Analysis
-
max time kernel
164s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
23-04-2024 16:08
General
-
Target
ROBLOX Cheat.zip
-
Size
20.1MB
-
MD5
b6035f26bb9ea76b1c153ad12026bbd6
-
SHA1
6b9359a5aae801bc41b4959729973536fb119d68
-
SHA256
b3a6bb95750448d5d4b00db7e9b6657f2d07e1839dc9a8d519cb6faf744e4daa
-
SHA512
df2e21a0b37eb6aa65847fe0c6c5e5e858ea3b0a809da0d8e7b9680bdeeb619471637f3ece20923f2056a8f6e9f91018dd2df283ed517f4c6ea79c24b293d4b6
-
SSDEEP
393216:COCMj1RUE3bUXOb5xklPBCNyYzE9t8svlUhnwXG3+iho0r4nMrJzY:COL7rUSbGY89WPh6tK4neJE
Malware Config
Extracted
lumma
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\ROBLOX Cheat.zip"1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.0.744515698\1564613884" -parentBuildID 20230214051806 -prefsHandle 1744 -prefMapHandle 1736 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1f3152f-95a8-44dd-b021-2d988802d5fa} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 1836 24101107458 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.1.420556874\1223304600" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f9f7a3a-c67f-4d8d-ac99-10f433658eb9} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 2404 24101583c58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.2.1397879515\1449993232" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2916 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe08da6-65d9-4876-b39f-3dd37e808f1d} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 3176 2417fb91b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.3.2082285198\276827777" -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3948 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e9bbc26-fd5c-4af1-839b-91064b710226} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 3972 24105ca7e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.4.2004447395\1119866037" -childID 3 -isForBrowser -prefsHandle 5008 -prefMapHandle 4176 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2352448e-a70b-410d-b94e-655e77b2cc69} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5000 24108839658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.5.237987200\1266364916" -childID 4 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {585a2525-af66-46b0-b280-c642787c99c2} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5232 2410883ae58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.6.1051455450\890823569" -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67a15c7b-693c-401b-876c-e4c71e990991} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 5424 24108838458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4288.7.1857752171\1272088146" -childID 6 -isForBrowser -prefsHandle 5812 -prefMapHandle 4976 -prefsLen 27962 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf3d2a24-d4cf-4c73-9c89-be920954c6de} 4288 "\\.\pipe\gecko-crash-server-pipe.4288" 2568 24100357e58 tab3⤵
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ROBLOX Cheat\" -spe -an -ai#7zMap16848:86:7zEvent99811⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 3562⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3784 -ip 37841⤵
-
C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 3522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3824 -ip 38241⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"C:\Users\Admin\Downloads\ROBLOX Cheat\SoftWare.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 3442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5888 -ip 58881⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26KB
MD5313db0433c764597f6534f5ddefcbd3e
SHA17abacc5962775e3613e3cb161f8afa84cee1a944
SHA2560552401a531cfa776b295182b9918f01bf6e94c56240934224eac04aac58bccc
SHA512afbac2be8ed320c5bd6829c686e2a0cf646bc2cc0d1234d291a7b76e0583ed902ca50e8a675a07b9260f162dc934b303eb6dec49f135a0dced016014920cbd2f
-
Filesize
11KB
MD5c5c28ac1d769be9a237e2afe2eb8ebab
SHA10065dba513f6327c302a4e93669a7294df18b1ee
SHA25654a87f1d1f50d826cd3bd41008d5fb6ec132bb1013928ddd1ba64288e2070651
SHA512f2d45a2835c46e9a260d60a689279ac0829d6efab6f2f124ea396356be14a611a7b80f049c4ed4a91bcf7418ad82596845882aaee230f8cf74ce126af42f62a7
-
Filesize
43KB
MD5b06554223548bbd07533e12557b8d060
SHA1db099713963a2a38977d7651902be24000092b7f
SHA256aa0a2d1b92461db0c1c329efd85e81634df89b3e68abe9275435dbc55735efe9
SHA51282daa903bd8da191a364635759b6bb8f69e3cc0adb066df1d71d7e81dd4ac2ac429cddec6ec847610e7bf9b428d645908f235412a5286a68cf4d61d08f140273
-
Filesize
7KB
MD5368bac2997d4d721567a0b01de2a60ac
SHA1f13937e51f342bf87c762015808267be339d0134
SHA256adc118576931bef8fd75ba4c720cd25ef38ba0e80531efeca77938b82e3afbc4
SHA512400c5d728b0b8371af2ace9de0c6c9ac6876ba4e64574486a09a6fbc5a7a8791caae9c7aeb60e5b1d931d316e2f74781efffe7a011d72ea992918d56e1ec0942
-
Filesize
1KB
MD520ae7d82ec2161b8ace66108880f4a5e
SHA1f998641ebdb72ceff05d4bf7e4626ffb3cec559d
SHA256d16bdb4fad8730782523bb5ea253f89b6ac9b57f0a045724b8b3dee5588d3c4d
SHA5120588edf20a606bf529ef3f0592b9a43c7495d99802fb29e096739a68ae22497e9648cee855e7b7e8c4a6aa2ceaefe1cbd98d85c3677b4a6851ecbc3f34e9cd10
-
Filesize
7KB
MD56b6ccb84f1cc655ad55ce3a16366f28f
SHA1771692abfc968d148e9ef48252eb9fa7adedc35e
SHA256bc4f35e95d5eb33dfe72b9bfb6defacd22c07078217017a8e78af3d27b1c9a42
SHA512722baccb0ecc54a5d3bab5cf8d1efcfc2351e6ce1b7725135c43dc4aa46fe06c46cb289359c7ddf0671780f9ccb5686c4b17872b04b210595aabc9e88aaf3e5f
-
Filesize
3KB
MD5f956fffe96056976331ead6c05036263
SHA11b84963e20cc92083c4e48cdaa755c1d3569a955
SHA256f54d6c6dd97d30e4b1a94070f5c58dcc3065ad6cf9dfb1f8fd812ec8c0e63a2a
SHA5126daf0f73c31636064d7b3915ed4bc7c1456c9921538dc1c6f88aa39eb96fd95bcb492dab7422f08923750897a715b39b0c4324410e28b6fa4aa2e771b7f69b1a
-
Filesize
7KB
MD5f1268f1f3206d75062c59f4038dad949
SHA1fee7032c3957d1b5835f56e59054dbf2d4ceb3e2
SHA25646fccbd1280256bbb64ef4f6c3968f3034c6bce07316eddcaeede55cd393d85c
SHA5120339c30deaa44f54b75d72b2c4d243397e1ec9f09875a41ff6f009e1a7474e355bbbe0fe101b1eca17b9f90341ffe4596550e386ed1406b2622da63767fefa1e
-
Filesize
16KB
MD59f707a96f844d18b64b514c42b3a6201
SHA19aaef38295f410a64e50fa100e68e58a80ddbc84
SHA256e0490164fbb1c1db525c0acde5d4b28fb87e6718799ee4a46ad57f8ca326f05d
SHA512cad9f9334d40a7ee851bc0ac483d63a5d4e51afb13f7dce05e742ed1810d7673a6a5eea5d48d6429bf3aa5cf5f3b3d235475c618d385ebbd8d1c6dd884178ab9
-
Filesize
20.1MB
MD5b6035f26bb9ea76b1c153ad12026bbd6
SHA16b9359a5aae801bc41b4959729973536fb119d68
SHA256b3a6bb95750448d5d4b00db7e9b6657f2d07e1839dc9a8d519cb6faf744e4daa
SHA512df2e21a0b37eb6aa65847fe0c6c5e5e858ea3b0a809da0d8e7b9680bdeeb619471637f3ece20923f2056a8f6e9f91018dd2df283ed517f4c6ea79c24b293d4b6
-
Filesize
464KB
MD57fe41a31c3ae4af5ec8c0d857e396c44
SHA13c6e7380d9a2afc979a055db282ea84e6a81ee40
SHA2562ccd81a16bfa99f25dec0feb035e626eb9e690dd72c604904ad8bb69f1b33bbc
SHA512704854e2c199eea8d1ead61ee1807bfd22050c25904bb56b316fba090033333fb3e2ccc579341d7c67d684e52b71a449a526516b4d5dc4ac8345186fa1a6757e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
316KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
316KB
-
Filesize
468KB
-
Filesize
316KB