Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-f2njwahb87
Target Laun4er___Pswrd--1231.rar
SHA256 0f6f7876e556d8a0aaa9079710e980901cba752cc159f437b16e2d4a44bc693a
Tags: lumma stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0f6f7876e556d8a0aaa9079710e980901cba752cc159f437b16e2d4a44bc693a

Threat Level: Known bad

The file Laun4er___Pswrd--1231.rar was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-27 05:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-27 05:22

Reported: 2024-02-27 05:25

Platform: win10v2004-20240226-en

Max time kernel: 146s

Max time network: 153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Laun4er___Pswrd--1231.rar

Signatures

Lumma Stealer

Tags: stealer, lumma

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

The process reading this key is cmd.exe, not the dropped executable, and the Geo\Nation value is read by many ordinary Windows components during locale setup; on its own this signature carries little weight and is listed here for completeness.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1340 set thread context of 3776 | N/A | C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

BitLockerToGo.exe is a Microsoft-signed binary that ships with Windows. A user-Desktop executable (Setupp.exe, PID 1340) setting the thread context of a freshly spawned copy of it, together with the WriteProcessMemory signature listed in the summary, is the process-hollowing pattern: the legitimate image is started, its memory overwritten, and its main thread redirected into the injected code. The 0x660000-0x6A8000 region dumped from PID 3776 under Files is the memory the sandbox captured from the hollowed process and is the first place to look for the unpacked payload rather than the on-disk Setupp.exe.
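The sequence behind the SetThreadContext signature (spawn a trusted host suspended, write into it, set its thread context, resume it) is what a detection should key on, not the single API. The following is an added example, not code from the report or from the sandbox vendor. It parses a constructed API trace in a simplified "caller-pid api key=value" layout (the layout is an assumption; real sandboxes use their own schema), using the PIDs, image paths and the 0x48000-byte region size from this report for the malicious session plus a hypothetical benign session that writes memory without hollowing, and flags only pairs that perform all four steps in order from a user-writable path into a Windows binary.

```python
import re
from collections import defaultdict

# Constructed API-trace lines in a simplified "<caller pid> <api> key=value ..." layout
# (the layout is an assumption for this example; real sandboxes use their own schema).
# The first session uses values from the report: Setupp.exe (PID 1340) sets the thread
# context of BitLockerToGo.exe (PID 3776), and the dumped region 0x660000-0x6A8000 of
# PID 3776 is 0x48000 bytes. The second session (PIDs 5120/5200) is a hypothetical
# benign control that writes memory but never sets a thread context.
SAMPLE_TRACE = r"""
1340 CreateProcessW image="C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" flags=0x4 pid=3776
1340 WriteProcessMemory pid=3776 addr=0x660000 size=0x48000
1340 SetThreadContext pid=3776 tid=3780
1340 ResumeThread pid=3776 tid=3780
5120 CreateProcessW image="C:\Windows\System32\notepad.exe" flags=0x0 pid=5200
5120 WriteProcessMemory pid=5200 addr=0x7ff600000000 size=0x10
"""

# Image path per caller PID, as the sandbox process list records it (PID 5120 is hypothetical).
PROCESS_IMAGES = {
    1340: r"C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe",
    5120: r"C:\Windows\System32\svchost.exe",
}

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit used to spawn the host paused
HOLLOW_STEPS = ("CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
LINE_RE = re.compile(r"^(?P<src>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def _coerce(value):
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", value):
        return int(value, 16)
    if value.isdigit():
        return int(value)
    return value


def parse_trace(text):
    """Turn trace lines into dicts: {'src': caller pid, 'api': name, <key>: value, ...}."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for key, raw, quoted in KV_RE.findall(m.group("args")):
            args[key] = _coerce(quoted if raw.startswith('"') else raw)
        events.append({"src": int(m.group("src")), "api": m.group("api"), **args})
    return events


def _in_user_writable_path(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def find_hollowing(events, images):
    """Flag (caller, target) pairs that perform the full hollowing sequence in order."""
    sessions = defaultdict(dict)  # (src, target pid) -> {api: (order index, event)}
    for idx, ev in enumerate(events):
        target = ev.get("pid")
        if target is None:
            continue
        sessions[(ev["src"], target)].setdefault(ev["api"], (idx, ev))

    findings = []
    for (src, target), seen in sessions.items():
        if not all(step in seen for step in HOLLOW_STEPS):
            continue
        order = [seen[step][0] for step in HOLLOW_STEPS]
        if order != sorted(order):  # all steps present but out of sequence: not hollowing
            continue
        create = seen["CreateProcessW"][1]
        src_image = images.get(src, "")
        target_image = create.get("image", "")
        findings.append({
            "source_pid": src,
            "target_pid": target,
            "source_image": src_image,
            "target_image": target_image,
            "created_suspended": bool(create.get("flags", 0) & CREATE_SUSPENDED),
            "source_in_user_path": _in_user_writable_path(src_image),
            "target_is_windows_binary": target_image.lower().startswith("c:\\windows\\"),
            "written_bytes": seen["WriteProcessMemory"][1].get("size", 0),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_trace(SAMPLE_TRACE), PROCESS_IMAGES):
        print(f"hollowing: {f['source_image']} ({f['source_pid']}) -> "
              f"{f['target_image']} ({f['target_pid']}), "
              f"{f['written_bytes']:#x} bytes written, suspended={f['created_suspended']}")
```

The order check matters: a debugger or a crash handler may also call SetThreadContext on a process it created, but it does not write a complete image into the target first and then resume it. Requiring the suspended-create flag and a user-writable source path keeps the rule from firing on signed installers that use the same APIs from Program Files.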

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 (privilege LUID 35, which is SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

The 7zFM.exe entries in this table and in the GetForegroundWindowSpam and AdjustPrivilegeToken tables above come from the 7-Zip File Manager GUI that the sandbox used to open the archive; 7-Zip enables the restore, security and symbolic-link privileges when it extracts files. They describe the extraction step, not the malware, and should not be turned into indicators.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Laun4er___Pswrd--1231.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Laun4er___Pswrd--1231.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe

"C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe"

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe

"C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 sermonundressolcow.shop udp
US 172.67.163.37:443 sermonundressolcow.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 37.163.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
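Most rows in the table are noise for indicator purposes: reverse (in-addr.arpa) lookups the sandbox itself issues, queries to the 8.8.8.8 resolver, and Microsoft background traffic such as g.bing.com. The nine .shop/.fun/.pw names are the material worth extracting, and the five that resolved all landed on Cloudflare addresses (104.21.x.x, 172.67.x.x), so blocking those IPs would block unrelated sites while the operator can rotate them freely; block and hunt on the names. The following is an added example, not code from the report or from the sandbox vendor: it parses the table above (pasted as constructed input, including the 52.142.223.178:80 row for which the sandbox recorded no name), drops the noise, maps each name to the address it resolved to, and emits a domain-level blocklist. The allowlist, resolver set and Cloudflare ranges are assumptions to adjust for your environment.

```python
import ipaddress
from collections import defaultdict

# The Network table from this report, pasted as plain text (constructed input for the
# example; rows are copied from the table above). A row without a domain column means
# the sandbox saw the connection but did not associate a DNS name with it.
NETWORK_TABLE = """
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 sermonundressolcow.shop udp
US 172.67.163.37:443 sermonundressolcow.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 37.163.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
"""

BENIGN_DOMAINS = {"g.bing.com"}   # OS/sandbox background traffic; extend per environment (assumption)
RESOLVERS = {"8.8.8.8"}           # the sandbox's DNS server: these rows are queries, not C2 connections
# Cloudflare IPv4 ranges covering the resolved addresses (from Cloudflare's published list;
# an assumption to re-check, since the list changes).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]


def parse_network(text):
    """Rows -> dicts; handles the 3-column form where no domain was recorded."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Separate candidate C2 names from resolver chatter, PTR noise and allowlisted hosts."""
    out = {"c2_domains": set(), "domain_to_ip": defaultdict(set),
           "cdn_fronted": set(), "unattributed_ips": set()}
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa") or d in BENIGN_DOMAINS:
            continue                      # reverse lookups and known-good names
        if r["ip"] in RESOLVERS:
            if d:
                out["c2_domains"].add(d)  # a query for an unknown name is itself an IOC
            continue
        if d:
            out["c2_domains"].add(d)
            out["domain_to_ip"][d].add(r["ip"])
            if any(ipaddress.ip_address(r["ip"]) in net for net in CDN_RANGES):
                out["cdn_fronted"].add(d)
        else:
            out["unattributed_ips"].add(r["ip"])  # needs manual attribution before blocking
    return out


def blocklist(result):
    """Domain-level block entries; CDN-fronted names deliberately get no IP entry."""
    lines = [f"domain {d}" for d in sorted(result["c2_domains"])]
    for d, ips in sorted(result["domain_to_ip"].items()):
        if d not in result["cdn_fronted"]:
            lines.extend(f"ip {ip}  # {d}" for ip in sorted(ips))
    return lines


if __name__ == "__main__":
    result = triage(parse_network(NETWORK_TABLE))
    print("\n".join(blocklist(result)))
    print("unattributed:", sorted(result["unattributed_ips"]))
```

For this sample the output is nine domain entries and no IP entries, because every name that resolved sits behind Cloudflare; 52.142.223.178 is reported separately as unattributed rather than blocked, since the table gives no name for it and a bare port-80 connection from a Windows 10 sandbox is as likely to be OS traffic as C2.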

Files

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe

MD5 c3ca6e54a505d3a6c5d05c60959f1951
SHA1 51ebe39cc258b27a67db249c46b90d9640d789b9
SHA256 d5c9d3b60aa9d7eb387edcc90de3f5088658a531620ab6089752c4e501e94b8c
SHA512 8486ad593c7cc0d3dd6b03a38f0dde6fe85f1a32a3ee8a09095463dde72472db8c41a26dd1242940beeb9bc6a39a5973539257ad7113728596a0847bce7fb82f

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe

MD5 d7891655b042e952eaddd9bca6e2766d
SHA1 efd3a91d3f87d3d459a173d88a45ecdf24392e1f
SHA256 6e2f740731ac28de1a9e107add1128f47046e7fab01b13c37df3e13e0cd7832b
SHA512 19ce3734ff698dd830866134d169d178e92a4e5ae1f72e3313c9c159431d17c5941118d1fef87c93edfa405e88394d76606e06000877d8c3f14a00fd11081057

memory/1340-278-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1340-279-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe

MD5 d9bd8b7a158589e5f209c49fd6dd6951
SHA1 538dd485892a827da29c8815803f16b0992e6212
SHA256 9540e760bd0b0f38f117812b301d746076df9991cd882e094739723d874fb93d
SHA512 aadb08ca50a4cfb7225441954888266f2b37fe00ad081049d9bf073c8632f54f9791c659ef34672e1ec8ec459d2839f63dce9e2e6824a1f341f21de71c637360

memory/1340-283-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/3776-286-0x0000000000660000-0x00000000006A8000-memory.dmp

memory/3776-289-0x0000000000660000-0x00000000006A8000-memory.dmp

memory/1340-287-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-291-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/3776-293-0x0000000000990000-0x0000000000991000-memory.dmp

memory/3776-292-0x0000000000660000-0x00000000006A8000-memory.dmp

memory/1408-294-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-295-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-296-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-297-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-298-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-299-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp

memory/1408-300-0x00007FF6CD4B0000-0x00007FF6D227C000-memory.dmp