Analysis Overview
SHA256
87cc10a52a2125a4a1166cd4b5ac9697cbb2ba7cb795b8883fe0b57a516829b9
Threat Level: Known bad
The file pegieigh.rar was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
RedLine payload
RedLine
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 13:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 13:22
Reported
2024-02-22 13:25
Platform
win10-20240221-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\pegieigh\lnjector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24366\Xx.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\pegieigh\lnjector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\24372\Xx.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\pegieigh\lnjector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\24382\Xx.pif | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\pegieigh\Silent install\lnjector.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\pegieigh\Silent install\lnjector.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pegieigh.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\pegieigh.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\pegieigh\lnjector.exe
"C:\Users\Admin\Desktop\pegieigh\lnjector.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bass Bass.bat & Bass.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 24366
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Powder + Adjustment + Rocks + Strange + Mw 24366\Xx.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Emails 24366\L
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24366\Xx.pif
24366\Xx.pif 24366\L
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\Desktop\pegieigh\lnjector.exe
"C:\Users\Admin\Desktop\pegieigh\lnjector.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bass Bass.bat & Bass.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 24372
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Powder + Adjustment + Rocks + Strange + Mw 24372\Xx.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Emails 24372\L
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\24372\Xx.pif
24372\Xx.pif 24372\L
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\Desktop\pegieigh\lnjector.exe
"C:\Users\Admin\Desktop\pegieigh\lnjector.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bass Bass.bat & Bass.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 24382
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Powder + Adjustment + Rocks + Strange + Mw 24382\Xx.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Emails 24382\L
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.002\24382\Xx.pif
24382\Xx.pif 24382\L
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\br21sx.exe
"C:\Windows\System32\br21sx.exe"
C:\Users\Admin\Desktop\pegieigh\Silent install\lnjector.exe
"C:\Users\Admin\Desktop\pegieigh\Silent install\lnjector.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gwGqiDPdYhTWNqct.gwGqiDPdYhTWNqct | udp |
| US | 8.8.8.8:53 | gwGqiDPdYhTWNqct.gwGqiDPdYhTWNqct | udp |
| US | 8.8.8.8:53 | assumptionflattyou.shop | udp |
| US | 172.67.163.54:443 | assumptionflattyou.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | 54.163.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 172.67.163.54:443 | assumptionflattyou.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 172.67.163.54:443 | assumptionflattyou.shop | tcp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 45.15.156.142:33597 | N/A | tcp |
| US | 8.8.8.8:53 | 142.156.15.45.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\pegieigh\lnjector.exe
| MD5 | 691b4750a377c2239d2b624444691621 |
| SHA1 | 7904e79d024f2e65a1750e9905c30e8be5fdea1b |
| SHA256 | c7fe6382cba2ebc45ef1128363244223a896c36a70bb3094065a80546900f3fe |
| SHA512 | 1097a06b7923bdd797c402b285eb0e88b7927f13b9597282804fb41ab740d05c3f46f8ab1f194e31d5b90980ddecf7d1288e09f7ff0255b26cd6ef9a4759852a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bass
| MD5 | 20696427abc2f9c1880265c1b31e1b6b |
| SHA1 | ed7a926f67baf4c8ea904be067e46c7464d9abde |
| SHA256 | 6e281bdc178f1e4f78a30b448e08d54ff46737e0fd4d92611cbabc7f0e54760a |
| SHA512 | 2c4c052521c669fc5fb85866200fa187cd0a234655091b90eecadb01a2e280f40cb163555d34c5e843ca70eb8806e83f3f9e210faf3c50cad34088141193716b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Powder
| MD5 | e2eb152132c5d116148008a9992a40ce |
| SHA1 | f2c9052793ec7df7055ff8fba3d7c8de716672e9 |
| SHA256 | ae2be4aca761add018f18474394836ec62ba12350a1d3c41838353dee89fd200 |
| SHA512 | 5f9567156f3ba35695ec50fc83487728560d6641714d3b65dff26805057dd62285c8abb0c736075576981a66212449a3c2086d8c6834d8425c1e9a932655e0d6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Adjustment
| MD5 | cbe564a978d65c59d81c8b0024d460dc |
| SHA1 | d221f213e412b3cc86066a144805fda792dea127 |
| SHA256 | cb32fdd72ae79c8087a57f34ec4067d01942e1e9ba20a55a2919068a4ecb79a3 |
| SHA512 | 5086d0b081590c050eaf9686aa83543fd8a125c66f5107d09944ab3b22ee9dc1313f4b4feb1524f6b4fc66021251a040c8acfc8d5cfa8c0b3722cfe67bb0832d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Rocks
| MD5 | 29a6e6b5fc39a5f046934ce00b7afd08 |
| SHA1 | 1a01d7cefb78ddca5de438c5046378bdfce72384 |
| SHA256 | 662eb933f3356d4618c402746f69936f94008de34feca4df4a510eebb7399728 |
| SHA512 | 7d8b07e4e8633a61dabc769b9efbcc8eaa6f4dfd20f07bba548e461eded369170056272d04127158dfa4ec2fad3820212e57beb67c98380994f9074445bc98c4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Strange
| MD5 | f9f85fa462682f13b768d9a25f208d8f |
| SHA1 | 38fc01a38f6942d25bda6c28f0fd5df7801139d6 |
| SHA256 | bfac483436da8b5114f84b6576e3e4e9b0e31b6c6e0f70d5bb1c89ba6f35cceb |
| SHA512 | 92e78b7642e7ed9d333c736b582790b236425540bfa9bda8cc70156fd55139a84d5598f072f8b2d9bdf399f5be68104d959b3e00d550cc38042c5db35e23a651 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mw
| MD5 | dceb28d0ff9d99813139834427e6f09d |
| SHA1 | 6af4f0d7ab21e40aaefcb66a2fdf6b39884e31ca |
| SHA256 | eb8b8508a9d5e62aedee83280581d0dbad62e2a991578eced7beef51a746dc6d |
| SHA512 | 1aeacf81aacc3157dff77dd26c4f6eea3c26b96c8c8be7fed9d4b193c928ae93973087d888d2f2075d688577141b182f223c56fa1e6872d2f84c15721256678f |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Emails
| MD5 | be1c3ec024688bea76be17104e70e32d |
| SHA1 | 6c35f586626e1ccff964938d53140444517fef27 |
| SHA256 | 9cb5eee8f44fdc50408a19fd1e229c2a3b82de64b6445260a9f8ff6c29dd576c |
| SHA512 | 740f091e34fc35901784d884531d4115b948d1b00c7e76a430a41ee7126ae9d0cfddb7d59fb278c222c0ad2890f5b7769da0c48f58349a5a3c236b15e6f6079e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24366\Xx.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\Desktop\pegieigh\Silent install\lnjector.exe
| MD5 | 3528ed9f161dad56dbf2f77a420464ce |
| SHA1 | 989040271b891dbd6a9ebb41e9b4568baa9ee265 |
| SHA256 | e02eb47a4a87882c843ad0ca293a1b38b7b61d192b85ffd8dbdebf76098bb4d1 |
| SHA512 | 884b21cca8bb30035d27738b992e59e9885714c03af5dc7a289330e6915f68fb47b9bf62979c443f2c587323cbf3002ee4824a6a62ccc1a14b6f74bc33b1f86a |