Analysis

  • max time kernel
    69s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 12:53

General

  • Target

    Corel Preview 2024/Offer.pdf.exe

  • Size

    71.1MB

  • MD5

    8564c524e183138b878135bfd324a23e

  • SHA1

    65fa02423a7af2c25235d89d9cca4c1a2c6d0264

  • SHA256

    0e336a760e9b1f32b38c52d0426f48648dec5b5a04f0766482a02a3f152c72fe

  • SHA512

    acc51199f6fb23e3dd728e679bcd1178f66547405bc32b6a2240660fdc272a6ea61650e5419d99b69e08a12442e51d1abd4ffbc5e4cb6a91b3d098850e77443f

  • SSDEEP

    98304:rEF26EMHK1hM4a3jReUhRny9EFhsViTu1D4KY7EpMWPCTbl5:hQRBXTTut4/oDPqb

Score
10/10

Malware Config

Extracted

Family

lumma

C2

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Corel Preview 2024\Offer.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Corel Preview 2024\Offer.pdf.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID:1404
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:924
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    • Suspicious use of AdjustPrivilegeToken
    PID:4488
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\System32\t4pfwd.exe"
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1404-7-0x0000000000A50000-0x0000000000AA5000-memory.dmp (Filesize 340KB)
  • memory/1404-5-0x0000000000A50000-0x0000000000AA5000-memory.dmp (Filesize 340KB)
  • memory/1404-9-0x0000000000A50000-0x0000000000AA5000-memory.dmp (Filesize 340KB)
  • memory/2512-2-0x00007FF7E8700000-0x00007FF7E9C90000-memory.dmp (Filesize 21.6MB)
  • memory/2512-8-0x00007FF7E8700000-0x00007FF7E9C90000-memory.dmp (Filesize 21.6MB)
  • memory/4680-12-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-10-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-11-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-16-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-18-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-17-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-19-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-20-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-22-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)
  • memory/4680-21-0x000001FE99EB0000-0x000001FE99EB1000-memory.dmp (Filesize 4KB)