Overview

overview

10

Static

static

10

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    286s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-06-2024 05:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30.exe

  • Size

    297KB

  • MD5

    5d860e52bfa60fec84b6a46661b45246

  • SHA1

    1259e9f868d0d80ac09aadb9387662347cd4bd68

  • SHA256

    b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

  • SHA512

    04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

  • SSDEEP

    3072:WqFFrqwIOGdTypEmz07sFPaF16CVyeR+LhdwT5TZMfvgZcZqf7D34NeqiOLCbBOy:tBIOG6hPPLd05TZaYcZqf7DI3L

Score
10/10
lummaredlineamadiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

AMA

C2

185.215.113.67:40960

Extracted

Family

lumma

C2

https://facilitycoursedw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30.exe
    "C:\Users\Admin\AppData\Local\Temp\b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Users\Admin\AppData\Local\Temp\6.exe
      "C:\Users\Admin\AppData\Local\Temp\6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4156
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:352
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4324
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4060
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5020
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:428
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3448
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:5000
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml
    Filesize

    74KB

    MD5

    d4fc49dc14f63895d997fa4940f24378

    SHA1

    3efb1437a7c5e46034147cbbc8db017c69d02c31

    SHA256

    853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

    SHA512

    cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RLKVB36V\favicon[1].png
    Filesize

    2KB

    MD5

    18c023bc439b446f91bf942270882422

    SHA1

    768d59e3085976dba252232a65a4af562675f782

    SHA256

    e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

    SHA512

    a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TDVUC52A\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6.exe
    Filesize

    4.8MB

    MD5

    5bb3677a298d7977d73c2d47b805b9c3

    SHA1

    91933eb9b40281e59dd7e73d8b7dac77c5e42798

    SHA256

    85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

    SHA512

    d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

    Download Submit
  • memory/352-106-0x0000025FAB120000-0x0000025FAB121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/352-107-0x0000025FAB130000-0x0000025FAB131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/352-58-0x0000025FA1EF0000-0x0000025FA1EF2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/352-38-0x0000025FA4A20000-0x0000025FA4A30000-memory.dmp
    Filesize

    64KB

    Download
  • memory/352-22-0x0000025FA4920000-0x0000025FA4930000-memory.dmp
    Filesize

    64KB

    Download
  • memory/428-96-0x000001DA74C00000-0x000001DA74C02000-memory.dmp
    Filesize

    8KB

    Download
  • memory/428-88-0x000001DA74680000-0x000001DA74780000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/428-89-0x000001DA749F0000-0x000001DA749F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/428-92-0x000001DA74B20000-0x000001DA74B22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/428-94-0x000001DA74BE0000-0x000001DA74BE2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3604-9-0x0000000005130000-0x000000000516E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3604-2-0x00000000053A0000-0x000000000589E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3604-16-0x0000000006DF0000-0x0000000006E40000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3604-10-0x00000000050C0000-0x000000000510B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3604-8-0x0000000005090000-0x00000000050A2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3604-7-0x0000000005240000-0x000000000534A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3604-6-0x0000000005EB0000-0x00000000064B6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3604-15-0x00000000732F0000-0x00000000739DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-1-0x0000000000590000-0x00000000005E0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3604-5-0x00000000732F0000-0x00000000739DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-3-0x0000000004EA0000-0x0000000004F32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3604-67-0x00000000732F0000-0x00000000739DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-4-0x0000000004FA0000-0x0000000004FAA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3604-0-0x00000000732FE000-0x00000000732FF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3604-14-0x00000000732FE000-0x00000000732FF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3604-13-0x0000000006F90000-0x00000000074BC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3604-12-0x0000000006890000-0x0000000006A52000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3604-11-0x0000000005A10000-0x0000000005A76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4156-55-0x0000000001172000-0x0000000001402000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4156-99-0x0000000001120000-0x000000000193E000-memory.dmp
    Filesize

    8.1MB

    Download
  • memory/4156-98-0x0000000001172000-0x0000000001402000-memory.dmp
    Filesize

    2.6MB

    Download
  • memory/4156-62-0x0000000001120000-0x000000000193E000-memory.dmp
    Filesize

    8.1MB

    Download
  • memory/4156-59-0x0000000000C80000-0x0000000000C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4156-60-0x0000000001120000-0x000000000193E000-memory.dmp
    Filesize

    8.1MB

    Download
  • memory/5020-73-0x000001B078600000-0x000001B078700000-memory.dmp
    Filesize

    1024KB

    Download