Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-02-2024 15:27

General

  • Target

    a22f400ce87664d7f5c214600509fcb3.exe

  • Size

    228KB

  • MD5

    a22f400ce87664d7f5c214600509fcb3

  • SHA1

    5a807ef099b4b71e7043d0380723becb98cb6f28

  • SHA256

    25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c

  • SHA512

    874ab03464ae78e092c224c2356fbbaa15bb66e7d4fd95138ef36dcca75910aff1d80d8dcc7c01b63a493344a1b89c514e21eb6cc317541cc047293941d68d29

  • SSDEEP

    6144:OoEdkmu85Dq+3qM3W7tfQN5/inEaMadDKNa1aILk71:MkmDN6M3atfQunka1KNaTgJ

Score
10/10

Signatures

  • Detect Lumma Stealer payload V4 16 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service 2 TTPs 22 IoCs
  • Executes dropped EXE 10 IoCs
  • Drops file in System32 directory 32 IoCs
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe
    "C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\acx.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:392
    • C:\Windows\SysWOW64\cPaner.com
      C:\Windows\system32\cPaner.com 1240 "C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\acx.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:880
      • C:\Windows\SysWOW64\cPaner.com
        C:\Windows\system32\cPaner.com 1204 "C:\Windows\SysWOW64\cPaner.com"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\acx.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5040
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:1360
        • C:\Windows\SysWOW64\cPaner.com
          C:\Windows\system32\cPaner.com 1180 "C:\Windows\SysWOW64\cPaner.com"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3220
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\acx.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4136
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:4452
          • C:\Windows\SysWOW64\cPaner.com
            C:\Windows\system32\cPaner.com 1176 "C:\Windows\SysWOW64\cPaner.com"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3868
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\acx.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4360
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:3280
            • C:\Windows\SysWOW64\cPaner.com
              C:\Windows\system32\cPaner.com 1184 "C:\Windows\SysWOW64\cPaner.com"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:4496
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\acx.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4468
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:3756
              • C:\Windows\SysWOW64\cPaner.com
                C:\Windows\system32\cPaner.com 1192 "C:\Windows\SysWOW64\cPaner.com"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:3420
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\acx.bat
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2748
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:3564
                • C:\Windows\SysWOW64\cPaner.com
                  C:\Windows\system32\cPaner.com 1188 "C:\Windows\SysWOW64\cPaner.com"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:4248
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\acx.bat
                    9⤵
                      PID:212
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        10⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:540
                    • C:\Windows\SysWOW64\cPaner.com
                      C:\Windows\system32\cPaner.com 1200 "C:\Windows\SysWOW64\cPaner.com"
                      9⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:3044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\acx.bat
                        10⤵
                          PID:3260
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            11⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:4168
                        • C:\Windows\SysWOW64\cPaner.com
                          C:\Windows\system32\cPaner.com 1196 "C:\Windows\SysWOW64\cPaner.com"
                          10⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:3224
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c c:\acx.bat
                            11⤵
                              PID:3892
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                12⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:1664
                            • C:\Windows\SysWOW64\cPaner.com
                              C:\Windows\system32\cPaner.com 1212 "C:\Windows\SysWOW64\cPaner.com"
                              11⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              PID:4800
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c c:\acx.bat
                                12⤵
                                  PID:3980
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    13⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:3288

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            815B

            MD5

            fadf3805f68986d2ee9c82f560a564e4

            SHA1

            87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

            SHA256

            d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

            SHA512

            e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            117efa689c5631c1a1ee316f123182bd

            SHA1

            f477bf1e9f4db8452bd9fe314cd18715f7045689

            SHA256

            79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

            SHA512

            abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            9e5db93bd3302c217b15561d8f1e299d

            SHA1

            95a5579b336d16213909beda75589fd0a2091f30

            SHA256

            f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

            SHA512

            b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            5aa228bc61037ddaf7a22dab4a04e9a1

            SHA1

            b50fcd8f643ea748f989a06e38c778884b3c19f2

            SHA256

            65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b

            SHA512

            2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            2KB

            MD5

            f5fa5178657d29a36c5dc4ac9445cbdc

            SHA1

            4be1a87a89715d24d52b23c59006f9cb74437ba0

            SHA256

            f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114

            SHA512

            54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            e78a2688839aaee80b2bfdc4639329c5

            SHA1

            818a0dd05493b075a9f2eaf063e64d5a653f470a

            SHA256

            bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

            SHA512

            2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

          • C:\Users\Admin\AppData\Local\Temp\1.reg

            Filesize

            3KB

            MD5

            d085cde42c14e8ee2a5e8870d08aee42

            SHA1

            c8e967f1d301f97dbcf252d7e1677e590126f994

            SHA256

            a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

            SHA512

            de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

          • C:\Windows\SysWOW64\cPaner.com

            Filesize

            228KB

            MD5

            a22f400ce87664d7f5c214600509fcb3

            SHA1

            5a807ef099b4b71e7043d0380723becb98cb6f28

            SHA256

            25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c

            SHA512

            874ab03464ae78e092c224c2356fbbaa15bb66e7d4fd95138ef36dcca75910aff1d80d8dcc7c01b63a493344a1b89c514e21eb6cc317541cc047293941d68d29

          • \??\c:\acx.bat

            Filesize

            5KB

            MD5

            0019a0451cc6b9659762c3e274bc04fb

            SHA1

            5259e256cc0908f2846e532161b989f1295f479b

            SHA256

            ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

            SHA512

            314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
