Analysis

  • max time kernel
    165s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-07-2024 20:10

General

  • Target

    infected.zip

  • Size

    4.0MB

  • MD5

    101a3061619bdb9e71bb91fa32eefb9b

  • SHA1

    41b3a2605900d72ed4221a4c2c8e79bd3c6aa5d6

  • SHA256

    78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac

  • SHA512

    6198e59f69502ca9e9cd65d90270907e932c46db51c125cc0c23d1ba7702e03a4c9f0d42822648e2a5d49d8d676447d9d3ec125b7b4f29790dde4b8f940c1bec

  • SSDEEP

    98304:g6aZ3ofc1iwhDYibIQ4QvIHQvgfcuJQF4sZvjtAoIyuUu5rayqWeoB7/:g6u3ec1iwhDcQ4Qr+AtZuUWraysGr

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://unwielldyzpwo.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip
    1⤵
      PID:4136
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2288
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19623:96:7zEvent11900
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:628
      • C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4232
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1908
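
The tree above (a dropped Setup.exe in %TEMP% that spawns a bare more.com, which in turn spawns a SysWOW64 copy of SearchIndexer.exe, with SetThreadContext / WriteProcessMemory / MapViewOfSection flagged on the parents) is the kind of chain that is easier to detect on parent/child and image-path anomalies than on the payload hash. The following Python is an added example, not part of the sandbox report: it runs four such checks over process-creation events. The events, the parent PIDs and the per-process API lists are constructed from the tree and signature hits shown above; the services.exe baseline event and the ProcEvent shape are assumptions.

```python
"""Detection logic over process-creation events shaped like the report's
process tree.  Added example (not part of the sandbox report); the events,
parent PIDs and per-process API lists are constructed from the tree shown
above, and the services.exe baseline event is assumed."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    api_calls: tuple = ()      # API names the sandbox attributed to the process


SYSTEM32 = r"c:\windows\system32"
TEMP_MARK = r"\appdata\local\temp"


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def detect(events):
    """Return (pid, reason) tuples for events matching the chain seen above."""
    by_pid = {e.pid: e for e in events}
    has_child = {e.ppid for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pbase = _base(parent.image) if parent else ""
        img, d = _base(e.image), _dir(e.image)
        # 1. A dropped executable running out of the user's Temp directory.
        if TEMP_MARK in d and img.endswith(".exe"):
            alerts.append((e.pid, "exe executed from %TEMP%"))
        # 2. more.com is a console pager that cmd.exe runs with a file or a pipe;
        #    launched with no arguments by something other than cmd.exe it is
        #    an anomaly worth alerting on.
        if (img == "more.com" and pbase != "cmd.exe"
                and e.cmdline.strip().lower().endswith("more.com")):
            alerts.append((e.pid, "more.com run without arguments by " + (pbase or "unknown")))
        # 3. The real indexer is a service: System32 image, parent services.exe.
        #    A 32-bit copy from SysWOW64 under an interactive process is consistent
        #    with a process-injection host rather than the Windows Search service.
        if img == "searchindexer.exe" and not (d == SYSTEM32 and pbase == "services.exe"):
            alerts.append((e.pid, "SearchIndexer.exe outside services.exe/System32"))
        # 4. WriteProcessMemory plus SetThreadContext or MapViewOfSection on a
        #    process that then spawned a child: the child is the likely write target.
        apis = set(e.api_calls)
        if ("WriteProcessMemory" in apis and apis & {"SetThreadContext", "MapViewOfSection"}
                and e.pid in has_child):
            alerts.append((e.pid, "injection APIs followed by a child process"))
    return alerts


def alert_pids(events):
    return sorted({pid for pid, _ in detect(events)})


# Constructed from the report's process tree; PIDs 600/700/3000 are an assumed
# benign baseline (services.exe starting the real SearchIndexer.exe).
SAMPLE_EVENTS = [
    ProcEvent(2288, 4136, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll"),
    ProcEvent(628, 2288, r"C:\Program Files\7-Zip\7zG.exe",
              r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an',
              ("AdjustPrivilegeToken", "FindShellTrayWindow")),
    ProcEvent(1720, 2288, r"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"',
              ("SetThreadContext", "WriteProcessMemory", "MapViewOfSection", "EnumeratesProcesses")),
    ProcEvent(4232, 1720, r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\more.com",
              ("WriteProcessMemory", "MapViewOfSection", "EnumeratesProcesses")),
    ProcEvent(1908, 4232, r"C:\Windows\SysWOW64\SearchIndexer.exe",
              r"C:\Windows\SysWOW64\SearchIndexer.exe", ("EnumeratesProcesses",)),
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(3000, 700, r"C:\Windows\System32\SearchIndexer.exe",
              r"C:\Windows\System32\SearchIndexer.exe /Embedding"),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"{pid}\t{reason}")
```

Run against the constructed events, the three malicious PIDs (1720, 4232, 1908) each raise at least one alert and the baseline SearchIndexer.exe under services.exe raises none. In a real deployment the api_calls field would come from an EDR's API-trace or the sandbox's own per-process signature hits; checks 1 to 3 need only the process-creation events that Sysmon event ID 1 already provides.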

      Network

      MITRE ATT&CK Enterprise v15


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

        Filesize

        1.1MB

        MD5

        f975a2d83d63a473fa2fc5206b66bb79

        SHA1

        e49d21f112ab27ae0953aff30ae122440cf164b9

        SHA256

        6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

        SHA512

        4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

      • C:\Users\Admin\AppData\Local\Temp\Program\caret.xls

        Filesize

        779KB

        MD5

        4d4b5ccd0ff38d099e68792ee07c4a99

        SHA1

        f529d6bb59e1edd6ee57b7ceca20afaa2272d157

        SHA256

        90b7b1dbc330af1f1d80403bacb25b46506b666aa9182fef90aaec5d612507a7

        SHA512

        b8113fef6c0e7dea4ad6615fa0a451e72f481d72691d9f4001196be7784df8620ea8b7c00456a546204e0540580eaa13a4bb7ed18ef90ba7a7022682573484f6

      • C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll

        Filesize

        3.9MB

        MD5

        b37d0df4c44e4e1e9502f6b90adbd73d

        SHA1

        2164d4fd7184f2ed4ebb225f2ea36b84c001f7ee

        SHA256

        0b16174a0a47cfcabf5dd427e56355b806467ac3284d5d55f66aa19fbcf91e92

        SHA512

        f5fbb1d506835a4cedd2843a7ff1e1b750ad0c147730e9de521de0c1b67cece4ded32ea0bf153341f9fe6630febb7af785b117d4c49fdfe01e65a18fc450a265

      • C:\Users\Admin\AppData\Local\Temp\Program\test.asp

        Filesize

        53KB

        MD5

        012206c2a828f8687db2a3e5e878068f

        SHA1

        ee75d067cebca73b982546e1d4c7c7cf32569e8a

        SHA256

        42f229a1430516ca02825a0b8ead2aa296c1a1cd7e1b41165d918e6657fe4ac4

        SHA512

        8a0c894cdf75f675b692a3e5fd0db278536c7b8044490fd1a83b47ca606996d9d36190017f33ff9874e0223dd6e2dbb9f5173c870d501e0ae57fbc2bb6ca323b

      • C:\Users\Admin\AppData\Local\Temp\d8928b9a

        Filesize

        1011KB

        MD5

        c5adcef29ab7b7bd62fae63abab9188d

        SHA1

        fbb16ddb70d87f46d104c3d0f2326f792b71a768

        SHA256

        ae25c79823a569ce6914fd5ec487d3ccb0137ef518e2b005f500a5ad9e83853a

        SHA512

        31ab8c3a4890aedc4a19160ab503bdd0d5934837f5a98104d7863ec12fc5a114e67c4e5c43150b6fc9cd324bad60bdefe425b9072aaf28b4b32a8253600dbfc6

      • memory/1720-36-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp

        Filesize

        112KB

      • memory/1720-40-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp

        Filesize

        112KB

      • memory/1908-47-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp

        Filesize

        2.0MB

      • memory/1908-48-0x0000000000180000-0x00000000001D8000-memory.dmp

        Filesize

        352KB

      • memory/1908-49-0x0000000000180000-0x00000000001D8000-memory.dmp

        Filesize

        352KB

      • memory/4232-44-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp

        Filesize

        2.0MB

      • memory/4232-45-0x0000000075B00000-0x0000000075B14000-memory.dmp

        Filesize

        80KB
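
The "Malware Config" and "Downloads" sections above are the reusable part of this report: a family, a C2 URL, and a hash set per dropped file or memory region. The following Python is an added example, not code from the sandbox or the report: a parser for that label/value layout that lower-cases and length-checks each hash, derives the C2 host from the URL, and, for memory dumps, recovers the PID and address range from the file name and cross-checks the range against the reported Filesize. The REPORT_SNIPPET is constructed from the Setup.exe, memory/1908-48 and config entries shown above; the 5% rounding tolerance and the output dict shape are assumptions.

```python
"""Parser for the hash/metadata layout used in the report's "Downloads" and
"Malware Config" sections.  Added example for turning such a page into
machine-checkable IOCs; REPORT_SNIPPET is constructed from the report's own
Setup.exe, memory-dump and config entries, everything else is assumed."""
import re
from urllib.parse import urlparse

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = set(HASH_LEN) | {"Filesize"}
_HEX = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
_MEM = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.IGNORECASE)
UNIT = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}


def size_to_bytes(text):
    """'352KB' -> 360448.  The page rounds, so treat the result as approximate."""
    m = _SIZE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2).upper()])


def parse_report(text):
    """Return (config, artifacts): config holds family and C2 URLs, artifacts
    one dict per '• path' bullet with lower-cased, length-checked hashes."""
    config, artifacts = {}, []
    current = pending = None           # artifact being filled; label awaiting its value
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• ") and ("\\" in line or line.startswith("• memory/")):
            current = {"path": line[2:]}
            m = _MEM.match(current["path"])
            if m:                      # dumped region: pid and range come from the name
                start, end = int(m.group(2), 16), int(m.group(3), 16)
                current["region"] = {"pid": int(m.group(1)), "start": start,
                                     "end": end, "size": end - start}
            artifacts.append(current)
            pending = None
            continue
        if line in ("Family", "C2"):
            current, pending = None, line
            continue
        if line in LABELS and current is not None:
            pending = line
            continue
        if pending is None:            # section headings and prose: ignore
            continue
        if pending in HASH_LEN:
            if len(line) != HASH_LEN[pending] or not _HEX.match(line):
                raise ValueError(f"{current['path']}: malformed {pending} {line!r}")
            current[pending.lower()] = line.lower()
        elif pending == "Filesize":
            current["size_bytes"] = size_to_bytes(line)
        elif pending == "Family":
            config["family"] = line.lower()
        else:                          # C2
            config.setdefault("c2", []).append(line)
        pending = None
    return config, artifacts


def c2_domains(config):
    return sorted({urlparse(u).hostname for u in config.get("c2", [])})


def region_size_matches(artifact, tolerance=0.05):
    """Cross-check a dump's reported Filesize against its address range; None if
    the artifact is not a memory dump.  Tolerance covers the page's rounding."""
    r = artifact.get("region")
    if r is None or "size_bytes" not in artifact:
        return None
    return abs(r["size"] - artifact["size_bytes"]) <= tolerance * r["size"]


# Constructed from the report's own entries (SHA512 omitted for brevity).
REPORT_SNIPPET = r"""
Malware Config

Extracted

Family

lumma

C2

https://unwielldyzpwo.shop/api

Downloads

• C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

  Filesize

  1.1MB

  MD5

  f975a2d83d63a473fa2fc5206b66bb79

  SHA1

  e49d21f112ab27ae0953aff30ae122440cf164b9

  SHA256

  6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

• memory/1908-48-0x0000000000180000-0x00000000001D8000-memory.dmp

  Filesize

  352KB
"""

if __name__ == "__main__":
    cfg, arts = parse_report(REPORT_SNIPPET)
    print(cfg["family"], c2_domains(cfg))
    for a in arts:
        print(a["path"], a.get("sha256"), a.get("region"), region_size_matches(a))
```

The hash length check matters when feeding these values into a blocklist: a truncated SHA256 copied from a page silently matches nothing. The address-range check is the same idea applied to the memory dumps: for memory/1908-48 the range 0x180000 to 0x1D8000 is 0x58000 bytes, exactly the 352KB the page reports, so the two columns agree.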