Overview

overview

10

Static

static

3

Temp-Spoof...in.zip

windows10-2004-x64

10

Temp-Spoof...es.hpp

windows10-2004-x64

3

Temp-Spoof...re.cpp

windows10-2004-x64

3

Temp-Spoof...re.hpp

windows10-2004-x64

3

Temp-Spoof...pi.hpp

windows10-2004-x64

3

Temp-Spoof...ICENSE

windows10-2004-x64

1

Temp-Spoof...er.exe

windows10-2004-x64

10

Temp-Spoof...DME.md

windows10-2004-x64

3

Temp-Spoof...ok.cpp

windows10-2004-x64

3

Temp-Spoof...ok.hpp

windows10-2004-x64

3

Temp-Spoof...nfig.h

windows10-2004-x64

3

Temp-Spoof...ui.cpp

windows10-2004-x64

3

Temp-Spoof...mgui.h

windows10-2004-x64

3

Temp-Spoof...mo.cpp

windows10-2004-x64

3

Temp-Spoof...aw.cpp

windows10-2004-x64

3

Temp-Spoof...11.cpp

windows10-2004-x64

3

Temp-Spoof...dx11.h

windows10-2004-x64

3

Temp-Spoof...32.cpp

windows10-2004-x64

3

Temp-Spoof...in32.h

windows10-2004-x64

3

Temp-Spoof...rnal.h

windows10-2004-x64

3

Temp-Spoof...es.cpp

windows10-2004-x64

3

Temp-Spoof...ts.vbs

windows10-2004-x64

1

Temp-Spoof...pack.h

windows10-2004-x64

3

Temp-Spoof...edit.h

windows10-2004-x64

3

Temp-Spoof...type.h

windows10-2004-x64

3

Temp-Spoof...ne.lib

windows10-2004-x64

3

Temp-Spoof...ok.def

windows10-2004-x64

3

Temp-Spoof...Hook.h

windows10-2004-x64

3

Temp-Spoof...AR.rar

windows10-2004-x64

7

Temp-Spoof...ffer.c

windows10-2004-x64

3

Temp-Spoof...ffer.h

windows10-2004-x64

3

Temp-Spoof...de32.c

windows10-2004-x64

3

Analysis

  • max time kernel
    128s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/02/2024, 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Temp-Spoofer-Lifetime-main.zip

  • Size

    1.5MB

  • MD5

    ee2407cadf7d970e8f828cd0b2a154a5

  • SHA1

    1991a745497dcfb99182e9acd11ab97442bcb150

  • SHA256

    b20b682bccf264fb5cafa0f9379f597e5786aecdd17a7064f5ed4f4cd7a10924

  • SHA512

    e8216793506b316835b9cf4d261c8b0ae55a216408d255360fa2909e849eefe2d700f2c5a4f281b514b2d8f353708490881d4799d8887c3093e4096bd0c672e9

  • SSDEEP

    24576:uwMt0Z7HgShMicpLyxvdGZH+irESwGxiXflVyROqpE2I0gxiO521UcgazBGIx:Yyd1MicYvEZHrrXxmfEjB22LFx

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://secretionsuitcasenioise.shop/api

https://modestessayevenmilwek.shop/api

https://triangleseasonbenchwj.shop/api

https://culturesketchfinanciall.shop/api

https://sofahuntingslidedine.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Executes dropped EXE 1 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Temp-Spoofer-Lifetime-main.zip
    1⤵
      PID:4540
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • NTFS ADS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.719776991\132547270" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d7a085-5c08-4c97-80ab-2fd0a81a88f8} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1980 23e3b206e58 gpu
          3⤵
            PID:3328
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.273565274\173681899" -parentBuildID 20221007134813 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c57b88c-649e-4d4a-8eb4-49b6388246e3} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2380 23e2d772b58 socket
            3⤵
              PID:876
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.1235562524\1935815695" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 2904 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {657d990d-ea53-49c4-860d-ff721ae49a4d} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2908 23e3e2c9758 tab
              3⤵
                PID:1812
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.1546501324\177722071" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e4ca3b-953e-462e-b275-29be7c43e17c} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3600 23e3cc0af58 tab
                3⤵
                  PID:3916
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.2047904596\653258812" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4164 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be0e585c-b1ac-4729-ab62-e48b1cd3142a} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4112 23e3fe6f258 tab
                  3⤵
                    PID:3692
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.1061270409\491076182" -childID 6 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e0a6314-9687-4a1d-95b5-eff482c86a6e} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5392 23e403e4258 tab
                    3⤵
                      PID:2116
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.1592161244\612159041" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bc25fde-757b-41ed-a40e-34e43a7068c4} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5184 23e403e2a58 tab
                      3⤵
                        PID:456
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.1926952785\1364104692" -childID 4 -isForBrowser -prefsHandle 5100 -prefMapHandle 5088 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10622b22-7ee8-46be-8fa0-c26c2119f394} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5076 23e3e4c8d58 tab
                        3⤵
                          PID:264
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.2105353471\1135060008" -childID 7 -isForBrowser -prefsHandle 5776 -prefMapHandle 3336 -prefsLen 26550 -prefMapSize 233444 -jsInitHandle 1408 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31a827e2-d8bb-4af5-b929-4909346d8d42} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1644 23e3a485958 tab
                          3⤵
                            PID:5204
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:5140
                        • C:\Program Files\7-Zip\7zG.exe
                          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main\" -spe -an -ai#7zMap6254:114:7zEvent9279
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:5240
                        • C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main\Loader.exe
                          "C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main\Loader.exe"
                          1⤵
                          • Executes dropped EXE
                          PID:5664
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1116
                            2⤵
                            • Program crash
                            PID:5952
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 1144
                            2⤵
                            • Program crash
                            PID:5964
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5664 -ip 5664
                          1⤵
                            PID:5896
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5664 -ip 5664
                            1⤵
                              PID:5884

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\doomed\7659
                              Filesize

                              46KB

                              MD5

                              4978cde349f6b0e9e872102124f0d619

                              SHA1

                              0a02321de5575aa1cf7fe2bbf009a23922e9278e

                              SHA256

                              829af9bd87135babd36affc3ed3069ad71532487a37d462ce44bf0d7a748e1ee

                              SHA512

                              f5b03320db3e192bfa4632a59e482b8ca5b62755acf173dffaef96e4c3d0be04032583b0e94380b9626d88e1dfc0491b294177e5d6283d471ff5e9a7de9bd1a7

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin
                              Filesize

                              2KB

                              MD5

                              d4ecd413b2d11899d17400976699f7e4

                              SHA1

                              d567397ec6bd4fceb531ee182c8e5a01dbc32ad3

                              SHA256

                              97d44d5165916674dd9b9a681a830fe48f14facbf720a30cb8f9c84191ee7f61

                              SHA512

                              d09737f19611e9160a1cf6d0b768da9a7db6fcb88aad2326e928e0b7f40641e52e722d01964851c317a8d4d70f6a31c17fec0ad406d5fd5bd4342cc764631bbc

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\4dd6a375-cf2e-4d19-8bea-7421aaadd280
                              Filesize

                              746B

                              MD5

                              6c1cac06f6b0ab80a5f8d8696f46cd88

                              SHA1

                              6ff52d45ef9e1daa2febb9a783d4c0d2168eb12e

                              SHA256

                              79db1ce4c0b73dfb30c8eb1af281b95dca401538232f1fb5d1569a3b1d50d721

                              SHA512

                              b2c5fcc7dc3995bee6d26e95387d9fb426ec57c059e1e72923025f5ab0bdbd50fe7e6caac67875e8bcafeb9bfe44164c6be2e0564e135cbab87f6064c30b9723

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\d42d3deb-3133-4fd3-9025-d84fbd7783f2
                              Filesize

                              9KB

                              MD5

                              068b97c05a41732bcf2968a66f4ff169

                              SHA1

                              fd0e938b3dafb1dabf621c52ebc980e1fd2a7ecf

                              SHA256

                              4ffdca65e0ae1614284f9e3232c7342cab257eeebfe918c1395c4262b2cefbe8

                              SHA512

                              8533ba538e0ebf8b83a981cbbec44e4e8071bfc8279215ba33e737ddce07f8eeeb58d9e3b2aac5b19da2dac1b22213b84a2047d1ca3a4b01c35ada6ac086b895

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              f90aee1e120c661af78c6a53dc1d3cbc

                              SHA1

                              7f61a61a0b7bbd133ed5a1e18866d24d1f854673

                              SHA256

                              8569526c9cee5402e829fb8a082382a6f933df777c26a26d53a116e713e2a2c5

                              SHA512

                              7a7bf3af26fb86d59ba46612b994e8d99d2fca8639a30667d2fa3eae3c1a98fd0b9180845c5e2694735b7a46221d715bda71666536c9e61d53a8889cf39c5909

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              e916e768e1a38335cfca437b4136dd26

                              SHA1

                              79bfa32f6a6a247baa78ddb0ff86f0ba32bc370e

                              SHA256

                              367a89d9607be08a1d2e92f24ca58197da1f058b326ae5f7a7c9b55540eaa5db

                              SHA512

                              7042a7146ae49c6d0b523a661be8628b1e9c967f73139204f5bc4debd6fde0dc2b5334eb6d792575ae44cf169196b644da698fdffc952f3b35a3eaf1fc20f121

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js
                              Filesize

                              6KB

                              MD5

                              f34458f2234592c39c9bb0d198152217

                              SHA1

                              dd08ae496a932c6952e90a3a98591b448987a94b

                              SHA256

                              fb8090af12f741d202755ee8def095f4136b1876bdb18d8a003bf2b02360597a

                              SHA512

                              9cac95abc141f99b4aa59de3f3a8be3ac0ef4225f3cd2bdefc0653f556af3733caf8aecf59b9437afd55f9103bdc3d9d656680ce7763118a14aedb5db510f024

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              2KB

                              MD5

                              799a2805f09ae1fb28a03df76abea016

                              SHA1

                              04f0284ecf0344da3bfa0fed99e25089058db6ad

                              SHA256

                              3803ed927b4c78b726f7e17de5fc99d0439f1e7bd03b173376fe0bbdb6b54353

                              SHA512

                              8bd24105004e3f166afe95538232e2748abe01545f6dc76312e847da0c626bfffdf56b3eba21b864a471e1f92a5964c6a53cce4e119bbe72046cb2e9b3727a32

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              6KB

                              MD5

                              5b0a9a18cd1c969d126f350a7cfd6bc3

                              SHA1

                              4784438f9a90e353f0316e58e13b00bab32154b4

                              SHA256

                              bce0cac8900f8bb0b525cd9300f1f438acbf2f9a7b43325b678df876ed30fba8

                              SHA512

                              96d35718f7a95be4b7599a4e625778fdb30f403818cedcf1b89601a01e74a9e1ae81b8bb4930d75bf9f6a4f1b67d203ffd8cfe5f78b17c4f46d42fffc4cdb864

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              3999cf6763332e33f4f2f9e30f405368

                              SHA1

                              bb4ce935f7993cec24d7b77a4bbd9d1b33a625af

                              SHA256

                              2a5fa37bb604d554f0b9bc47d0f8388e0b42a2f8959ff4f03dff7002d4fb0fb0

                              SHA512

                              f3436d54e5c1a02ad6728ecf02008d291a7ae386b157236194ca08e18dbebc23ca16779d66e7fffbe2f570b909992785976908af3df0c2a9a76ebe0235cd7ef6

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              3KB

                              MD5

                              72eaeab0efc445efb951d3dba7f7da33

                              SHA1

                              3f7a9b00d0c218d76122090abadcb92003325dbd

                              SHA256

                              c5f2bfc6dc93b4f83876379d17c56c4eb5a58307bc173cca312535f8276b0dcc

                              SHA512

                              4c445b959914be7985fdbf1e5ec651d83fa54940f39050a17a13e808d62aebc43bf503936f2908acc843db201ebc89f2032e9ccd4e47064f7fad0f5dfda8c602

                              Download Submit

                            • C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main.agEw2Yu6.zip.part
                              Filesize

                              128KB

                              MD5

                              d18c705e5aa9f1a143b5bf47a5a0a409

                              SHA1

                              3949c20083e3ea6904920c9db8f27794d25ab761

                              SHA256

                              2edd57b0ca652ec54e9b9e5c85a88ca71387d5e0f66eab2de20f576477919015

                              SHA512

                              87be582aec715859af94a5301b3af0fe46fc2b2ebc64e124c4fc118dcf91e478443b2499becd7ab237f1c28fddc051ff1d86dc5c24aa8cc8a904dc594be9ff60

                              Download Submit

                            • C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main.zip
                              Filesize

                              1.5MB

                              MD5

                              ee2407cadf7d970e8f828cd0b2a154a5

                              SHA1

                              1991a745497dcfb99182e9acd11ab97442bcb150

                              SHA256

                              b20b682bccf264fb5cafa0f9379f597e5786aecdd17a7064f5ed4f4cd7a10924

                              SHA512

                              e8216793506b316835b9cf4d261c8b0ae55a216408d255360fa2909e849eefe2d700f2c5a4f281b514b2d8f353708490881d4799d8887c3093e4096bd0c672e9

                              Download Submit

                            • C:\Users\Admin\Downloads\Temp-Spoofer-Lifetime-main\Loader.exe
                              Filesize

                              690KB

                              MD5

                              9ed99bd8432a2265d1f5fb611213168b

                              SHA1

                              e215f6bfcbc91ed8828ef54cb6840eae1dc72cd0

                              SHA256

                              dde02744526968833651a9f70be666ceec221599b03272c9c5fc5d729667dd72

                              SHA512

                              f75b9ad6823ae8c4e4f5c84202893ba60c9256853d8b3924d47d59a1668e979e485a920b43414b470c5e5fd02975ff81edea3c9a2ed3a16140c13170224f2f28

                              Download Submit

                            • memory/5664-478-0x0000000000D50000-0x0000000000DE7000-memory.dmp

                              Filesize

                              604KB

                              Download

                            • memory/5664-483-0x0000000002C90000-0x0000000002C91000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5664-484-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5664-486-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/5664-485-0x0000000002AE0000-0x0000000002B91000-memory.dmp

                              Filesize

                              708KB

                              Download

                            • memory/5664-498-0x0000000000D50000-0x0000000000DE7000-memory.dmp

                              Filesize

                              604KB

                              Download