Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26-02-2024 23:57

General

  • Target: a7b122b234de26887fae66072351a137.exe
  • Size: 230KB
  • MD5: a7b122b234de26887fae66072351a137
  • SHA1: 26cd1b664332037f040183cfc6275da0ef24848f
  • SHA256: 4588cf14ad219264d9a1e100ab9590f64d48bb16a29bdb59d292d1af25ee2f64
  • SHA512: dd2a3c73812ce6e405edd6d7262d517d799105693d2504aff40a8b85a46a4cd786e30ea526eac58586bfd54b97154c35785709e1f622ae897357c4f07313f10b
  • SSDEEP: 6144:azquP7bLg28emgyv/3K6436viwONzcuJhoG2:azq87bLg21mnfCzNGG2

Score
10/10

Signatures

  • Detect Lumma Stealer payload V4 (1 IoC)
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service (2 TTPs, 22 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Runs .reg file with regedit (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe (PID 1912)
    "C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"
    Drops file in System32 directory; Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 948)
      C:\Windows\system32\cmd.exe /c c:\a.bat
      Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\regedit.exe (PID 3988)
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        Modifies security service; Runs .reg file with regedit
    • C:\Windows\SysWOW64\Windows-Time.exe (PID 1916)
      C:\Windows\system32\Windows-Time.exe 1052 "C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"
      Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 5004)
        C:\Windows\system32\cmd.exe /c c:\a.bat
        Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\regedit.exe (PID 3724)
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          Modifies security service; Runs .reg file with regedit
      • C:\Windows\SysWOW64\Windows-Time.exe (PID 2080)
        C:\Windows\system32\Windows-Time.exe 1172 "C:\Windows\SysWOW64\Windows-Time.exe"
        Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\cmd.exe (PID 4816)
          C:\Windows\system32\cmd.exe /c c:\a.bat
          Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\regedit.exe (PID 220)
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            Modifies security service; Runs .reg file with regedit
        • C:\Windows\SysWOW64\Windows-Time.exe (PID 3272)
          C:\Windows\system32\Windows-Time.exe 1140 "C:\Windows\SysWOW64\Windows-Time.exe"
          Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
          • C:\Windows\SysWOW64\cmd.exe (PID 3896)
            C:\Windows\system32\cmd.exe /c c:\a.bat
            Suspicious use of WriteProcessMemory
            • C:\Windows\SysWOW64\regedit.exe (PID 2396)
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              Modifies security service; Runs .reg file with regedit
          • C:\Windows\SysWOW64\Windows-Time.exe (PID 3860)
            C:\Windows\system32\Windows-Time.exe 1132 "C:\Windows\SysWOW64\Windows-Time.exe"
            Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
            • C:\Windows\SysWOW64\cmd.exe (PID 3640)
              C:\Windows\system32\cmd.exe /c c:\a.bat
              Suspicious use of WriteProcessMemory
              • C:\Windows\SysWOW64\regedit.exe (PID 3524)
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                Modifies security service; Runs .reg file with regedit
            • C:\Windows\SysWOW64\Windows-Time.exe (PID 2508)
              C:\Windows\system32\Windows-Time.exe 1148 "C:\Windows\SysWOW64\Windows-Time.exe"
              Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
              • C:\Windows\SysWOW64\cmd.exe (PID 2392)
                C:\Windows\system32\cmd.exe /c c:\a.bat
                Suspicious use of WriteProcessMemory
                • C:\Windows\SysWOW64\regedit.exe (PID 1224)
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  Modifies security service; Runs .reg file with regedit
              • C:\Windows\SysWOW64\Windows-Time.exe (PID 4664)
                C:\Windows\system32\Windows-Time.exe 1156 "C:\Windows\SysWOW64\Windows-Time.exe"
                Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
                • C:\Windows\SysWOW64\cmd.exe (PID 1480)
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  Suspicious use of WriteProcessMemory
                  • C:\Windows\SysWOW64\regedit.exe (PID 3760)
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    Modifies security service; Runs .reg file with regedit
                • C:\Windows\SysWOW64\Windows-Time.exe (PID 3992)
                  C:\Windows\system32\Windows-Time.exe 1152 "C:\Windows\SysWOW64\Windows-Time.exe"
                  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
                  • C:\Windows\SysWOW64\cmd.exe (PID 4608)
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    • C:\Windows\SysWOW64\regedit.exe (PID 544)
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      Modifies security service; Runs .reg file with regedit
                  • C:\Windows\SysWOW64\Windows-Time.exe (PID 1088)
                    C:\Windows\system32\Windows-Time.exe 1164 "C:\Windows\SysWOW64\Windows-Time.exe"
                    Executes dropped EXE; Drops file in System32 directory
                    • C:\Windows\SysWOW64\cmd.exe (PID 4988)
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      • C:\Windows\SysWOW64\regedit.exe (PID 5096)
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        Modifies security service; Runs .reg file with regedit
                    • C:\Windows\SysWOW64\Windows-Time.exe (PID 4052)
                      C:\Windows\system32\Windows-Time.exe 1168 "C:\Windows\SysWOW64\Windows-Time.exe"
                      Executes dropped EXE; Drops file in System32 directory
                      • C:\Windows\SysWOW64\cmd.exe (PID 1828)
                        C:\Windows\system32\cmd.exe /c c:\a.bat
                        • C:\Windows\SysWOW64\regedit.exe (PID 1556)
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          Modifies security service; Runs .reg file with regedit
                      • C:\Windows\SysWOW64\Windows-Time.exe (PID 2416)
                        C:\Windows\system32\Windows-Time.exe 1176 "C:\Windows\SysWOW64\Windows-Time.exe"
                        Executes dropped EXE; Drops file in System32 directory
                        • C:\Windows\SysWOW64\cmd.exe (PID 1920)
                          C:\Windows\system32\cmd.exe /c c:\a.bat
                          • C:\Windows\SysWOW64\regedit.exe (PID 4812)
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            Modifies security service; Runs .reg file with regedit

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg (18 distinct files written under this name during the run, 274B to 3KB each)
  • C:\Windows\SysWOW64\Windows-Time.exe (230KB; its MD5, SHA1, SHA256 and SHA512 are identical to those of the submitted sample, so this is the sample copying itself into SysWOW64)
  • \??\c:\a.bat (5KB)