Overview

overview

10

Static

static

3

ff9c2ce33f...18.exe

windows7-x64

10

ff9c2ce33f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe

  • Size

    227KB

  • MD5

    ff9c2ce33fce1585aa1ff20145555761

  • SHA1

    0a69962fd393fb450a81b557af000bcc9d8b1e25

  • SHA256

    8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf

  • SHA512

    7572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a

  • SSDEEP

    6144:qoEdkmu85Dq+3qM3W7tfQN5/inEaMadDKNa1aILk71:gkmDN6M3atfQunka1KNaTgJ

Score
10/10
lummaevasionstealer

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 16 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Modifies security service 2 TTPs 22 IoCs
    evasion
  • Executes dropped EXE 10 IoCs
  • Drops file in System32 directory 32 IoCs
  • Runs .reg file with regedit 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\acx.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\regedit.exe
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        3⤵
        • Modifies security service
        • Runs .reg file with regedit
        PID:4488
    • C:\Windows\SysWOW64\cPaner.com
      C:\Windows\system32\cPaner.com 1048 "C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\acx.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:5108
      • C:\Windows\SysWOW64\cPaner.com
        C:\Windows\system32\cPaner.com 1208 "C:\Windows\SysWOW64\cPaner.com"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\acx.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:2456
        • C:\Windows\SysWOW64\cPaner.com
          C:\Windows\system32\cPaner.com 1180 "C:\Windows\SysWOW64\cPaner.com"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4112
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\acx.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1064
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:3828
          • C:\Windows\SysWOW64\cPaner.com
            C:\Windows\system32\cPaner.com 1184 "C:\Windows\SysWOW64\cPaner.com"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:60
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\acx.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4204
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:4516
            • C:\Windows\SysWOW64\cPaner.com
              C:\Windows\system32\cPaner.com 1188 "C:\Windows\SysWOW64\cPaner.com"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\acx.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2896
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:4532
              • C:\Windows\SysWOW64\cPaner.com
                C:\Windows\system32\cPaner.com 1196 "C:\Windows\SysWOW64\cPaner.com"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:4748
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\acx.bat
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3052
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:4784
                • C:\Windows\SysWOW64\cPaner.com
                  C:\Windows\system32\cPaner.com 1200 "C:\Windows\SysWOW64\cPaner.com"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:4460
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\acx.bat
                    9⤵
                      PID:4244
                      • C:\Windows\SysWOW64\regedit.exe
                        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                        10⤵
                        • Modifies security service
                        • Runs .reg file with regedit
                        PID:2944
                    • C:\Windows\SysWOW64\cPaner.com
                      C:\Windows\system32\cPaner.com 1204 "C:\Windows\SysWOW64\cPaner.com"
                      9⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      PID:2156
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c c:\acx.bat
                        10⤵
                          PID:3264
                          • C:\Windows\SysWOW64\regedit.exe
                            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                            11⤵
                            • Modifies security service
                            • Runs .reg file with regedit
                            PID:4092
                        • C:\Windows\SysWOW64\cPaner.com
                          C:\Windows\system32\cPaner.com 1192 "C:\Windows\SysWOW64\cPaner.com"
                          10⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:3860
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c c:\acx.bat
                            11⤵
                              PID:3968
                              • C:\Windows\SysWOW64\regedit.exe
                                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                12⤵
                                • Modifies security service
                                • Runs .reg file with regedit
                                PID:488
                            • C:\Windows\SysWOW64\cPaner.com
                              C:\Windows\system32\cPaner.com 1212 "C:\Windows\SysWOW64\cPaner.com"
                              11⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              PID:1652
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c c:\acx.bat
                                12⤵
                                  PID:2232
                                  • C:\Windows\SysWOW64\regedit.exe
                                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                    13⤵
                                    • Modifies security service
                                    • Runs .reg file with regedit
                                    PID:1064

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1.reg
            Filesize

            1KB

            MD5

            895301bce84d6fe707b5cfd50f1f9f97

            SHA1

            50a012f59655621768f624c4571654145663c042

            SHA256

            b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

            SHA512

            a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1.reg
            Filesize

            2KB

            MD5

            fa83299c5a0d8714939977af6bdafa92

            SHA1

            46a4abab9b803a7361ab89d0ca000a367550e23c

            SHA256

            f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

            SHA512

            85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1.reg
            Filesize

            3KB

            MD5

            9e5db93bd3302c217b15561d8f1e299d

            SHA1

            95a5579b336d16213909beda75589fd0a2091f30

            SHA256

            f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

            SHA512

            b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

            Download Submit

          • C:\Windows\SysWOW64\cPaner.com
            Filesize

            227KB

            MD5

            ff9c2ce33fce1585aa1ff20145555761

            SHA1

            0a69962fd393fb450a81b557af000bcc9d8b1e25

            SHA256

            8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf

            SHA512

            7572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a

            Download Submit

          • \??\c:\acx.bat
            Filesize

            5KB

            MD5

            0019a0451cc6b9659762c3e274bc04fb

            SHA1

            5259e256cc0908f2846e532161b989f1295f479b

            SHA256

            ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

            SHA512

            314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

            Download Submit

          • memory/60-871-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/60-737-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/924-1012-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/924-877-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/1652-1545-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2156-1411-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2156-1285-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2180-149-0x0000000002630000-0x0000000002631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-160-0x00000000031B0000-0x00000000031B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-118-0x00000000022D0000-0x00000000022D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-34-0x00000000022F0000-0x00000000022F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-120-0x0000000002330000-0x0000000002331000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-121-0x0000000002470000-0x0000000002471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-122-0x0000000002460000-0x0000000002461000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-123-0x0000000002490000-0x0000000002491000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-124-0x0000000002480000-0x0000000002481000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-125-0x00000000024B0000-0x00000000024B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-128-0x00000000024D0000-0x00000000024D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-126-0x00000000024A0000-0x00000000024A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-129-0x00000000024C0000-0x00000000024C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-131-0x00000000024E0000-0x00000000024E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-132-0x0000000002510000-0x0000000002511000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-130-0x00000000024F0000-0x00000000024F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-133-0x0000000002500000-0x0000000002501000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-134-0x0000000002540000-0x0000000002541000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-135-0x0000000002530000-0x0000000002531000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-136-0x0000000002560000-0x0000000002561000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-137-0x0000000002550000-0x0000000002551000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-139-0x0000000002570000-0x0000000002571000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-138-0x0000000002580000-0x0000000002581000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-140-0x00000000025A0000-0x00000000025A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-141-0x0000000002590000-0x0000000002591000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-142-0x00000000025B0000-0x00000000025B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-143-0x00000000025E0000-0x00000000025E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-144-0x00000000025D0000-0x00000000025D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-145-0x0000000002600000-0x0000000002601000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-146-0x00000000025F0000-0x00000000025F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-100-0x0000000002320000-0x0000000002321000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-148-0x0000000002640000-0x0000000002641000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-150-0x00000000025C0000-0x00000000025C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-151-0x0000000002620000-0x0000000002621000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-147-0x0000000002610000-0x0000000002611000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-157-0x0000000003190000-0x0000000003191000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-159-0x0000000003180000-0x0000000003181000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-119-0x00000000022E0000-0x00000000022E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-161-0x00000000031A0000-0x00000000031A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-163-0x00000000031D0000-0x00000000031D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-164-0x00000000031C0000-0x00000000031C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-166-0x00000000031F0000-0x00000000031F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-168-0x0000000003220000-0x0000000003221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-194-0x0000000003210000-0x0000000003211000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-278-0x0000000003230000-0x0000000003231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-195-0x0000000003240000-0x0000000003241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-167-0x00000000031E0000-0x00000000031E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-280-0x0000000003260000-0x0000000003261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-281-0x0000000003250000-0x0000000003251000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-282-0x0000000003280000-0x0000000003281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-283-0x0000000003270000-0x0000000003271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-284-0x00000000032A0000-0x00000000032A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-285-0x0000000003290000-0x0000000003291000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-286-0x00000000032C0000-0x00000000032C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-287-0x00000000032B0000-0x00000000032B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-288-0x00000000032E0000-0x00000000032E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-289-0x00000000032D0000-0x00000000032D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-296-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2180-0-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2180-1-0x0000000000940000-0x0000000000984000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2180-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-9-0x0000000002310000-0x0000000002314000-memory.dmp

            Filesize

            16KB

            Download

          • memory/2180-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2180-5-0x0000000000600000-0x0000000000601000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3300-590-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/3580-439-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/3580-318-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/3860-1414-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/4112-597-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/4460-1152-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/4748-1018-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/4748-1147-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download