Overview

overview

10

Static

static

3

TempSpoofer.exe

windows7-x64

10

TempSpoofer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 13:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TempSpoofer.exe

  • Size

    625KB

  • MD5

    e6b6c975e5b591288cc32e5459e823d8

  • SHA1

    d234a345f28aa66adf2357b9a3253b12b204ed46

  • SHA256

    7aef3228929bccd0715778c0eae7948f2fa233c5720d3b941e9dac152043a9ff

  • SHA512

    203f4efb422c5fd6dbe5e4cb00cbee5e13920699d638fafc0d77b9d8be20b10213d3dc55d1c074e74c1f1b7d5089df7cf07ea4feb23e971d531e0d9563626f11

  • SSDEEP

    12288:PFUNDakMcWUUysz/NhKjJPhM4/5bV/rvgE3:PFOakMcUDz/NEjlzxbVDvb

Score
10/10
lummaevasionpersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://affordcharmcropwo.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\TempSpoofer.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3160
    • \??\c:\users\admin\appdata\local\temp\tempspoofer.exe 
      c:\users\admin\appdata\local\temp\tempspoofer.exe 
      2⤵
      • Executes dropped EXE
      PID:908
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1572
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4580
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1892
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2500
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tempspoofer.exe 
    Filesize

    490KB

    MD5

    9c9245810bad661af3d6efec543d34fd

    SHA1

    93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

    SHA256

    f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

    SHA512

    90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

    Download Submit
  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    0b7ed43335e441dbaf1a66a6002a20fc

    SHA1

    6694e8a19f55b34fcfb85f6e04a37c640c8f9e7e

    SHA256

    25ddd68e2e687be4fb1009f68db2c60efa1b8a93aeea4535d654630bc8de8452

    SHA512

    0fc7312cd8f6ef9e39320f056f1b98f4d011a1232a202aae56a6ad4c174f12eed39bea3911921fbd83323ff6a6cb7353e19b89e9edf0dc1a69de09a0eb860646

    Download Submit
  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    30cee1272f031af1f0ac832416173483

    SHA1

    a984dc6d301ac807068ec4e2684ad2002ccbe598

    SHA256

    788f85e902cd9b98cfd35c5ad5782ffd26499ab3f69fce6783a5ee902c17baad

    SHA512

    18812a5c75f7b871720c595f9af610f3a26ba5df6238320d06d9a09ae94a03c895c4811a35fb09d9f1dabbb7341f372c9d94a475c016e99c6422add50cc6bfdd

    Download Submit
  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    94490835947d9cc54a19aedc716104be

    SHA1

    44e4025fa8e342ea5e5f5036006c4d9b40a1acb6

    SHA256

    41cb93eb0a6ef2e0076e58a0fde8530a7d2e275a0c94f7d1cca3d5a608053660

    SHA512

    c877241f2910092bf12dfd9db2235782c226b37c7ca0a8156e8918809f375bd77420e754edb5be9182a4201dc5887af2dfbf3459ee73aa0102e4337fdb472244

    Download Submit
  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    8d159525db913ec59928561eea085db4

    SHA1

    db2ad84603b17353d47f9121dca11c97cb495cb8

    SHA256

    6bce5a74190ef70058010a2995164629a989357a794d12aa48bbddd54553de8a

    SHA512

    5dc37dc88a2fb9dcea4ab5f2b5301fdbca7b1b2557e67c42ee1339503b65d8dbf2caa6bfc01523e7663ef5537eff8a266ba8351723cb74b95e4879a82f56c3fe

    Download Submit
  • memory/908-26-0x0000000000F70000-0x0000000000F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-27-0x0000000000F70000-0x0000000000F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-30-0x0000000000F70000-0x0000000000F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-31-0x0000000000F70000-0x0000000000F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-15-0x0000000000E20000-0x0000000000E6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/908-57-0x0000000000E20000-0x0000000000E6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1400-54-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1572-56-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1892-55-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/3160-25-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/3160-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/4580-29-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download