Analysis

  • max time kernel
    111s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 15:39

General

  • Target

    Software_1.30.1.rar

  • Size

    11.1MB

  • MD5

    6b793466d2bd5f3518ba8f652c349bbc

  • SHA1

    0074d126f0b4015d04b3261b3bdc6f82701e49cc

  • SHA256

    513d2ec0c996a97c554741d6f021dd8fb2a2637bc06047c70e26e33f71998b40

  • SHA512

    ff6e163ab3479c2d1217a4e9c69071f8d3326c25098587a53f5eb6ffb7438d4aa459a738f9def1cda9506dffb5d1964e1d89011a831158ef6fb20e20792833f4

  • SSDEEP

    196608:VZ6u+eldqUsxKGyBhqQnDPNA92ILS1XezkIFRCCXqvO2IdfzNrYLdKkt:t+eDqPozBhqQnDPNmS1X76n9J1+Kkt

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://femininiespywageg.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.rar
    1⤵
    • Modifies registry class
    PID:888
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2344
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1180
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2168
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19491:110:7zEvent3854
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1060
    • C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
          PID:2180
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe

        Filesize

        456KB

        MD5

        c759ec5443cbfe889a818285fae8809a

        SHA1

        be21bff0760e7a9f295ac7e347f8483afc353732

        SHA256

        56cf084e470f460202e795ea244413c7445d3aa7c83bc64b3891b1c8e6a7151b

        SHA512

        471a8a861ad0e43cabf699abfa1b7acaf422e2a90c8cadacd6d02dc068f4b74b3949f2a0abb8b894f6fd74886ba114410265efedf54402a49ab3a9117b01349d

      • memory/1468-32-0x0000000000570000-0x0000000000571000-memory.dmp

        Filesize

        4KB

      • memory/1468-34-0x0000000000570000-0x0000000000571000-memory.dmp

        Filesize

        4KB

      • memory/2180-33-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2180-35-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

      • memory/2612-38-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-37-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-36-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-48-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-47-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-46-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-45-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-44-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-43-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB

      • memory/2612-42-0x00000175D5140000-0x00000175D5141000-memory.dmp

        Filesize

        4KB