Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-02-2024 20:33
Static task: static1
Behavioral task: behavioral1
Sample: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
Resource: win7-20240221-en
General
Target: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
Size: 5.7MB
MD5: 839999b53169bec8744194c3e49970ce
SHA1: 8e2cbf38b74b64f12fa7dd108c8f593de9de5058
SHA256: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad
SHA512: b22658a490474ab7cd1e47ed7ce3f0ff8e7876d31345dc2ee8505588efb53b234b20c1b4622131044612fb10db4e32605d3cec1a323fe4e1206b6f02189e5857
SSDEEP: 98304:+JiYFsQ19IoMpBeqdtkGjbk8HdG3x25jtqjHqA2VptdmZ8633CTL6:e919IoMfeqsG/kkkxEyx2pt0A
Malware Config
Signatures
- Detect Lumma Stealer payload V4 (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2940-8701-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8702-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8703-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8704-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8705-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8708-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
behavioral1/memory/2940-8709-0x0000000010000000-0x000000001080D000-memory.dmp | family_lumma_v4
- Executes dropped EXE (1 IoC)
Processes:
pid | Process
2940 | CITUF.exe
- Loads dropped DLL (1 IoC)
Processes:
pid | Process
2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\I: | CITUF.exe
File opened (read-only) | \??\K: | CITUF.exe
File opened (read-only) | \??\U: | CITUF.exe
File opened (read-only) | \??\G: | CITUF.exe
File opened (read-only) | \??\J: | CITUF.exe
File opened (read-only) | \??\M: | CITUF.exe
File opened (read-only) | \??\P: | CITUF.exe
File opened (read-only) | \??\N: | CITUF.exe
File opened (read-only) | \??\Q: | CITUF.exe
File opened (read-only) | \??\S: | CITUF.exe
File opened (read-only) | \??\A: | CITUF.exe
File opened (read-only) | \??\B: | CITUF.exe
File opened (read-only) | \??\E: | CITUF.exe
File opened (read-only) | \??\H: | CITUF.exe
File opened (read-only) | \??\L: | CITUF.exe
File opened (read-only) | \??\V: | CITUF.exe
File opened (read-only) | \??\X: | CITUF.exe
File opened (read-only) | \??\Z: | CITUF.exe
File opened (read-only) | \??\O: | CITUF.exe
File opened (read-only) | \??\R: | CITUF.exe
File opened (read-only) | \??\T: | CITUF.exe
File opened (read-only) | \??\W: | CITUF.exe
File opened (read-only) | \??\Y: | CITUF.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes:
pid | Process
2940 | CITUF.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
pid | Process
2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
2940 | CITUF.exe
2940 | CITUF.exe
2940 | CITUF.exe
2940 | CITUF.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | Process | procid_target
PID 2772 wrote to memory of 2940 | 2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe | 28
PID 2772 wrote to memory of 2940 | 2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe | 28
PID 2772 wrote to memory of 2940 | 2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe | 28
PID 2772 wrote to memory of 2940 | 2772 | 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2772
   2. C:\Users\Admin\AppData\Local\Temp\CITUF.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\CITUF.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
      PID: 2940
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 681KB
MD5: 178330434eacc121faf0f7cc8c41b516
SHA1: 936420c82a466dc54ab4d0f6de0d04b041c10e17
SHA256: e4e64b932c7c015f8e49f37c6900482e90e3bcaa68d05c21542039f3be1bf497
SHA512: 61b1e6dd927dad393b04d258d1c1905c54e129d1f4418e580aabf4e22dd4472508e75fe9b70da6272ecf318431fa73fb653c59a2fddf796de778ac3ba590f491
-
Filesize: 5.0MB
MD5: 7021afcc5fba762ef0320d5a6ec78f02
SHA1: 7ae1e3d93a67e3198aae634161b6869107e68202
SHA256: b516d8aefb6864f5d77720bb03197c072121ffe7ee2d7a065ccdc4cd2c92cf01
SHA512: 51dca6da28126c81b7d9f4bdc7d707f8884d2361c3d0c67605f063a1b6e83996ac21c0fc6de36657eed34b2f0f3fbc5c52e7700e2cbea4c9e1d4dcaba3238681
-
Filesize: 1.4MB
MD5: 180b488d50dcb49bdef3ebb5874767c8
SHA1: c5cc8fe1477b511f4782d425d12a6086056385ae
SHA256: 23e5870fb24b7b9015927abb469e3bf09d7985c7f02fabad7e43289dd12cbd4a
SHA512: e908e13e67c289b3f1fa4c579051aa22293ccb0128805bb69bc4bb0362c8ed3c666d71e0482fef052d5640a875cd3f6e64bbb835bd77f88857922feb7548546d