Analysis
-
max time kernel
47s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
27-02-2024 10:52
Static task
static1
Behavioral task
behavioral1
Sample
updater.msi
Resource
win7-20240221-en
General
-
Target
updater.msi
-
Size
8.3MB
-
MD5
4b274f5177add19e1354e8ce7bc018de
-
SHA1
80b5ce160232d37407a4888860be4bccc019b27a
-
SHA256
a8c50ffe3602a16f747b8b19fb51883f25aa6d9f53f9f2c8fd73e0f6bda4218f
-
SHA512
9c7cea2671ef94954ba751160167486c4651511a519f2413683626f791b485d259399cfd880ec15b5618dc9ad64305db1d2d0299bd0f5fe8c6db21c51494ff18
-
SSDEEP
98304:VkIe+YjNoLRunRYsIdn3dZYs2cKkFPOlzBIlq8mBE9cl1C8XPS99:hdIQRunq3jymc8GzC8Xqv
Malware Config
Extracted
Family: lumma
C2 (same host over HTTP and HTTPS):
http://zamesblack.fun/api
https://zamesblack.fun/api
Signatures
-
Detect Lumma Stealer payload V4 (5 IoCs)
YARA matches (resource, rule):
- behavioral1/memory/1588-124-0x0000000000400000-0x000000000048A000-memory.dmp  family_lumma_v4
- behavioral1/memory/1588-128-0x0000000000400000-0x000000000048A000-memory.dmp  family_lumma_v4
- behavioral1/memory/1588-133-0x0000000000400000-0x000000000048A000-memory.dmp  family_lumma_v4
- behavioral1/memory/1588-135-0x0000000000400000-0x000000000048A000-memory.dmp  family_lumma_v4
- behavioral1/memory/1588-225-0x0000000000400000-0x000000000048A000-memory.dmp  family_lumma_v4
All five hits are snapshots of the same 0x8A000-byte region at 0x400000 in PID 1588 (aspnet_compiler.exe), the process that CSVed.exe wrote to and re-pointed with SetThreadContext. No on-disk resource is listed as matching: the rule only fires on the unpacked payload in memory. -
Blocklisted process makes network request (3 IoCs)
Processes (flow, pid, process):
- flow 3  pid 2876  msiexec.exe
- flow 5  pid 2876  msiexec.exe
- flow 6  pid 2656  msiexec.exe -
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process): 46 entries of the form "File opened (read-only) \??\<letter>: msiexec.exe", two per drive letter, covering A:, B:, E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y: and Z: (every letter except C:, D: and F:). The signature is attributed to two msiexec.exe processes. msiexec.exe routinely probes all drive letters during an install, so on its own this is weak evidence. -
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1284 set thread context of PID 1588: CSVed.exe -> aspnet_compiler.exe -
Drops file in Windows directory (9 IoCs)
Processes (description, ioc, process):
- File created C:\Windows\Installer\f76148a.msi  msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1666.tmp  msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1741.tmp  msiexec.exe
- File opened for modification C:\Windows\Installer\f76148d.ipi  msiexec.exe
- File opened for modification C:\Windows\Installer\f76148a.msi  msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1781.tmp  msiexec.exe
- File created C:\Windows\Installer\f76148d.ipi  msiexec.exe
- File opened for modification C:\Windows\Installer\  msiexec.exe
- File opened for modification C:\Windows\Installer\MSI1917.tmp  msiexec.exe -
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1284 CSVed.exe -
Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 2712 MsiExec.exe (three DLL loads) -
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 2656 msiexec.exe (2)
- 1284 CSVed.exe (2) -
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes (description, pid, process), grouped by process:
- PID 2876 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 2656 msiexec.exe (19 entries): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then eight further SeRestorePrivilege/SeTakeOwnershipPrivilege pairs
- PID 1284 CSVed.exe (1 entry): SeDebugPrivilege
The msiexec.exe entries are the Installer's usual privilege adjustments. The one worth noting is the dropped CSVed.exe enabling SeDebugPrivilege, the privilege injectors typically turn on before opening other processes. -
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 2876 msiexec.exe (2) -
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process):
- PID 2656 msiexec.exe wrote to memory of PID 2712 MsiExec.exe (7 times)
- PID 2656 msiexec.exe wrote to memory of PID 1284 CSVed.exe (4 times)
- PID 1284 CSVed.exe wrote to memory of PID 1588 aspnet_compiler.exe (10 times)
The first two pairs are a parent setting up the children it just created. The third, taken together with the SetThreadContext entry above, is the write-then-redirect sequence of process hollowing: CSVed.exe fills aspnet_compiler.exe with the Lumma image and then points its thread at it.
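The WriteProcessMemory counts above are only meaningful in combination with the SetThreadContext entry: a parent writing into its freshly created child is routine, a writer that then changes the child's thread context is not. The Python below is an added example, not part of this sandbox report, that encodes that rule: it groups cross-process API calls by (caller, target) and only flags pairs that progress from memory writes to a context switch. CALLS is constructed from the signature tables above; the final ResumeThread record and the ordering within each pair are assumptions, since the report gives counts rather than a timeline.

```python
"""Rank cross-process API activity from this report's signature tables.

Added example, not part of the sandbox report. CALLS is constructed from the
WriteProcessMemory and SetThreadContext signatures as (caller PID, API,
target PID) records; the trailing ResumeThread record and the ordering
within each pair are assumptions, since the report lists counts, not a
timeline.
"""
from collections import OrderedDict

# The hollowing progression we look for, per (caller, target) pair, in order.
STAGES = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def score_pairs(calls):
    """Return {(caller, target): {"writes": n, "stage": k}}.

    stage is how far the pair advanced through STAGES in order (0..3);
    a call that arrives out of order does not advance it."""
    pairs = OrderedDict()
    for caller, api, target in calls:
        if caller == target:
            continue  # self-targeted calls are not injection
        state = pairs.setdefault((caller, target), {"writes": 0, "stage": 0})
        if api == "WriteProcessMemory":
            state["writes"] += 1
            state["stage"] = max(state["stage"], 1)
        elif api in STAGES:
            idx = STAGES.index(api)
            if state["stage"] == idx:  # only advance from the preceding stage
                state["stage"] = idx + 1
    return pairs


def hollowing_suspects(calls):
    """Pairs that reached SetThreadContext (or further) after writing memory.

    Plain WriteProcessMemory from a parent into its new child (msiexec ->
    MsiExec, msiexec -> CSVed in this report) never passes stage 1 and is
    left out, which is what keeps this rule quiet on ordinary installs."""
    return [pair for pair, state in score_pairs(calls).items() if state["stage"] >= 2]


CALLS = (
    [(2656, "WriteProcessMemory", 2712)] * 7     # msiexec.exe -> MsiExec.exe (report: 7)
    + [(2656, "WriteProcessMemory", 1284)] * 4   # msiexec.exe -> CSVed.exe (report: 4)
    + [(1284, "WriteProcessMemory", 1588)] * 10  # CSVed.exe -> aspnet_compiler.exe (report: 10)
    + [(1284, "SetThreadContext", 1588)]         # report: 1
    + [(1284, "ResumeThread", 1588)]             # assumed; the report does not list it
)

if __name__ == "__main__":
    for pair, state in score_pairs(CALLS).items():
        print(pair, state)
    print("hollowing suspects:", hollowing_suspects(CALLS))
```

Run against CALLS, the two msiexec.exe pairs stop at stage 1 and only (1284, 1588) is reported; a SetThreadContext with no preceding write to the same target stays at stage 0 rather than being scored as a partial match.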
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2876
-
C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2656
  C:\Windows\syswow64\MsiExec.exe (depth 2)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3A085AA5FA48D03F124DF46DB5EDF24
    - Loads dropped DLL
    PID: 2712
  C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1284
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 3)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID: 1588
-
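The tree above is the chain a detection engineer would want to catch before the payload runs: the Installer service (msiexec.exe /V) spawning a dropped executable out of %TEMP%, which in turn launches aspnet_compiler.exe with no arguments at all. The Python below is an added example, not part of this report, that applies those two rules to process-creation records. SAMPLE_EVENTS mirrors the report's tree; the parent PIDs of the two top-level msiexec.exe processes (500 and 1000), the benign MSBuild control pair (3999 and 4000), the ASPNET_LEGIT_PARENTS allow-list and the record field names are assumptions.

```python
"""Hunt for the execution chain in this report's process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the tree above; the parent PIDs of the two top-level msiexec.exe
processes (500, 1000), the benign MSBuild control pair (3999, 4000), the
ASPNET_LEGIT_PARENTS allow-list and the record field names are assumptions.
"""
import shlex
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


# Parents that legitimately run aspnet_compiler.exe (assumed allow-list; tune per estate).
ASPNET_LEGIT_PARENTS = {"devenv.exe", "msbuild.exe", "aspnet_regiis.exe"}
# Path fragments of directories any user can write to (lower-case for matching).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def has_arguments(cmdline: str) -> bool:
    # posix=False keeps backslashes literal and treats a "quoted path" as one token.
    return len(shlex.split(cmdline, posix=False)) > 1


def chain(pid: int, by_pid: dict) -> list:
    """Image names from the oldest recorded ancestor down to pid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


def find_suspicious(events: list) -> list:
    """Return (rule, pid, chain) triples in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        # Rule 1: the Installer service starts an executable from a user-writable
        # directory, i.e. an MSI custom action launching its own dropped payload.
        if parent_name == "msiexec.exe" and in_user_writable_dir(e.image):
            findings.append(("msiexec_spawns_dropped_exe", e.pid, chain(e.pid, by_pid)))
        # Rule 2: aspnet_compiler.exe with no arguments does no real work; when the
        # parent is unknown or outside the allow-list it is a hollowing host candidate.
        if (image_name(e.image) == "aspnet_compiler.exe"
                and not has_arguments(e.cmdline)
                and parent_name not in ASPNET_LEGIT_PARENTS):
            findings.append(("aspnet_compiler_no_args", e.pid, chain(e.pid, by_pid)))
    return findings


# Constructed telemetry mirroring the report's tree (PIDs and command lines from the report).
SAMPLE_EVENTS = [
    ProcEvent(2876, 1000, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi"),
    ProcEvent(2656, 500, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2712, 2656, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding A3A085AA5FA48D03F124DF46DB5EDF24"),
    ProcEvent(1284, 2656, r"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"'),
    ProcEvent(1588, 1284, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    # Benign control (assumed): MSBuild precompiling a site with the usual arguments.
    ProcEvent(3999, 1, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe site.proj"),
    ProcEvent(4000, 3999, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"aspnet_compiler.exe -v / -p C:\src\site C:\out"),
]

if __name__ == "__main__":
    for rule, pid, names in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} via {' > '.join(names)}")
```

Both rules are cheap to run over EDR process-creation telemetry. The argument-less aspnet_compiler.exe check does not depend on the dropper's name or path, so it survives the next rename of CSVed.exe; the MSBuild control pair shows a real precompile passing through untouched.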
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
80162742ecc5b827d1e691e4ed04056a
SHA1
d83ce8476abadbeb76a7a5a3bad68b529fe11844
SHA256
80e03a3f69bddf006ca9888e79d74e4e16217dc333a12fa9badf604b679c7a9c
SHA512
3c6a83566e1126ba9925c559170c57b12f30e73d8cdfcb1bf1fc8ea4a428741330084b22e05b44b5cef9fe19f5aafe96901572c3e7ff6c05ea4cd209930ddb91
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
813352d55c5ca80e16e8006670cbd1bd
SHA1
366ed6b980f2a5741b22377e0af921311cf823e4
SHA256
5784272af32a15ccb7f303862d28e5e8ea19ef2f481e06f590471889f0081681
SHA512
92763545323b6fc2662b27127e09b7ff084da98ca37a871a23db1982a3472c5d2cc5f385dc530ab8ce44679a1027b20137e699573febaf7a1afcb26c29888ae4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
31f18e0b4cec8514f0f602666960e480
SHA1
66a60183b5a4f287d8f1ea57fe6371da78ecf1da
SHA256
237e569d4cbb6b3846d1676ac811e2035fbb5a85851a5c13c9f2a2fb023def40
SHA512
2dc82a141dde04d444a55f89d771a077eb072fba2bbaff55ebcc9bb1bdc7382c7380de60a31ecf30207ee35a65d0a9b946755557945f9fb51f1c5e1a7ca30f46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
5484aa93ae68dc1d687a3ed6fe7f1a76
SHA1
af222527b7d4b610fd8bea7ebfe2b9bf60fe14d2
SHA256
88d3c77bcd294021e218f24fb9f065620224f9d0c6ef4b286a006544835d26cf
SHA512
5a2192581319f2d24666fc18998418ef855580a384ea702761b91dad4b4834d131a837b7625aff25b5964ab29f6a849385842fc10f2114e2c2224b64a889a272
-
Filesize
5B
MD5
fda44910deb1a460be4ac5d56d61d837
SHA1
f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256
933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512
57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1
-
Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD5
9c0c641c06238516f27941aa1166d427
SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
5.8MB
MD5
04588403a23993589c515bd7dbb15136
SHA1
e6b98023299f2b5cbb8b47f13b7dc5d48359ab4b
SHA256
74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222
SHA512
2eb00f9755b819beff56e0a396746cb2e5681db475c4abb664b5bd90c5022c988de1b42643eff0017a458616529c8039cd85a4e1702c0fe10f8e0af83e4d8897
-
Filesize
4.6MB
MD5
a88a3a4399cc290758fa04f7365a01da
SHA1
82a4dedaa3f8d1460ead18c359bb743d50fbbdb7
SHA256
20d702b233d0d47bbb9f05385ef35563d12b0dd464282283779d85c21b7475e1
SHA512
872a5cc844ae44de72772b4def56866d79e074e41b24bd2ffd1173bd8b7bc9e40717b163fac6d64900479faf0761c9995fd8fa390871fa83a0e56d589b543e10
-
Filesize
719KB
MD5
89f70b588a48793450dd603b6cd4096f
SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a