Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-02-2024 03:36

General

  • Target

    a81de519432b6d76d9b881cff0cf9cef.exe

  • Size

    304KB

  • MD5

    a81de519432b6d76d9b881cff0cf9cef

  • SHA1

    e35a6446307b3e55db9097cee2cdeec87e6145b6

  • SHA256

    bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce

  • SHA512

    eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730

  • SSDEEP

    6144:qR1VpFoIbQFCgMWt14yRjfT/OlaazY660vT+YZj+0Ccdak:qR1VpWIUw/k14ojfifd60rbZQcck

Score
10/10

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 (24 IoCs)
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies security service (2 TTPs, 22 IoCs)
  • Executes dropped EXE (20 IoCs)
  • Loads dropped DLL (21 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Suspicious use of SetThreadContext (11 IoCs)
  • Runs .reg file with regedit (11 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
      C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:2864
      • C:\Windows\SysWOW64\netX.exe
        C:\Windows\system32\netX.exe 512 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1880
  • C:\Windows\SysWOW64\netX.exe
    "C:\Windows\SysWOW64\netX.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:972
    • C:\Windows\SysWOW64\netX.exe
      C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\netX.exe
        "C:\Windows\SysWOW64\netX.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:292
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c c:\a.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:2488
        • C:\Windows\SysWOW64\netX.exe
          C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:736
          • C:\Windows\SysWOW64\netX.exe
            "C:\Windows\SysWOW64\netX.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            PID:1276
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c c:\a.bat
              6⤵
              PID:2512
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  7⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:592
              • C:\Windows\SysWOW64\netX.exe
                C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:1036
                • C:\Windows\SysWOW64\netX.exe
                  "C:\Windows\SysWOW64\netX.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  PID:1776
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c c:\a.bat
                    8⤵
                  PID:1132
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        9⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:2420
                    • C:\Windows\SysWOW64\netX.exe
                      C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:2500
                      • C:\Windows\SysWOW64\netX.exe
                        "C:\Windows\SysWOW64\netX.exe"
                        9⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        PID:2580
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c c:\a.bat
                          10⤵
                      PID:2980
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              11⤵
                              • Modifies security service
                              • Runs .reg file with regedit
                              PID:1756
                          • C:\Windows\SysWOW64\netX.exe
                            C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious use of SetWindowsHookEx
                            PID:2272
                            • C:\Windows\SysWOW64\netX.exe
                              "C:\Windows\SysWOW64\netX.exe"
                              11⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              PID:1340
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c c:\a.bat
                                12⤵
                          PID:1524
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    13⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:1012
                                • C:\Windows\SysWOW64\netX.exe
                                  C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2600
                                  • C:\Windows\SysWOW64\netX.exe
                                    "C:\Windows\SysWOW64\netX.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Drops file in System32 directory
                                    PID:2556
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c c:\a.bat
                                      14⤵
                              PID:2708
                                        • C:\Windows\SysWOW64\regedit.exe
                                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                          15⤵
                                          • Modifies security service
                                          • Runs .reg file with regedit
                                          PID:2112
                                      • C:\Windows\SysWOW64\netX.exe
                                        C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                                        14⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2712
                                        • C:\Windows\SysWOW64\netX.exe
                                          "C:\Windows\SysWOW64\netX.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          PID:1588
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c c:\a.bat
                                            16⤵
                                  PID:2000
                                            • C:\Windows\SysWOW64\netX.exe
                                              C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2336
                                              • C:\Windows\SysWOW64\netX.exe
                                                "C:\Windows\SysWOW64\netX.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                PID:2372
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c c:\a.bat
                                                  18⤵
                                      PID:1992
                                                    • C:\Windows\SysWOW64\regedit.exe
                                                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                                      19⤵
                                                      • Modifies security service
                                                      • Runs .reg file with regedit
                                                      PID:2452
                                                  • C:\Windows\SysWOW64\netX.exe
                                                    C:\Windows\system32\netX.exe 524 "C:\Windows\SysWOW64\netX.exe"
                                                    18⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2820
                                                    • C:\Windows\SysWOW64\netX.exe
                                                      "C:\Windows\SysWOW64\netX.exe"
                                                      19⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:2108
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c c:\a.bat
                                                        20⤵
                                          PID:2112
                                                          • C:\Windows\SysWOW64\regedit.exe
                                                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                                            21⤵
                                                            • Modifies security service
                                                            • Runs .reg file with regedit
                                                            PID:1184
  • C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    1⤵
    • Modifies security service
    • Runs .reg file with regedit
    PID:1080
  • C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    1⤵
    • Modifies security service
    • Runs .reg file with regedit
    PID:1836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 7fe70731de9e888ca911baeb99ee503d
    SHA1: 0073da5273512f66dbf570580dc55957535c2478
    SHA256: ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a
    SHA512: 4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 849B
    MD5: 558ce6da965ba1758d112b22e15aa5a2
    SHA1: a365542609e4d1dc46be62928b08612fcabe2ede
    SHA256: c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
    SHA512: 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 784B
    MD5: 5a466127fedf6dbcd99adc917bd74581
    SHA1: a2e60b101c8789b59360d95a64ec07d0723c4d38
    SHA256: 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
    SHA512: 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: 54ca6e3ef1c12b994043e85a8c9895f0
    SHA1: 5eaccfb482cbe24cf5c3203ffdc926184097427e
    SHA256: 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0
    SHA512: 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 3KB
    MD5: 9e5db93bd3302c217b15561d8f1e299d
    SHA1: 95a5579b336d16213909beda75589fd0a2091f30
    SHA256: f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
    SHA512: b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 5f6aefafda312b288b7d555c1fc36dc9
    SHA1: f25e2fdea9dd714d0fae68af71cace7bb49302ce
    SHA256: 60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a
    SHA512: 97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: b79d7c7385eb2936ecd5681762227a9b
    SHA1: c2a21fb49bd3cc8be9baac1bf6f6389453ad785d
    SHA256: fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019
    SHA512: 7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 1KB
    MD5: 908860a865f8ed2e14085e35256578dd
    SHA1: 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603
    SHA256: d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f
    SHA512: a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: 501effddf60a974e98b67dc8921aa7e8
    SHA1: 734dfe4b508dbc1527ec92e91821a1251aec5b2e
    SHA256: 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06
    SHA512: 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

  • C:\Users\Admin\AppData\Local\Temp\1.reg
    Filesize: 2KB
    MD5: 6bf876cd9994f0d41be4eca36d22c42a
    SHA1: 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
    SHA256: ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
    SHA512: 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

  • C:\Windows\SysWOW64\netX.exe
    Filesize: 136KB
    MD5: a44ba2322cc89663d4f956a1f29b124b
    SHA1: f27eabd4a09aa6063c591bd2fb64dbb0aad0955b
    SHA256: 70c777afc8d0c0825ac19eccec2ca19b815b24f125ad5df70e9c19fbf0494f40
    SHA512: 98cb33d231971176fc8744cfa106d1791e10fe1538ca66f9b28750b7a90e9aa9b2ecf9a8f285bd2889e513c6a5535e7f9844ef93cef5ea82254510af545c55ba

  • C:\a.bat
    Filesize: 5KB
    MD5: 0019a0451cc6b9659762c3e274bc04fb
    SHA1: 5259e256cc0908f2846e532161b989f1295f479b
    SHA256: ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
    SHA512: 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

  • \Windows\SysWOW64\netX.exe
    Filesize: 304KB
    MD5: a81de519432b6d76d9b881cff0cf9cef
    SHA1: e35a6446307b3e55db9097cee2cdeec87e6145b6
    SHA256: bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
    SHA512: eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730

  • memory/292-306-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/292-415-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1276-553-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1276-445-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1340-987-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1340-860-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1588-1138-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1588-1270-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1776-707-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1776-582-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1972-167-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/1972-277-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2108-1416-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/2208-14-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-6-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-16-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-2-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-8-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-12-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-4-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2208-150-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2372-1271-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2372-1400-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2556-1123-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2556-993-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2580-846-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2580-721-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB