Malware Analysis Report

2024-11-13 14:19

Sample ID 240705-bkdacsyejl
Target word.zip
SHA256 db782aed8ef4fab6299d2d08ca2f695762535847a1e6e77b117fc2c7eb36da33
Tags
lumma persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db782aed8ef4fab6299d2d08ca2f695762535847a1e6e77b117fc2c7eb36da33

Threat Level: Known bad

The file word.zip was found to be: Known bad.

Malicious Activity Summary

lumma persistence stealer

Lumma Stealer

Detect Lumma Stealer payload V2

Lumma family

Executes dropped EXE

Registers new Windows logon scripts automatically executed at logon.

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 01:12

Signatures

Detect Lumma Stealer payload V2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Lumma family

lumma

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 01:11

Reported

2024-07-05 01:18

Platform

win10v2004-20240704-en

Max time kernel

270s

Max time network

212s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\word.zip

Signatures

Detect Lumma Stealer payload V2

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Lumma Stealer

stealer lumma

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Registers new Windows logon scripts automatically executed at logon.

persistence

Description | Indicator | Process | Target
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Environment\UserInitMprLogonScript = "C:\\Users\\Admin\\Desktop\\word\\word-Visualizador.exe" | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\word\word-Visualizador.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\word.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\word\" -spe -an -ai#7zMap25828:66:7zEvent5293

C:\Users\Admin\Desktop\word\word-Visualizador.exe

"C:\Users\Admin\Desktop\word\word-Visualizador.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\Desktop\word\word-Visualizador.exe

MD5 d26255f827a47a2478f070599977533f
SHA1 bc0ec0846c87ccc819c65e04d33d4928362b83a4
SHA256 e159d61d715a77b6270e10b03dc25eaf10e94e72004e027e3aa630ee31615037
SHA512 1c496afebba73218df7e8cc21f600b22a6cd90bde63c8757bdb9ba5d32b67e113565a5b90ae0824e10700b389175ea6f7c7d81ee58b3d6a5df1fc62719b3bc88

C:\Users\Admin\Desktop\word\de.ini

MD5 7b1d0579348444cc11fb1cc3fbf00514
SHA1 4fb011cd891f7570573579cdc04dc1038b3a5563
SHA256 9af7a22185117967727fe19c3db45e96c14cda3b0607eb576d3d9cca0de9f689
SHA512 3cd89c0e3c43ab71852041ddc962a215fe411e7728989ba20481b7efe598aec3296c3174fdcd63c6908744800d784258e9195e27f7614cdb70131aa8db502880

C:\Users\Admin\Desktop\word\en.ini

MD5 4ee840e71054942e6a2f28448c690d60
SHA1 13a4e387358245952320cbbb478295d4c047ba07
SHA256 a11083ee812b6cc9a0e93ce75856ca16802024c3a13618a2f6c4859cdefa58b5
SHA512 b8ac3bb249e6de012f54b772fc75c459a7b15afdab571e93a740a7a0b0f4d402d9210e26e7e472bbe7b982858edbb7f832194d9d62b3ae230ac6e9eea4ba963b

C:\Users\Admin\Desktop\word\bin\NSOCR.dll

MD5 5d320299f6fcefe759626f0a07dde4f2
SHA1 aee8914fb193e8ebb7e57e55ef054776ac1781b1
SHA256 3c8a6e9126bf505b86a4e4176d9d45de2965117d14b11d42ab3359d631024e7e
SHA512 7e9fc8446cc0bf985ddcf40b457431d723b8124bd43038999aca03b42a2785b194808f458d60a5a8031feaa22340898df8f048e42ce549850ce931f6cfe3da29

C:\Users\Admin\Desktop\word\bin\NsSpell.dll

MD5 8f50f83e4fc8299ca6762b12a9d285bd
SHA1 4b397981ab621f5b8dbe19053a89aef4a47d057f
SHA256 3db372fc7a15d3c4b0f4509685832fff1523004f42150f1a15ff86fe48096e80
SHA512 18cd2507bfdab6bf658df5c535f5581f76d82fa104a96693afea9989a6956bb353fc73af247ea5286de51739ef17b2680f5366bc3725fe0edb9aba26449656f2

C:\Users\Admin\Desktop\word\bin\sd.dat

MD5 ae556c1ba47966f102128bbae8c217f8
SHA1 e0c7e29c400eefffdd493cb03e97b776b1b2d717
SHA256 a1e806c79fa764cb481aa8bba5bca7f503c9f3711bf380503d588b0d6eccbd63
SHA512 78eef37e4199dd34d560a5964d2fef14a2ce360692319661a7d155ffba87e32291715299a8e1592ff211ea3eb44a3f5f53ee918d8a3853727fec941210654cef

C:\Users\Admin\Desktop\word\bin\NsBars.dll

MD5 c22b4cce8a6c064faaa4f93b59b15440
SHA1 a05c2b0c211d4d5827349326c581171f75d5bf09
SHA256 cd6e459d348f04b3cd713304b62afd1d4b84d6b05e9d60b42eea377c417d1761
SHA512 47a06b9658f181a48865d90eaec7f857e867bb2f8ac5b284c444b0e90dbc07188777e0cdb7cbf4cd098d70c78b8b763d6308ed63d3563caaef7ce3e256abc018

C:\Users\Admin\Desktop\word\bin\Config.dat

MD5 98a324a8cee8c2bf63f54eaa762b5a86
SHA1 27965caca83b9927a7fcce2c8f0a52b5e806b679
SHA256 28b8424812c76765ff26f44d3e709e404b0531ba602bc7b1029c8038ba4c1d97
SHA512 198a9da2af3213a58557e111f768b8e97f36f4938c608c03cb4a6ca8aa2b8e1cd7924dc3e7847877faddd20a0153da88a1c20cd9b6fa5651695b2a127a83782e

memory/2788-330-0x0000000004630000-0x0000000004631000-memory.dmp

memory/2788-331-0x0000000004640000-0x0000000004641000-memory.dmp

memory/2788-332-0x0000000004660000-0x0000000004661000-memory.dmp

memory/2788-334-0x00000000046A0000-0x00000000046A1000-memory.dmp

memory/2788-333-0x0000000004690000-0x0000000004691000-memory.dmp

memory/2788-335-0x00000000046B0000-0x00000000046B1000-memory.dmp

memory/2788-336-0x00000000046C0000-0x00000000046C1000-memory.dmp

memory/2788-338-0x00000000728E0000-0x000000007365E000-memory.dmp

C:\Users\Admin\Desktop\word\pagy.picpay

MD5 9d9be48da3636e333e8ca53572d43868
SHA1 9eebf2edab2756cbe971f797e7ee2f996c65a98d
SHA256 3fd61222635d6327fa2cbb1f14fb80bb21bdc590183974564bc09507e5e49a20
SHA512 77ab9efa119db6e0bc66bcf47c62d0b2c2da3f282059df5eb2362971fdb91d6429ae7d71e93ca041a500df5f04b0c019ab9598355c18dd084c2b1308c0ba0356

memory/2788-340-0x0000000000400000-0x0000000000C41000-memory.dmp