Analysis
- max time kernel: 44s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 10:52

Static task: static1
Behavioral task: behavioral1
- Sample: updater.msi
- Resource: win7-20240221-en

General
- Target: updater.msi
- Size: 8.3MB
- MD5: 4b274f5177add19e1354e8ce7bc018de
- SHA1: 80b5ce160232d37407a4888860be4bccc019b27a
- SHA256: a8c50ffe3602a16f747b8b19fb51883f25aa6d9f53f9f2c8fd73e0f6bda4218f
- SHA512: 9c7cea2671ef94954ba751160167486c4651511a519f2413683626f791b485d259399cfd880ec15b5618dc9ad64305db1d2d0299bd0f5fe8c6db21c51494ff18
- SSDEEP: 98304:VkIe+YjNoLRunRYsIdn3dZYs2cKkFPOlzBIlq8mBE9cl1C8XPS99:hdIQRunq3jymc8GzC8Xqv
Malware Config
Extracted: lumma
- http://zamesblack.fun/api
- https://zamesblack.fun/api
Signatures

Detect Lumma Stealer payload V4 (5 IoCs)
YARA rule family_lumma_v4 matched the same memory region of process 3892 in five dumps:
- behavioral2/memory/3892-54-0x0000000000400000-0x000000000048A000-memory.dmp
- behavioral2/memory/3892-57-0x0000000000400000-0x000000000048A000-memory.dmp
- behavioral2/memory/3892-60-0x0000000000400000-0x000000000048A000-memory.dmp
- behavioral2/memory/3892-62-0x0000000000400000-0x000000000048A000-memory.dmp
- behavioral2/memory/3892-80-0x0000000000400000-0x000000000048A000-memory.dmp
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe, each entry appearing twice in the report (two msiexec.exe processes are listed): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (C:, D: and F: do not appear).
Suspicious use of SetThreadContext (1 IoC)
Processes: CSVed.exe
- PID 1480 (CSVed.exe) set thread context of PID 3892 (aspnet_compiler.exe)
Drops file in Windows directory (12 IoCs)
Processes: msiexec.exe
- File opened for modification: C:\Windows\Installer\e575def.msi
- File opened for modification: C:\Windows\Installer\MSI5FD3.tmp
- File opened for modification: C:\Windows\Installer\MSI62F1.tmp
- File opened for modification: C:\Windows\Installer\MSI643A.tmp
- File opened for modification: C:\Windows\Installer\MSI646A.tmp
- File opened for modification: C:\Windows\Installer\MSI6517.tmp
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\e575def.msi
- File created: C:\Windows\Installer\SourceHash{77542BFB-1FC7-491E-A6B8-5761E85BD6BB}
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSI66FC.tmp
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Executes dropped EXE (1 IoC)
Processes: CSVed.exe
- PID 1480 CSVed.exe
Loads dropped DLL (5 IoCs)
Processes: MsiExec.exe
- PID 4288 MsiExec.exe (5 entries)
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: msiexec.exe, CSVed.exe
- PID 1488 msiexec.exe (2 entries)
- PID 1480 CSVed.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: msiexec.exe, msiexec.exe, CSVed.exe
- PID 4472 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 1488 msiexec.exe (19 entries): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 9 times each
- PID 1480 CSVed.exe (1 entry): SeDebugPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
- PID 4472 msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: msiexec.exe, CSVed.exe
- PID 1488 (msiexec.exe) wrote to memory of PID 4288 (MsiExec.exe): 3 entries
- PID 1488 (msiexec.exe) wrote to memory of PID 1480 (CSVed.exe): 3 entries
- PID 1480 (CSVed.exe) wrote to memory of PID 3892 (aspnet_compiler.exe): 9 entries
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi
  PID: 4472
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1488
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5A102B469E218063C83186566DC04841
    PID: 4288
    Signatures: Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"
    PID: 1480
    Signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID: 3892
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2140
Downloads