Analysis

  • max time kernel
    145s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-07-2024 19:35

General

  • Target

    !ŞetUp_51286--#PaSꞨKḙy#$$/Setup.exe

  • Size

    1.1MB

  • MD5

    f975a2d83d63a473fa2fc5206b66bb79

  • SHA1

    e49d21f112ab27ae0953aff30ae122440cf164b9

  • SHA256

    6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

  • SHA512

    4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

  • SSDEEP

    12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8

Malware Config

Extracted

Family

lumma

C2

https://unwielldyzpwo.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
          "C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\SysWOW64\comp.exe
            C:\Windows\SysWOW64\comp.exe
            5⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4212
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
                PID:2044
          • C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe
            "C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3288
            • C:\Windows\SysWOW64\comp.exe
              C:\Windows\SysWOW64\comp.exe
              5⤵
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4172
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2996
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

      Filesize

      15KB

      MD5

      0fb684cc15d197c0b937e5528359d7c8

      SHA1

      7d963246f52f42012bdcddb31214283c84c954ed

      SHA256

      e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260

      SHA512

      c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

    • C:\Users\Admin\AppData\Local\Temp\110d2f45

      Filesize

      1.3MB

      MD5

      388667ede854ace9db095fe44c660697

      SHA1

      aea9cf775e19bca4aa3d371c2a63c558bb43c77a

      SHA256

      25e56853d565a313574317ddd22ac95e8c4bb742b3fb0773a4d8dbed62d14b79

      SHA512

      0c8b5a5385fdd91619c0c271d526a0a8b0dcf7170452b3cd0f4ebb9549ca2761cc9661d86a8a85a90e5db6d884d14ddeeae8c83b1c40e1c0197743220222e94d

    • C:\Users\Admin\AppData\Local\Temp\143a3d6b

      Filesize

      1.1MB

      MD5

      1f6c231ab1add6380bcdcadda16d6ac1

      SHA1

      ad820342b92e92e04584d643f474a7b73dcd3257

      SHA256

      7ad83f3bf45cbe15e7bc562215544f6233e6354f8e7be26cdd8e3afc91cafef9

      SHA512

      25e33a57c9b455dcea59df74831aa10f35ec8bd025e7acec472b337733e7f99fbc6c29be6be51331b847a3c65044b151dbc74ba9352e650d3f77f4a29ca064a2

    • C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe

      Filesize

      4.2MB

      MD5

      024547ee3841ed6035b7bb9866452713

      SHA1

      8f1c8a12cecaeb4f15f3d2a3332073a0b1aefb36

      SHA256

      f89e565d3e73984e9b538fba979c8798f06775706cde8ecd1a921c61fecf2d28

      SHA512

      fc846fa5432d41973f30c4ee16b197079fb344322d1023c5bf31aa1bbab72d53094f2b17422471a292fbc9250dcb176b6ae2b78a883087689ca2bb9db1205545

    • C:\Users\Admin\AppData\Local\Temp\563d433

      Filesize

      1011KB

      MD5

      394f9e41d44bbdbd7b5e9816a0801b3b

      SHA1

      431ee4529ca5c29c7ff692dc76b83692f3762dbd

      SHA256

      11f9555e4825e41ab00b47a726f2a95484fdeea780a34508cf60f196eacfb734

      SHA512

      c3188313126c3f0b222ef86eb379cf9b06968f3667d25e81f4b1c18f106517469d746838982ac19008bd36fa55e575459ad81974de520dd792c81670d48cb5b2

    • C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe

      Filesize

      4.2MB

      MD5

      7c6730f484b1727b976fdad0f565b048

      SHA1

      c8a4a74d3a6e6025614d689a632dda845a7a8ec1

      SHA256

      d39f60dbce9c26f2b6336d8b8931f6bcb949022413d602344432eca8cdea8b45

      SHA512

      a3a763902e78c0d9ebaff810df2208cebfb22dbe9f7059dc641c301f7f88469cd52e1d04eaed9029ec7e045328fa062e56dad5b5b418a6a65a1511c1d266baad

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wip2ral0.vuk.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\b159923

      Filesize

      1.2MB

      MD5

      d39e706474d16261ec9b1cb57adbd1ee

      SHA1

      a0b19ed7e6ceb4ef12fedf717f019b1c6f07864a

      SHA256

      21a8d114f403a17e319eed493d5bd411201fdc8a6077d6da016fba16cc711135

      SHA512

      0e786655120af5cff93bb574aa1568fccdebcaf0ffe56ce4338a407947b9cc4b34f4e2be6f4300f9d868e5160b5129a98a1c04c359efe3e2ff7a7b365eb12699

    • C:\Users\Admin\AppData\Local\Temp\e479e61

      Filesize

      1.1MB

      MD5

      893841decbf4c6332ed2875006d01aea

      SHA1

      56dbe95018c3b2ce9d0d5c3bc6f618bf854ae319

      SHA256

      24d16abe464ff47607b8cc6f9c46dc2664789b3b6c4cb71bff68f873340f2efa

      SHA512

      47a6a05a24558df37a276e411d1adc06a4d6caca7230f6fb9f14d88e5b9af8160d11cdbf7626acc34ae204001000cd58393868366853f991d9e89ee7810cbb38

    • memory/216-16-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/216-17-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

    • memory/216-18-0x0000000000A6B000-0x0000000000A72000-memory.dmp

      Filesize

      28KB

    • memory/216-19-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

    • memory/216-36-0x0000000000D30000-0x0000000000D88000-memory.dmp

      Filesize

      352KB

    • memory/1552-15-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/1552-20-0x0000000074E4E000-0x0000000074E50000-memory.dmp

      Filesize

      8KB

    • memory/1552-12-0x0000000074E4E000-0x0000000074E50000-memory.dmp

      Filesize

      8KB

    • memory/1552-13-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/1552-11-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/1552-10-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/2044-81-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/2044-99-0x0000000000DA0000-0x0000000000E07000-memory.dmp

      Filesize

      412KB

    • memory/2580-112-0x00000000060F0000-0x0000000006444000-memory.dmp

      Filesize

      3.3MB

    • memory/2580-127-0x0000000006B00000-0x0000000006B1E000-memory.dmp

      Filesize

      120KB

    • memory/2580-138-0x0000000007A70000-0x0000000007A78000-memory.dmp

      Filesize

      32KB

    • memory/2580-137-0x0000000007B30000-0x0000000007B4A000-memory.dmp

      Filesize

      104KB

    • memory/2580-136-0x0000000007A40000-0x0000000007A54000-memory.dmp

      Filesize

      80KB

    • memory/2580-135-0x0000000007A30000-0x0000000007A3E000-memory.dmp

      Filesize

      56KB

    • memory/2580-133-0x00000000079F0000-0x0000000007A01000-memory.dmp

      Filesize

      68KB

    • memory/2580-132-0x0000000007A90000-0x0000000007B26000-memory.dmp

      Filesize

      600KB

    • memory/2580-131-0x0000000007860000-0x000000000786A000-memory.dmp

      Filesize

      40KB

    • memory/2580-130-0x0000000007820000-0x000000000783A000-memory.dmp

      Filesize

      104KB

    • memory/2580-129-0x0000000007E40000-0x00000000084BA000-memory.dmp

      Filesize

      6.5MB

    • memory/2580-128-0x0000000007500000-0x00000000075A3000-memory.dmp

      Filesize

      652KB

    • memory/2580-117-0x000000006F240000-0x000000006F28C000-memory.dmp

      Filesize

      304KB

    • memory/2580-116-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

      Filesize

      200KB

    • memory/2580-114-0x0000000006510000-0x000000000655C000-memory.dmp

      Filesize

      304KB

    • memory/2580-113-0x00000000064C0000-0x00000000064DE000-memory.dmp

      Filesize

      120KB

    • memory/2580-97-0x0000000004F30000-0x0000000004F66000-memory.dmp

      Filesize

      216KB

    • memory/2580-98-0x0000000005650000-0x0000000005C78000-memory.dmp

      Filesize

      6.2MB

    • memory/2580-102-0x0000000005CF0000-0x0000000005D56000-memory.dmp

      Filesize

      408KB

    • memory/2580-100-0x00000000054F0000-0x0000000005512000-memory.dmp

      Filesize

      136KB

    • memory/2580-101-0x0000000005590000-0x00000000055F6000-memory.dmp

      Filesize

      408KB

    • memory/2996-83-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/2996-134-0x00000000006F0000-0x0000000000761000-memory.dmp

      Filesize

      452KB

    • memory/3288-45-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/3288-38-0x0000000000400000-0x0000000000847000-memory.dmp

      Filesize

      4.3MB

    • memory/3908-46-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/3908-48-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/3908-25-0x0000000000400000-0x0000000000837000-memory.dmp

      Filesize

      4.2MB

    • memory/3908-32-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/3908-31-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/4172-58-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/4172-60-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/4212-72-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/4212-57-0x00007FF94D290000-0x00007FF94D485000-memory.dmp

      Filesize

      2.0MB

    • memory/4212-70-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/4212-80-0x0000000074E40000-0x0000000074E54000-memory.dmp

      Filesize

      80KB

    • memory/4604-4-0x00007FF945668000-0x00007FF945669000-memory.dmp

      Filesize

      4KB

    • memory/4604-6-0x00007FF945650000-0x00007FF94566C000-memory.dmp

      Filesize

      112KB

    • memory/4604-0-0x00007FF945650000-0x00007FF94566C000-memory.dmp

      Filesize

      112KB

    • memory/4604-5-0x00007FF945650000-0x00007FF94566C000-memory.dmp

      Filesize

      112KB