Analysis

  • max time kernel
    35s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-07-2024 01:55

General

  • Target

    b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe

  • Size

    45.0MB

  • MD5

    552bca388a9bad51553e21be26e0f892

  • SHA1

    d94d5c4ffba3dfa8d754fdff58b4631b8329217d

  • SHA256

    b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e

  • SHA512

    a314596469b84abb0507dda4e64ad3874165fa38ca4dbcb440e8c231a38aaf58ce37e934a531b95454c5724d9e8bee6d4e72a3076d32bb31b38181d134f24e7c

  • SSDEEP

    24576:CTsi1sMNeV7QgSDwpsD6rS3ATK8RBax/nGIS:x2eVLAwY6G3tx/nGp

Score
10/10

Malware Config

Extracted

Family

lumma

C2

  • https://radiationnopp.shop/api
  • https://bouncedgowp.shop/api
  • https://bannngwko.shop/api
  • https://bargainnykwo.shop/api
  • https://affecthorsedpo.shop/api
  • https://answerrsdo.shop/api
  • https://publicitttyps.shop/api
  • https://benchillppwo.shop/api
  • https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3576
    • C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe
      "C:\Users\Admin\AppData\Local\Temp\b1712b39fe796ae8ed77041201135aa5c71a50eee092518cfb477702feed3e0e.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k copy Modes Modes.cmd & Modes.cmd & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3060
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:3236
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:4776
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 416420
          4⤵
          PID:3344
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "VolumeBroughtDairyVehicle" Customs
          4⤵
          PID:552
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Barbara + Graphics + Frog + Iron 416420\D
          4⤵
          PID:1456
        • C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif
          416420\Subsequent.pif 416420\D
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3736
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:3536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoSync360 Solutions Inc\CryptoSync360.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoSync360.url" & exit
      2⤵
      • Drops startup file
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\416420\D (413KB)
  • C:\Users\Admin\AppData\Local\Temp\416420\Subsequent.pif (915KB)
  • C:\Users\Admin\AppData\Local\Temp\Arena (58KB)
  • C:\Users\Admin\AppData\Local\Temp\Barbara (171KB)
  • C:\Users\Admin\AppData\Local\Temp\Bbc (57KB)
  • C:\Users\Admin\AppData\Local\Temp\Before (26KB)
  • C:\Users\Admin\AppData\Local\Temp\Belt (22KB)
  • C:\Users\Admin\AppData\Local\Temp\Cedar (35KB)
  • C:\Users\Admin\AppData\Local\Temp\Collections (49KB)
  • C:\Users\Admin\AppData\Local\Temp\Customs (182B)
  • C:\Users\Admin\AppData\Local\Temp\Emissions (20KB)
  • C:\Users\Admin\AppData\Local\Temp\Employee (57KB)
  • C:\Users\Admin\AppData\Local\Temp\Fda (69KB)
  • C:\Users\Admin\AppData\Local\Temp\Fits (7KB)
  • C:\Users\Admin\AppData\Local\Temp\Frog (39KB)
  • C:\Users\Admin\AppData\Local\Temp\Graphics (150KB)
  • C:\Users\Admin\AppData\Local\Temp\Into (58KB)
  • C:\Users\Admin\AppData\Local\Temp\Iron (53KB)
  • C:\Users\Admin\AppData\Local\Temp\Jane (45KB)
  • C:\Users\Admin\AppData\Local\Temp\Modes (20KB)
  • C:\Users\Admin\AppData\Local\Temp\Momentum (15KB)
  • C:\Users\Admin\AppData\Local\Temp\Needle (48KB)
  • C:\Users\Admin\AppData\Local\Temp\Ntsc (51KB)
  • C:\Users\Admin\AppData\Local\Temp\Olive (48KB)
  • C:\Users\Admin\AppData\Local\Temp\Places (18KB)
  • C:\Users\Admin\AppData\Local\Temp\Properly (57KB)
  • C:\Users\Admin\AppData\Local\Temp\Rank (62KB)
  • C:\Users\Admin\AppData\Local\Temp\Sociology (8KB)
  • C:\Users\Admin\AppData\Local\Temp\Tears (17KB)
  • C:\Users\Admin\AppData\Local\Temp\Theater (24KB)
  • C:\Users\Admin\AppData\Local\Temp\Una (64KB)
  • memory/3736-507-0x0000000004A40000-0x0000000004A8F000-memory.dmp (316KB)
  • memory/3736-508-0x0000000004A40000-0x0000000004A8F000-memory.dmp (316KB)
  • memory/3736-509-0x0000000004A40000-0x0000000004A8F000-memory.dmp (316KB)
  • memory/3736-510-0x0000000004A40000-0x0000000004A8F000-memory.dmp (316KB)
  • memory/3736-511-0x0000000004A40000-0x0000000004A8F000-memory.dmp (316KB)