Malware Analysis Report

2024-11-15 06:18

Sample ID 240227-myjvvafd2y
Target updater.msi.zip
SHA256 c5a3407d4fe90acb290604aa260d14f5d5fa44473c39944a05c348c94f9a6da0
Tags lumma stealer
Score 10/10


Analysis Overview

Score 10/10

SHA256

c5a3407d4fe90acb290604aa260d14f5d5fa44473c39944a05c348c94f9a6da0

Threat Level: Known bad

The file updater.msi.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Detect Lumma Stealer payload V4

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-02-27 10:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-27 10:52
Reported 2024-02-27 10:53
Platform win7-20240221-en
Max time kernel 47s
Max time network 41s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
(5 hits, all fields N/A: no description, indicator, process or target recorded)

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (3 hits)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 drive letters, each opened twice; 46 hits in total) C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1284 set thread context of 1588 N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76148a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1666.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1741.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76148d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76148a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1781.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76148d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1917.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A (3 hits)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 hits)
N/A N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe N/A (2 hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A (8 further hits)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A (8 further hits, alternating with the row above)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2712 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe (7 hits)
PID 2656 wrote to memory of 1284 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe (4 hits)
PID 1284 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (10 hits)

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A3A085AA5FA48D03F124DF46DB5EDF24

C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 noladuer.pw udp
US 8.8.8.8:53 bluepablo.fun udp
US 8.8.8.8:53 howlcars.fun udp
US 8.8.8.8:53 comperssw.fun udp
US 8.8.8.8:53 duhodown.fun udp
US 8.8.8.8:53 kowersize.fun udp
US 8.8.8.8:53 mouseoiet.fun udp
US 8.8.8.8:53 plengreg.fun udp
US 8.8.8.8:53 zamesblack.fun udp
US 104.21.13.74:80 zamesblack.fun tcp
US 104.21.13.74:80 zamesblack.fun tcp
US 104.21.13.74:443 zamesblack.fun tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 2.19.169.32:80 x2.c.lencr.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab1325.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar13D4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5484aa93ae68dc1d687a3ed6fe7f1a76
SHA1 af222527b7d4b610fd8bea7ebfe2b9bf60fe14d2
SHA256 88d3c77bcd294021e218f24fb9f065620224f9d0c6ef4b286a006544835d26cf
SHA512 5a2192581319f2d24666fc18998418ef855580a384ea702761b91dad4b4834d131a837b7625aff25b5964ab29f6a849385842fc10f2114e2c2224b64a889a272

C:\Windows\Installer\MSI1666.tmp

MD5 89f70b588a48793450dd603b6cd4096f
SHA1 9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512 fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

C:\Config.Msi\f76148e.rbs

MD5 80162742ecc5b827d1e691e4ed04056a
SHA1 d83ce8476abadbeb76a7a5a3bad68b529fe11844
SHA256 80e03a3f69bddf006ca9888e79d74e4e16217dc333a12fa9badf604b679c7a9c
SHA512 3c6a83566e1126ba9925c559170c57b12f30e73d8cdfcb1bf1fc8ea4a428741330084b22e05b44b5cef9fe19f5aafe96901572c3e7ff6c05ea4cd209930ddb91

C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

MD5 a88a3a4399cc290758fa04f7365a01da
SHA1 82a4dedaa3f8d1460ead18c359bb743d50fbbdb7
SHA256 20d702b233d0d47bbb9f05385ef35563d12b0dd464282283779d85c21b7475e1
SHA512 872a5cc844ae44de72772b4def56866d79e074e41b24bd2ffd1173bd8b7bc9e40717b163fac6d64900479faf0761c9995fd8fa390871fa83a0e56d589b543e10

C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

MD5 04588403a23993589c515bd7dbb15136
SHA1 e6b98023299f2b5cbb8b47f13b7dc5d48359ab4b
SHA256 74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222
SHA512 2eb00f9755b819beff56e0a396746cb2e5681db475c4abb664b5bd90c5022c988de1b42643eff0017a458616529c8039cd85a4e1702c0fe10f8e0af83e4d8897

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 813352d55c5ca80e16e8006670cbd1bd
SHA1 366ed6b980f2a5741b22377e0af921311cf823e4
SHA256 5784272af32a15ccb7f303862d28e5e8ea19ef2f481e06f590471889f0081681
SHA512 92763545323b6fc2662b27127e09b7ff084da98ca37a871a23db1982a3472c5d2cc5f385dc530ab8ce44679a1027b20137e699573febaf7a1afcb26c29888ae4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31f18e0b4cec8514f0f602666960e480
SHA1 66a60183b5a4f287d8f1ea57fe6371da78ecf1da
SHA256 237e569d4cbb6b3846d1676ac811e2035fbb5a85851a5c13c9f2a2fb023def40
SHA512 2dc82a141dde04d444a55f89d771a077eb072fba2bbaff55ebcc9bb1bdc7382c7380de60a31ecf30207ee35a65d0a9b946755557945f9fb51f1c5e1a7ca30f46

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\api[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-27 10:52
Reported 2024-02-27 10:53
Platform win10v2004-20240226-en
Max time kernel 44s
Max time network 56s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
(5 hits, all fields N/A: no description, indicator, process or target recorded)

Lumma Stealer

stealer lumma

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G: through \??\Z: (23 drive letters, each opened twice; 46 hits in total) C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1480 set thread context of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e575def.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5FD3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI62F1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI643A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI646A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6517.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e575def.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{77542BFB-1FC7-491E-A6B8-5761E85BD6BB} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI66FC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A (5 hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A (9 further hits)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A (9 further hits, alternating with the row above)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 4288 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe (3 hits)
PID 1488 wrote to memory of 1480 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe (3 hits)
PID 1480 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (9 hits)

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\updater.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5A102B469E218063C83186566DC04841

C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

"C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 noladuer.pw udp
US 8.8.8.8:53 bluepablo.fun udp
US 8.8.8.8:53 howlcars.fun udp
US 8.8.8.8:53 comperssw.fun udp
US 8.8.8.8:53 duhodown.fun udp
US 8.8.8.8:53 kowersize.fun udp
US 8.8.8.8:53 mouseoiet.fun udp
US 8.8.8.8:53 plengreg.fun udp
US 8.8.8.8:53 zamesblack.fun udp
US 172.67.198.200:80 zamesblack.fun tcp
US 172.67.198.200:80 zamesblack.fun tcp
US 172.67.198.200:443 zamesblack.fun tcp
US 8.8.8.8:53 200.198.67.172.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 2.19.169.32:80 x2.c.lencr.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

C:\Windows\Installer\MSI5FD3.tmp

MD5 89f70b588a48793450dd603b6cd4096f
SHA1 9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512 fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

C:\Config.Msi\e575df2.rbs

MD5 71392ec1a206ed3f36b7f7654b6be4d0
SHA1 8f2e809b91459897e259e43b64637ffbb570e07b
SHA256 d2daa99568df0b02fd9fd7f3a0a3dbc0af5a3fc713958e6ab003275de3196cdc
SHA512 cb07081e1a235be9ae6ca8c66eb1ce280b659b5dfb134e5b0218552bf7d4708f6ea886f4fedf79991dacc616f19eb1b2d7a877d94ec64e6f4785e6cea9e358c9

C:\Users\Admin\AppData\Local\Temp\ipconfig\CSVed.exe

MD5 04588403a23993589c515bd7dbb15136
SHA1 e6b98023299f2b5cbb8b47f13b7dc5d48359ab4b
SHA256 74639228e93237eb1a22310a5d042ce1ab39609c905607dd1536d7385ae5b222
SHA512 2eb00f9755b819beff56e0a396746cb2e5681db475c4abb664b5bd90c5022c988de1b42643eff0017a458616529c8039cd85a4e1702c0fe10f8e0af83e4d8897

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TMWGKKVJ\api[1]

MD5 fda44910deb1a460be4ac5d56d61d837
SHA1 f6d0c643351580307b2eaa6a7560e76965496bc7
SHA256 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9
SHA512 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1
