Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-05-2024 00:01

General

  • Target

    msimg32.dll

  • Size

    44.9MB

  • MD5

    b5f59b6995aebcc5d59d7f1b87333feb

  • SHA1

    3e6e1b41e93059517fd6675cbb3919d4de6d4c91

  • SHA256

    3ba98e952dac1f26679caf47bdd8662f78d8826ae030919b6b0ade9352f33b17

  • SHA512

    5df700664897d1fac422ff887238c641a2797901c9f664802da234ca999e32e08da55a4e237f7f785fab8ec34c5a1057aa2554ff0c49b6301cb31066173f96d8

  • SSDEEP

    786432:/UP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp23:/UP7GCG6iSrkx1hSzYsHQD3t/RE3

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://wastwfulldashiwnjs.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:408
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\msimg32.dll
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\SysWOW64\regsvr32.exe"
        3⤵
          PID:4516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 804
          3⤵
          • Program crash
          PID:2692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1644 -ip 1644
      1⤵
        PID:3752

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1644-1-0x00000000102E6000-0x0000000010300000-memory.dmp

    Filesize

    104KB

  • memory/1644-0-0x0000000010000000-0x0000000012DA5000-memory.dmp

    Filesize

    45.6MB

  • memory/1644-6-0x0000000010000000-0x0000000012DA5000-memory.dmp

    Filesize

    45.6MB

  • memory/1644-7-0x0000000012D78000-0x0000000012DA5000-memory.dmp

    Filesize

    180KB

  • memory/4516-2-0x00000000012E0000-0x00000000012E1000-memory.dmp

    Filesize

    4KB

  • memory/4516-4-0x0000000001280000-0x00000000012D4000-memory.dmp

    Filesize

    336KB

  • memory/4516-5-0x0000000001280000-0x00000000012D4000-memory.dmp

    Filesize

    336KB

  • memory/4516-8-0x0000000001280000-0x00000000012D4000-memory.dmp

    Filesize

    336KB