Analysis

  • max time kernel
    270s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-07-2024 01:11

General

  • Target

    word.zip

  • Size

    49.5MB

  • MD5

    2065356a29de858b29e54be9111caa38

  • SHA1

    5c6416f041e2a2ed47056200d76a6f1f5eecebc6

  • SHA256

    db782aed8ef4fab6299d2d08ca2f695762535847a1e6e77b117fc2c7eb36da33

  • SHA512

    51333037e48943ca48fa7f73eb1949955901e672a478c60ee64e8dc674777ae9f15ef23e390a2b8aa0e3abc84ae67e08754894c07410c250a616a95119f2c502

  • SSDEEP

    1572864:1coUN9zmk+jAi/99i7wR4X/E6Fsv8THJtnUh:1cjg/ri44X/JFS8THJlUh

Malware Config

Signatures

  • Detect Lumma Stealer payload V2 2 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Registers new Windows logon scripts automatically executed at logon. 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\word.zip
    1⤵
      PID:1128
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2320
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\word\" -spe -an -ai#7zMap25828:66:7zEvent5293
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3120
      • C:\Users\Admin\Desktop\word\word-Visualizador.exe
        "C:\Users\Admin\Desktop\word\word-Visualizador.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Registers new Windows logon scripts automatically executed at logon.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2788

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\Desktop\word\bin\Config.dat

        Filesize

        13KB

        MD5

        98a324a8cee8c2bf63f54eaa762b5a86

        SHA1

        27965caca83b9927a7fcce2c8f0a52b5e806b679

        SHA256

        28b8424812c76765ff26f44d3e709e404b0531ba602bc7b1029c8038ba4c1d97

        SHA512

        198a9da2af3213a58557e111f768b8e97f36f4938c608c03cb4a6ca8aa2b8e1cd7924dc3e7847877faddd20a0153da88a1c20cd9b6fa5651695b2a127a83782e

      • C:\Users\Admin\Desktop\word\bin\NSOCR.dll

        Filesize

        2.9MB

        MD5

        5d320299f6fcefe759626f0a07dde4f2

        SHA1

        aee8914fb193e8ebb7e57e55ef054776ac1781b1

        SHA256

        3c8a6e9126bf505b86a4e4176d9d45de2965117d14b11d42ab3359d631024e7e

        SHA512

        7e9fc8446cc0bf985ddcf40b457431d723b8124bd43038999aca03b42a2785b194808f458d60a5a8031feaa22340898df8f048e42ce549850ce931f6cfe3da29

      • C:\Users\Admin\Desktop\word\bin\NsBars.dll

        Filesize

        8.1MB

        MD5

        c22b4cce8a6c064faaa4f93b59b15440

        SHA1

        a05c2b0c211d4d5827349326c581171f75d5bf09

        SHA256

        cd6e459d348f04b3cd713304b62afd1d4b84d6b05e9d60b42eea377c417d1761

        SHA512

        47a06b9658f181a48865d90eaec7f857e867bb2f8ac5b284c444b0e90dbc07188777e0cdb7cbf4cd098d70c78b8b763d6308ed63d3563caaef7ce3e256abc018

      • C:\Users\Admin\Desktop\word\bin\NsSpell.dll

        Filesize

        316KB

        MD5

        8f50f83e4fc8299ca6762b12a9d285bd

        SHA1

        4b397981ab621f5b8dbe19053a89aef4a47d057f

        SHA256

        3db372fc7a15d3c4b0f4509685832fff1523004f42150f1a15ff86fe48096e80

        SHA512

        18cd2507bfdab6bf658df5c535f5581f76d82fa104a96693afea9989a6956bb353fc73af247ea5286de51739ef17b2680f5366bc3725fe0edb9aba26449656f2

      • C:\Users\Admin\Desktop\word\bin\sd.dat

        Filesize

        22KB

        MD5

        ae556c1ba47966f102128bbae8c217f8

        SHA1

        e0c7e29c400eefffdd493cb03e97b776b1b2d717

        SHA256

        a1e806c79fa764cb481aa8bba5bca7f503c9f3711bf380503d588b0d6eccbd63

        SHA512

        78eef37e4199dd34d560a5964d2fef14a2ce360692319661a7d155ffba87e32291715299a8e1592ff211ea3eb44a3f5f53ee918d8a3853727fec941210654cef

      • C:\Users\Admin\Desktop\word\de.ini

        Filesize

        14KB

        MD5

        7b1d0579348444cc11fb1cc3fbf00514

        SHA1

        4fb011cd891f7570573579cdc04dc1038b3a5563

        SHA256

        9af7a22185117967727fe19c3db45e96c14cda3b0607eb576d3d9cca0de9f689

        SHA512

        3cd89c0e3c43ab71852041ddc962a215fe411e7728989ba20481b7efe598aec3296c3174fdcd63c6908744800d784258e9195e27f7614cdb70131aa8db502880

      • C:\Users\Admin\Desktop\word\en.ini

        Filesize

        13KB

        MD5

        4ee840e71054942e6a2f28448c690d60

        SHA1

        13a4e387358245952320cbbb478295d4c047ba07

        SHA256

        a11083ee812b6cc9a0e93ce75856ca16802024c3a13618a2f6c4859cdefa58b5

        SHA512

        b8ac3bb249e6de012f54b772fc75c459a7b15afdab571e93a740a7a0b0f4d402d9210e26e7e472bbe7b982858edbb7f832194d9d62b3ae230ac6e9eea4ba963b

      • C:\Users\Admin\Desktop\word\pagy.picpay

        Filesize

        4.9MB

        MD5

        9d9be48da3636e333e8ca53572d43868

        SHA1

        9eebf2edab2756cbe971f797e7ee2f996c65a98d

        SHA256

        3fd61222635d6327fa2cbb1f14fb80bb21bdc590183974564bc09507e5e49a20

        SHA512

        77ab9efa119db6e0bc66bcf47c62d0b2c2da3f282059df5eb2362971fdb91d6429ae7d71e93ca041a500df5f04b0c019ab9598355c18dd084c2b1308c0ba0356

      • C:\Users\Admin\Desktop\word\word-Visualizador.exe

        Filesize

        8.2MB

        MD5

        d26255f827a47a2478f070599977533f

        SHA1

        bc0ec0846c87ccc819c65e04d33d4928362b83a4

        SHA256

        e159d61d715a77b6270e10b03dc25eaf10e94e72004e027e3aa630ee31615037

        SHA512

        1c496afebba73218df7e8cc21f600b22a6cd90bde63c8757bdb9ba5d32b67e113565a5b90ae0824e10700b389175ea6f7c7d81ee58b3d6a5df1fc62719b3bc88

      • memory/2788-330-0x0000000004630000-0x0000000004631000-memory.dmp

        Filesize

        4KB

      • memory/2788-332-0x0000000004660000-0x0000000004661000-memory.dmp

        Filesize

        4KB

      • memory/2788-334-0x00000000046A0000-0x00000000046A1000-memory.dmp

        Filesize

        4KB

      • memory/2788-333-0x0000000004690000-0x0000000004691000-memory.dmp

        Filesize

        4KB

      • memory/2788-335-0x00000000046B0000-0x00000000046B1000-memory.dmp

        Filesize

        4KB

      • memory/2788-336-0x00000000046C0000-0x00000000046C1000-memory.dmp

        Filesize

        4KB

      • memory/2788-338-0x00000000728E0000-0x000000007365E000-memory.dmp

        Filesize

        13.5MB

      • memory/2788-331-0x0000000004640000-0x0000000004641000-memory.dmp

        Filesize

        4KB

      • memory/2788-340-0x0000000000400000-0x0000000000C41000-memory.dmp

        Filesize

        8.3MB