Analysis

  • max time kernel
    47s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-02-2024 10:52

General

  • Target

    updater.msi

  • Size

    8.3MB

  • MD5

    4b274f5177add19e1354e8ce7bc018de

  • SHA1

    80b5ce160232d37407a4888860be4bccc019b27a

  • SHA256

    a8c50ffe3602a16f747b8b19fb51883f25aa6d9f53f9f2c8fd73e0f6bda4218f

  • SHA512

    9c7cea2671ef94954ba751160167486c4651511a519f2413683626f791b485d259399cfd880ec15b5618dc9ad64305db1d2d0299bd0f5fe8c6db21c51494ff18

  • SSDEEP

    98304:VkIe+YjNoLRunRYsIdn3dZYs2cKkFPOlzBIlq8mBE9cl1C8XPS99:hdIQRunq3jymc8GzC8Xqv

Score
10/10

Malware Config

Extracted

Family

lumma

C2

http://zamesblack.fun/api

https://zamesblack.fun/api

Signatures

  • Detect Lumma Stealer payload V4 5 IoCs
  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A3A085AA5FA48D03F124DF46DB5EDF24
      • Loads dropped DLL
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe
      "C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        PID:1588
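The process tree above (msiexec.exe launching a dropped EXE from the user's Temp directory, which in turn spawns aspnet_compiler.exe after SetThreadContext and WriteProcessMemory were flagged on it) and the C2 host from the Malware Config section can be turned into detection logic. The following is an added example, not part of the sandbox report or of any vendor's tooling: it replays constructed process-creation records shaped like Sysmon Event ID 1 (pid, parent pid, image, command line, hash, plus an assumed per-process `apis` field standing in for the sandbox's "Suspicious use of ..." signatures) that mirror the tree above, and checks URLs against the extracted C2 domain. The parent PIDs of the two top-level msiexec.exe processes are not in the report and are assumed; the benign control record is constructed.

```python
"""Detection logic for the msiexec -> Temp EXE -> aspnet_compiler.exe chain.

Added example, not from the report. Records below are constructed to mirror
the report's process tree; the `apis` field is assumed telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators copied from the report.
C2_HOSTS = {"zamesblack.fun"}
DROPPED_EXE_SHA256 = {
    "74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222",
    "20d702b233d0d47bbb9f05385ef35563d12b0dd464282283779d85c21b7475e1",
}
# The signed .NET binary that the dropped EXE spawned in this run.
INJECTION_TARGETS = {"aspnet_compiler.exe"}
# Both flagged on CSVed.exe (PID 1284) in the Signatures section.
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""
    apis: set[str] = field(default_factory=set)  # assumed API-call telemetry


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def find_suspicious_chains(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule, pid) pairs for the three behaviours seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: Windows Installer launching an EXE from the user's Temp directory.
        if (parent and basename(parent.image) == "msiexec.exe"
                and in_user_temp(e.image) and basename(e.image) != "msiexec.exe"):
            findings.append(("msiexec_spawns_temp_exe", e.pid))
        # Rule 2: a Temp-resident parent that used SetThreadContext and
        # WriteProcessMemory spawns a Microsoft .NET binary (injection pattern).
        if (parent and in_user_temp(parent.image)
                and basename(e.image) in INJECTION_TARGETS
                and INJECTION_APIS <= parent.apis):
            findings.append(("temp_exe_injects_dotnet_binary", e.pid))
        # Rule 3: exact hash match on the dropped payload.
        if e.sha256 in DROPPED_EXE_SHA256:
            findings.append(("known_dropped_exe_hash", e.pid))
    return findings


def c2_matches(urls: list[str]) -> list[str]:
    """URLs whose host is a C2 host from the report, or a subdomain of one."""
    hits = []
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        if any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS):
            hits.append(u)
    return hits


# Constructed records mirroring the report's process tree (ppid 1000/600 assumed).
SAMPLE_EVENTS = [
    ProcEvent(2876, 1000, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi"),
    ProcEvent(2656, 600, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2712, 2656, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding A3A085AA5FA48D03F124DF46DB5EDF24"),
    ProcEvent(1284, 2656, r"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"',
              sha256="74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222",
              apis={"SetThreadContext", "WriteProcessMemory", "AdjustPrivilegeToken"}),
    ProcEvent(1588, 1284, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"),
    # Benign control (constructed): an installer helper from Program Files is not flagged.
    ProcEvent(3100, 2656, r"C:\Program Files\Vendor\setup_helper.exe",
              r'"C:\Program Files\Vendor\setup_helper.exe" /quiet'),
]
SAMPLE_URLS = ["http://zamesblack.fun/api", "https://zamesblack.fun/api",
               "https://www.microsoft.com/", "https://cdn.zamesblack.fun/x"]

if __name__ == "__main__":
    for rule, pid in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
    print("C2 contact:", c2_matches(SAMPLE_URLS))
```

Rules 1 and 2 are behavioural and survive a rebuild of the payload, whereas rule 3 only catches the two CSVed.exe variants hashed in the Downloads section; in a real pipeline the `apis` field would come from whatever API-monitoring source is available, and the parent-image check should be tightened to the full System32/SysWOW64 path of msiexec.exe to avoid a same-named binary elsewhere satisfying it.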

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\f76148e.rbs

      Filesize

      1KB

      MD5

      80162742ecc5b827d1e691e4ed04056a

      SHA1

      d83ce8476abadbeb76a7a5a3bad68b529fe11844

      SHA256

      80e03a3f69bddf006ca9888e79d74e4e16217dc333a12fa9badf604b679c7a9c

      SHA512

      3c6a83566e1126ba9925c559170c57b12f30e73d8cdfcb1bf1fc8ea4a428741330084b22e05b44b5cef9fe19f5aafe96901572c3e7ff6c05ea4cd209930ddb91

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      813352d55c5ca80e16e8006670cbd1bd

      SHA1

      366ed6b980f2a5741b22377e0af921311cf823e4

      SHA256

      5784272af32a15ccb7f303862d28e5e8ea19ef2f481e06f590471889f0081681

      SHA512

      92763545323b6fc2662b27127e09b7ff084da98ca37a871a23db1982a3472c5d2cc5f385dc530ab8ce44679a1027b20137e699573febaf7a1afcb26c29888ae4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      31f18e0b4cec8514f0f602666960e480

      SHA1

      66a60183b5a4f287d8f1ea57fe6371da78ecf1da

      SHA256

      237e569d4cbb6b3846d1676ac811e2035fbb5a85851a5c13c9f2a2fb023def40

      SHA512

      2dc82a141dde04d444a55f89d771a077eb072fba2bbaff55ebcc9bb1bdc7382c7380de60a31ecf30207ee35a65d0a9b946755557945f9fb51f1c5e1a7ca30f46

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      5484aa93ae68dc1d687a3ed6fe7f1a76

      SHA1

      af222527b7d4b610fd8bea7ebfe2b9bf60fe14d2

      SHA256

      88d3c77bcd294021e218f24fb9f065620224f9d0c6ef4b286a006544835d26cf

      SHA512

      5a2192581319f2d24666fc18998418ef855580a384ea702761b91dad4b4834d131a837b7625aff25b5964ab29f6a849385842fc10f2114e2c2224b64a889a272

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\api[1]

      Filesize

      5B

      MD5

      fda44910deb1a460be4ac5d56d61d837

      SHA1

      f6d0c643351580307b2eaa6a7560e76965496bc7

      SHA256

      933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9

      SHA512

      57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

    • C:\Users\Admin\AppData\Local\Temp\Cab1325.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\Tar13D4.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

      Filesize

      5.8MB

      MD5

      04588403a23993589c515bd7dbb15136

      SHA1

      e6b98023299f2b5cbb8b47f13b7dc5d48359ab4b

      SHA256

      74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222

      SHA512

      2eb00f9755b819beff56e0a396746cb2e5681db475c4abb664b5bd90c5022c988de1b42643eff0017a458616529c8039cd85a4e1702c0fe10f8e0af83e4d8897

    • C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

      Filesize

      4.6MB

      MD5

      a88a3a4399cc290758fa04f7365a01da

      SHA1

      82a4dedaa3f8d1460ead18c359bb743d50fbbdb7

      SHA256

      20d702b233d0d47bbb9f05385ef35563d12b0dd464282283779d85c21b7475e1

      SHA512

      872a5cc844ae44de72772b4def56866d79e074e41b24bd2ffd1173bd8b7bc9e40717b163fac6d64900479faf0761c9995fd8fa390871fa83a0e56d589b543e10

    • C:\Windows\Installer\MSI1666.tmp

      Filesize

      719KB

      MD5

      89f70b588a48793450dd603b6cd4096f

      SHA1

      9b6509c031856c715d62853c4e93efbdf48d5aeb

      SHA256

      066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

      SHA512

      fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

    • memory/1284-112-0x0000000006360000-0x00000000063DA000-memory.dmp

      Filesize

      488KB

    • memory/1284-134-0x0000000073930000-0x000000007401E000-memory.dmp

      Filesize

      6.9MB

    • memory/1284-108-0x0000000006320000-0x0000000006360000-memory.dmp

      Filesize

      256KB

    • memory/1284-109-0x0000000006320000-0x0000000006360000-memory.dmp

      Filesize

      256KB

    • memory/1284-110-0x0000000006320000-0x0000000006360000-memory.dmp

      Filesize

      256KB

    • memory/1284-111-0x0000000006280000-0x0000000006312000-memory.dmp

      Filesize

      584KB

    • memory/1284-107-0x0000000006520000-0x00000000066E4000-memory.dmp

      Filesize

      1.8MB

    • memory/1284-113-0x00000000069C0000-0x0000000006A38000-memory.dmp

      Filesize

      480KB

    • memory/1284-114-0x0000000006A40000-0x0000000006A8C000-memory.dmp

      Filesize

      304KB

    • memory/1284-115-0x0000000000400000-0x00000000009D6000-memory.dmp

      Filesize

      5.8MB

    • memory/1284-102-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/1284-103-0x0000000003300000-0x00000000034C3000-memory.dmp

      Filesize

      1.8MB

    • memory/1284-104-0x0000000003300000-0x00000000034C3000-memory.dmp

      Filesize

      1.8MB

    • memory/1284-106-0x0000000073930000-0x000000007401E000-memory.dmp

      Filesize

      6.9MB

    • memory/1284-129-0x0000000003300000-0x00000000034C3000-memory.dmp

      Filesize

      1.8MB

    • memory/1588-128-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-133-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-120-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-116-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-124-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-135-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-126-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1588-122-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-118-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1588-225-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB