Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-02-2024 02:16

General

  • Target
    a7f52148e5518fbedbedd9097ed70183.exe
  • Size
    114KB
  • MD5
    a7f52148e5518fbedbedd9097ed70183
  • SHA1
    50ccb973e8f65810edbf951c3e50e2304e5bb69d
  • SHA256
    2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6
  • SHA512
    f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43
  • SSDEEP
    3072:H7hqiAJzrGZCDIBBIUmbv9fhnz8bGlaKfn4yxzjxS:HlAJXGZoIBiU0v9fZwbGxvbK

Score
10/10

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 26 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service 2 TTPs 20 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops file in System32 directory 22 IoCs
  • Runs .reg file with regedit 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe
    "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:2996
    • C:\Windows\SysWOW64\nod64.exe
      C:\Windows\system32\nod64.exe 512 "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\SysWOW64\nod64.exe
        C:\Windows\system32\nod64.exe 528 "C:\Windows\SysWOW64\nod64.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:2384
        • C:\Windows\SysWOW64\nod64.exe
          C:\Windows\system32\nod64.exe 544 "C:\Windows\SysWOW64\nod64.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1288
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\a.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:2728
          • C:\Windows\SysWOW64\nod64.exe
            C:\Windows\system32\nod64.exe 540 "C:\Windows\SysWOW64\nod64.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:240
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:2032
            • C:\Windows\SysWOW64\nod64.exe
              C:\Windows\system32\nod64.exe 548 "C:\Windows\SysWOW64\nod64.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c c:\a.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2864
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:1728
              • C:\Windows\SysWOW64\nod64.exe
                C:\Windows\system32\nod64.exe 556 "C:\Windows\SysWOW64\nod64.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                PID:2028
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c c:\a.bat
                  8⤵
                    PID:2044
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      9⤵
                      • Modifies security service
                      • Runs .reg file with regedit
                      PID:1812
                  • C:\Windows\SysWOW64\nod64.exe
                    C:\Windows\system32\nod64.exe 552 "C:\Windows\SysWOW64\nod64.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    PID:1332
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c c:\a.bat
                      9⤵
                        PID:2540
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          10⤵
                          • Modifies security service
                          • Runs .reg file with regedit
                          PID:2388
                      • C:\Windows\SysWOW64\nod64.exe
                        C:\Windows\system32\nod64.exe 560 "C:\Windows\SysWOW64\nod64.exe"
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        PID:2808
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          10⤵
                            PID:944
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              11⤵
                              • Modifies security service
                              • Runs .reg file with regedit
                              PID:2628
                          • C:\Windows\SysWOW64\nod64.exe
                            C:\Windows\system32\nod64.exe 564 "C:\Windows\SysWOW64\nod64.exe"
                            10⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            PID:2744
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c c:\a.bat
                              11⤵
                                PID:2616
                                • C:\Windows\SysWOW64\regedit.exe
                                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                  12⤵
                                  • Modifies security service
                                  • Runs .reg file with regedit
                                  PID:832
                              • C:\Windows\SysWOW64\nod64.exe
                                C:\Windows\system32\nod64.exe 568 "C:\Windows\SysWOW64\nod64.exe"
                                11⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                PID:2112
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c c:\a.bat
                                  12⤵
                                    PID:2484
                                    • C:\Windows\SysWOW64\regedit.exe
                                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                      13⤵
                                      • Modifies security service
                                      • Runs .reg file with regedit
                                      PID:1252

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 298B
    MD5: 4117e5a9c995bab9cd3bce3fc2b99a46
    SHA1: 80144ccbad81c2efb1df64e13d3d5f59ca4486da
    SHA256: 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
    SHA512: bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 9e5db93bd3302c217b15561d8f1e299d
    SHA1: 95a5579b336d16213909beda75589fd0a2091f30
    SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
    SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 384B
    MD5: c93c561465db53bf9a99759de9d25f07
    SHA1: 5386934828e2c2589bfe394ac1f03ffbfba93bfa
    SHA256: 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
    SHA512: bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: d5e129352c8dd0032b51f34a2bbecad3
    SHA1: a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
    SHA256: ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
    SHA512: 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: cd085b8c40e69c2bf1eb3d59f8155b99
    SHA1: 3499260f24020fe6d54d9d632d34ba2770bb06e0
    SHA256: 10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c
    SHA512: 3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: f82bc8865c1f6bf7125563479421f95c
    SHA1: 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d
    SHA256: f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6
    SHA512: 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 3bd23392c6fcc866c4561388c1dc72ac
    SHA1: c4b1462473f1d97fed434014532ea344b8fc05c1
    SHA256: 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
    SHA512: 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

  • C:\a.bat
    Filesize: 5KB
    MD5: 0019a0451cc6b9659762c3e274bc04fb
    SHA1: 5259e256cc0908f2846e532161b989f1295f479b
    SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
    SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

  • \Windows\SysWOW64\nod64.exe
    Filesize: 76KB
    MD5: 8411da2727ff47a72ab856710db24e81
    SHA1: 726e2ef167a65fed55c3e76b6fdd04098b447d56
    SHA256: e2c87d03abc7bd96803fa5f675d3c91d65445ce6d5c59aa75cc9778403c2250c
    SHA512: 984d5107eac9e9c0b03efddb7a1d9d298f7695870a06fe227e08490eacf9f223b92abaf6e19d50caaabdf7c785ab094ceff32ce5b1c8cd675aa5a767b9b0a13f

  • \Windows\SysWOW64\nod64.exe
    Filesize: 114KB
    MD5: a7f52148e5518fbedbedd9097ed70183
    SHA1: 50ccb973e8f65810edbf951c3e50e2304e5bb69d
    SHA256: 2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6
    SHA512: f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43

  • memory/1288-507-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/1288-264-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/1332-1001-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/1968-635-0x0000000002840000-0x000000000297D000-memory.dmp (Filesize: 1.2MB)
  • memory/1968-879-0x0000000002840000-0x000000000297D000-memory.dmp (Filesize: 1.2MB)
  • memory/1968-637-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/1968-512-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2028-760-0x0000000002960000-0x0000000002A9D000-memory.dmp (Filesize: 1.2MB)
  • memory/2028-761-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2028-1002-0x0000000002960000-0x0000000002A9D000-memory.dmp (Filesize: 1.2MB)
  • memory/2104-133-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2104-0-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2104-128-0x0000000002910000-0x0000000002A4D000-memory.dmp (Filesize: 1.2MB)
  • memory/2104-2-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2560-513-0x0000000002A60000-0x0000000002B9D000-memory.dmp (Filesize: 1.2MB)
  • memory/2560-514-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2560-755-0x0000000002A60000-0x0000000002B9D000-memory.dmp (Filesize: 1.2MB)
  • memory/2560-402-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2560-505-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2684-508-0x0000000002850000-0x000000000298D000-memory.dmp (Filesize: 1.2MB)
  • memory/2684-265-0x0000000002850000-0x000000000298D000-memory.dmp (Filesize: 1.2MB)
  • memory/2684-266-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2744-1133-0x0000000002980000-0x0000000002ABD000-memory.dmp (Filesize: 1.2MB)
  • memory/2744-1131-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2744-1129-0x0000000002980000-0x0000000002ABD000-memory.dmp (Filesize: 1.2MB)
  • memory/2808-1008-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/2808-1007-0x00000000029F0000-0x0000000002B2D000-memory.dmp (Filesize: 1.2MB)
  • memory/2808-1250-0x00000000029F0000-0x0000000002B2D000-memory.dmp (Filesize: 1.2MB)
  • memory/3008-144-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)
  • memory/3008-140-0x0000000002A00000-0x0000000002B3D000-memory.dmp (Filesize: 1.2MB)
  • memory/3008-142-0x0000000002A00000-0x0000000002B3D000-memory.dmp (Filesize: 1.2MB)
  • memory/3008-132-0x0000000000400000-0x000000000053C7BA-memory.dmp (Filesize: 1.2MB)