Malware Analysis Report

2024-11-13 14:19

Sample ID: 240704-2l36aawapg
Target: 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
SHA256: 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
Tags: vmprotect lumma discovery spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f

Threat Level: Known bad

The file 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f was found to be: Known bad.

Malicious Activity Summary

vmprotect lumma discovery spyware stealer

Lumma Stealer

Reads user/profile data of web browsers

Loads dropped DLL

VMProtect packed file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 22:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 22:41

Reported

2024-07-04 22:46

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2868 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe | C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe | C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe | C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2604 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
PID 2724 wrote to memory of 2604 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
PID 2724 wrote to memory of 2604 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
PID 2604 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
PID 2604 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
PID 2604 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
PID 2604 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe

"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe

polaris.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 76ce3d5d5c3032cc9f78133af90b7ca7
SHA1 774907a1177135daf81ad950c2201510958cc52b
SHA256 7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd
SHA512 fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe

MD5 0f21f614bbd1768957b4ada1faf64885
SHA1 9e1fde36a3f615e783afec63be45a55453a14b89
SHA256 cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501
SHA512 8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe

MD5 5fd19293fa5acf9323ebc45b5df49b06
SHA1 6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a
SHA256 659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261
SHA512 595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697

memory/2480-37-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2480-35-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2480-39-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2480-43-0x0000000000D93000-0x00000000010C8000-memory.dmp
memory/2480-42-0x0000000000D93000-0x00000000010C8000-memory.dmp
memory/2480-44-0x0000000000D40000-0x000000000164C000-memory.dmp
memory/2480-40-0x0000000000D40000-0x000000000164C000-memory.dmp
memory/2480-45-0x0000000000D40000-0x000000000164C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 22:41

Reported

2024-07-04 22:46

Platform

win10-20240404-en

Max time kernel

195s

Max time network

256s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"

Signatures

Lumma Stealer

stealer lumma

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe | N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe

"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe

polaris.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | foodypannyjsud.shop | udp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 8.8.8.8:53 | 164.49.21.104.in-addr.arpa | udp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 104.21.49.164:443 | foodypannyjsud.shop | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 76ce3d5d5c3032cc9f78133af90b7ca7
SHA1 774907a1177135daf81ad950c2201510958cc52b
SHA256 7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd
SHA512 fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe

MD5 0f21f614bbd1768957b4ada1faf64885
SHA1 9e1fde36a3f615e783afec63be45a55453a14b89
SHA256 cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501
SHA512 8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe

MD5 5fd19293fa5acf9323ebc45b5df49b06
SHA1 6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a
SHA256 659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261
SHA512 595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697

memory/1852-20-0x00000000018D0000-0x00000000018D1000-memory.dmp
memory/1852-22-0x0000000000B10000-0x000000000141C000-memory.dmp