Analysis

  • max time kernel
    138s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 18:07

General

  • Target

    11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb.exe

  • Size

    6.1MB

  • MD5

    d4f738f4e3787ef0b31891e446919aa8

  • SHA1

    fa22c2fe4da02adbb51c35402c8dc21ab4157c43

  • SHA256

    11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb

  • SHA512

    19d3a88cc2367669d6df8d5e7f4f310e482699c365a72cc7d2ee384972e6a2441a4adfc2c348780658c2e88a3e6f8ad82ecae1b4637d8f7cabb447266e16d3c7

  • SSDEEP

    196608:a7m6/UXOd2L2Y4QE2i7fQzrVmbLm5g53D9I:eAOIL2Yfi7fymHmK5z9I

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://greetclassifytalk.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api
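
The nine C2 URLs above are the most immediately actionable part of this report. The Python below is an added example (not part of the Triage report and not Lumma's or the sandbox's code) that loads them as host IOCs and runs them over proxy-log lines. The log format ("timestamp client method url status"), the lines in SAMPLE_LOG and the two client addresses are constructed for the example; the secondary "POST to /api on a .shop host" rule is an assumption generalised from the pattern every URL in this list shares, not a documented Lumma signature, so it is reported separately from exact hits.

```python
# Added example, not part of the Triage report: match the Lumma C2 hosts listed
# above against proxy-log lines. The log format ("ts client method url status")
# and the lines in SAMPLE_LOG are constructed for this example.
from urllib.parse import urlsplit

LUMMA_C2_URLS = [
    "https://greetclassifytalk.shop/api",
    "https://acceptabledcooeprs.shop/api",
    "https://obsceneclassyjuwks.shop/api",
    "https://zippyfinickysofwps.shop/api",
    "https://miniaturefinerninewjs.shop/api",
    "https://plaintediousidowsko.shop/api",
    "https://sweetsquarediaslw.shop/api",
    "https://holicisticscrarws.shop/api",
    "https://boredimperissvieos.shop/api",
]

# Match on the host only: any path on a listed domain is a hit.
C2_HOSTS = {urlsplit(u).hostname.lower() for u in LUMMA_C2_URLS}


def parse_proxy_line(line):
    """Parse one constructed proxy line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    parsed = urlsplit(url)
    if not parsed.hostname:
        return None
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": parsed.hostname.lower(),
        "path": parsed.path,
        "status": status,
    }


def classify(rec):
    """'c2' for an exact hit on a listed host; 'heuristic' for a POST to /api on
    any other .shop host (an assumption generalising the pattern every URL above
    shares, not a confirmed Lumma signature); None otherwise."""
    if rec["host"] in C2_HOSTS:
        return "c2"
    if rec["method"] == "POST" and rec["path"] == "/api" and rec["host"].endswith(".shop"):
        return "heuristic"
    return None


def scan(lines):
    """Return (client, host, verdict) for every line that parses and matches."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            hits.append((rec["client"], rec["host"], verdict))
    return hits


# Constructed log lines; the internal client addresses are invented.
SAMPLE_LOG = [
    "2024-05-09T18:08:01Z 10.0.0.12 POST https://greetclassifytalk.shop/api 200",
    "2024-05-09T18:08:02Z 10.0.0.12 GET https://www.microsoft.com/ 200",
    "2024-05-09T18:08:05Z 10.0.0.12 POST https://acceptabledcooeprs.shop/api 200",
    "2024-05-09T18:09:10Z 10.0.0.40 POST https://example.shop/api 404",
    "2024-05-09T18:09:11Z 10.0.0.40 GET https://plaintediousidowsko.shop/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {verdict}")
```

Matching on the host rather than the full URL is deliberate: the sample may contact any path on a listed domain, and a rule keyed on the literal `/api` string would miss it. Heuristic hits should be triaged, not blocked, since a `.shop` domain serving `/api` is not by itself proof of Lumma.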

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb.exe
    "C:\Users\Admin\AppData\Local\Temp\11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3676
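
The process tree above shows a two-stage self-extracting-archive chain: the submitted sample unpacks to `%TEMP%\RarSFX0\` and runs `1.bat` through `cmd.exe`, the batch file starts `work.exe`, and `work.exe` is itself an SFX that unpacks `pgsthse.exe` into `%TEMP%\RarSFX1\`. The Python below is an added example (not code from the Triage report or the sandbox) that rebuilds that tree from the PIDs and command lines on the page and flags any lineage crossing two or more `RarSFX<N>` staging directories. The event dicts are transcribed from this report; their field names and the `ppid` value `None` (the report does not show the parent of the top-level processes) are conventions of this example.

```python
# Added example, not code from the Triage report or the sandbox: rebuild the
# process tree shown above and flag the nested SFX drop chain. Event dicts are
# transcribed from the page; field names and ppid=None (parent not shown in the
# report) are this example's own conventions.
import re

# WinRAR SFX stubs unpack their payload to %TEMP%\RarSFX<N>\ and then run the
# embedded setup command from there.
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX(\d+)\\", re.IGNORECASE)
CMD_RUNS_BAT = re.compile(r"/c\s+.*\.bat", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "11fe45cccad95a86b7e7d29c9d92547dae0706d549485d37d482d3df5fe58ebb.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def q(path):
    """Quote a path the way the report shows it on the command line."""
    return '"' + path + '"'


EVENTS = [
    {"pid": 2608, "ppid": None, "image": TEMP + "\\" + SAMPLE, "cmdline": q(TEMP + "\\" + SAMPLE)},
    {"pid": 4028, "ppid": 2608, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "'},
    {"pid": 3784, "ppid": 4028, "image": TEMP + r"\RarSFX0\work.exe", "cmdline": "work.exe -priverdD"},
    {"pid": 3900, "ppid": 3784, "image": TEMP + r"\RarSFX1\pgsthse.exe", "cmdline": q(TEMP + r"\RarSFX1\pgsthse.exe")},
    {"pid": 3676, "ppid": None, "image": EDGE,
     "cmdline": q(EDGE) + " --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService"
                " --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear"
                " --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,"
                "15511974759131734137,262144 --variations-seed-version /prefetch:8"},
]


def lineage(events, pid):
    """Ancestor chain [root, ..., pid], following ppid until no parent is known."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def sfx_stages(events, chain):
    """Distinct RarSFX<N> indices referenced by image or command line along the chain."""
    by_pid = {e["pid"]: e for e in events}
    stages = set()
    for pid in chain:
        for text in (by_pid[pid]["image"], by_pid[pid]["cmdline"]):
            m = RARSFX_DIR.search(text)
            if m:
                stages.add(int(m.group(1)))
    return stages


def runs_batch_via_cmd(event):
    """True when cmd.exe is used to run a .bat file (the SFX setup command here)."""
    return event["image"].lower().endswith("\\cmd.exe") and CMD_RUNS_BAT.search(event["cmdline"]) is not None


def dropped_sfx_payloads(events):
    """PIDs whose image lives inside a RarSFX staging directory ('Executes dropped EXE')."""
    return [e["pid"] for e in events if RARSFX_DIR.search(e["image"])]


def find_nested_sfx_chains(events):
    """Lineages (root..leaf PIDs) that cross two or more RarSFX<N> directories and
    include cmd.exe running a .bat: one SFX dropping and running a second SFX."""
    by_pid = {e["pid"]: e for e in events}
    parents = {e["ppid"] for e in events}
    hits = []
    for e in events:
        if e["pid"] in parents:
            continue  # only walk up from leaves so each chain is reported once
        chain = lineage(events, e["pid"])
        if len(sfx_stages(events, chain)) >= 2 and any(runs_batch_via_cmd(by_pid[p]) for p in chain):
            hits.append(chain)
    return hits


if __name__ == "__main__":
    print("dropped SFX payloads:", dropped_sfx_payloads(EVENTS))
    print("nested SFX chains:", find_nested_sfx_chains(EVENTS))
```

Keying the rule on two distinct `RarSFX<N>` indices in one lineage, rather than on any single execution from `%TEMP%\RarSFX*\`, keeps legitimate WinRAR installers (one SFX, one staging directory) out of the results while still catching the stacked-archive packaging this sample uses. The `msedge.exe` utility process the report lists at the top level has no such lineage and is left alone.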

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

      Filesize

      35B

      MD5

      ff59d999beb970447667695ce3273f75

      SHA1

      316fa09f467ba90ac34a054daf2e92e6e2854ff8

      SHA256

      065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

      SHA512

      d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

      Filesize

      5.8MB

      MD5

      cfb293de9746b2e41887b20155c1ee61

      SHA1

      282f4eb7c72e0403b6176d9925c914878539458f

      SHA256

      aa3fd950bcaa5a3bcf630976d6f5b25577468c4dba51a6421673435583bf309d

      SHA512

      e57536d985e50f8ec649ea64c6faf4b2eb2c887d48a26eba8eadd3512a235a9cdaeed8aabea10f5cfed4a7bf597ca92b89c93ceb2ef552ad56a9813d79164b6e

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgsthse.exe

      Filesize

      5.5MB

      MD5

      d09d8539c62597cd658a22b167acc4f9

      SHA1

      67309103226da380034dba8e6fe5a0a4e8183464

      SHA256

      15b67d1c9943ded17553939213a1c2d90541d05f59deee44e4ed2903d828ff16

      SHA512

      15a7afdb8567d4db79dbc6e4df187cc7cf447f1467970f0c6c3de617791f66d820aa9b8bb46a95775723abe4d1dcc8bd1ff67b3b3fa1822e9ca0f07578d67336

    • memory/3900-19-0x00000000011D0000-0x00000000011D1000-memory.dmp

      Filesize

      4KB

    • memory/3900-20-0x0000000000760000-0x0000000001064000-memory.dmp

      Filesize

      9.0MB