Malware Analysis Report

2024-11-15 06:22

Sample ID 240525-bc6xpsgh8t
Target 2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil
SHA256 c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f
Tags
lumma risepro
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c41745d8a3ead8489fba5d9ddbadbcc868194da360463eae2d63a0a09c07c19f

Threat Level: Known bad

The file 2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil was found to be: Known bad.

Malicious Activity Summary

lumma risepro

Detect Lumma Stealer payload V4

Lumma family

Risepro family

Checks system information in the registry

Enumerates physical storage devices

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 01:01

Signatures

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Lumma family

lumma

Risepro family

risepro

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 01:00

Reported

2024-05-25 01:03

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"

Signatures

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49260 | | tcp

Files

C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log

MD5 2de1bfe71cfc5a4220f1c4591aec8d07
SHA1 9cbfee4cdb3fc4680c47e3ca659fa370cb599a3b
SHA256 a6beba9600e995452800cc6729b56bf6f08741c2c5c6a041da11cb7c20382f49
SHA512 6a0c4d8e6407be69b2df8c652316052615041367522dc2281c83cfe22f8f9a4858927f113528dc05fa61df6c9c35db5ed43318ca87dff72679ec3c62d99501c3

C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log

MD5 47f2322fb942160bbfb66b20089c26b5
SHA1 64872306a838eb7d89fe1929c92837055cfbad6e
SHA256 e408469bbdfd6e476beb948a13dfcdd7ae5ce41c8b2c7d84cf8592b1a3c99e4f
SHA512 62696289437232028184d53d367ceb5e6d5cafb4b1336638e5083be58b066207b6eecbd3fb4f4f313a155c9e41bd63b5496403f647e4d75d0e59b38aa96116e9

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 01:00

Reported

2024-05-25 01:03

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"

Signatures

Checks system information in the registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-25_6c7b1c7f2a466936f3c06f608358311a_avoslocker_revil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
N/A | 127.0.0.1:55731 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp

Files

C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log

MD5 3e4c41db27479e98573b1bc85658a944
SHA1 84b39c5d7f161f26e788236aa84fe9771e5e4929
SHA256 6cf0ed2260954c5ab122e9d08035f468d3ee5e5a7a5f56bc474b47b077c84f7b
SHA512 71a71e7ab9d5d29050a2d634e5d8596dcf86180a216d8bb3b640620e2085da616714082c639bcc7b7082eb8f935ba084c44328b39d6c09bf2846352c977d4a70

C:\ProgramData\netskope\stagent\Logs\nsdebuglog.log

MD5 45792e4d83ea4a027e3f915a7a04cad8
SHA1 fcf8f4361cf854882f3ffc69ae3b76efb9b8c2e8
SHA256 b34840b2915ffc04a053ab46c5a1261685051fd3191e5f62bc301599ee2aef09
SHA512 8ce6fe19ad106576a9685a8190a9983c810f8765e21c067958e1f4a2ef1664ffa465e3691711a148b2def9c80b31b711f619cb1306b8f0cfc863bc6d94729609