdcc00b521f

                Download Submit

              • memory/1816-32-0x0000000077D31000-0x0000000077E51000-memory.dmp

                Filesize

                1.1MB

                Download

              • memory/1816-34-0x0000000001660000-0x0000000001661000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1816-35-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-36-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-37-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-38-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-39-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-40-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-41-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download

              • memory/1816-42-0x0000000000120000-0x0000000000199000-memory.dmp

                Filesize

                484KB

                Download