Analysis
- max time kernel: 270s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 01:11

Behavioral task: behavioral1
- Sample: word.zip
- Resource: win10v2004-20240704-en

General
- Target: word.zip
- Size: 49.5MB
- MD5: 2065356a29de858b29e54be9111caa38
- SHA1: 5c6416f041e2a2ed47056200d76a6f1f5eecebc6
- SHA256: db782aed8ef4fab6299d2d08ca2f695762535847a1e6e77b117fc2c7eb36da33
- SHA512: 51333037e48943ca48fa7f73eb1949955901e672a478c60ee64e8dc674777ae9f15ef23e390a2b8aa0e3abc84ae67e08754894c07410c250a616a95119f2c502
- SSDEEP: 1572864:1coUN9zmk+jAi/99i7wR4X/E6Fsv8THJtnUh:1cjg/ri44X/JFS8THJlUh
Malware Config

Signatures

Detect Lumma Stealer payload V2 (2 IoCs)
Processes (resource / yara_rule):
  C:\Users\Admin\Desktop\word\word-Visualizador.exe / family_lumma_V2
  behavioral1/memory/2788-340-0x0000000000400000-0x0000000000C41000-memory.dmp / family_lumma_V2

Executes dropped EXE (1 IoC)
Processes (pid / process):
  2788 / word-Visualizador.exe

Loads dropped DLL (3 IoCs)
Processes (pid / process):
  2788 / word-Visualizador.exe (3 entries)

Registers new Windows logon scripts automatically executed at logon. (1 TTP, 1 IoC)
Processes (description / ioc / process):
  Set value (str) / \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Environment\UserInitMprLogonScript = "C:\\Users\\Admin\\Desktop\\word\\word-Visualizador.exe" / word-Visualizador.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
  2788 / word-Visualizador.exe (64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
  2788 / word-Visualizador.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description / pid / process):
  Token: SeRestorePrivilege / 3120 / 7zG.exe
  Token: 35 / 3120 / 7zG.exe
  Token: SeSecurityPrivilege / 3120 / 7zG.exe
  Token: SeSecurityPrivilege / 3120 / 7zG.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
  3120 / 7zG.exe
  2788 / word-Visualizador.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  2788 / word-Visualizador.exe
Processes
- C:\Windows\Explorer.exe (PID 1128)
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\word.zip
- C:\Windows\System32\rundll32.exe (PID 2320)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 3120)
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\word\" -spe -an -ai#7zMap25828:66:7zEvent5293
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\word\word-Visualizador.exe (PID 2788)
  command line: "C:\Users\Admin\Desktop\word\word-Visualizador.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Registers new Windows logon scripts automatically executed at logon.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads