Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-08-2024 20:47

General

  • Target

    https://weoleycastletaxis.co.uk/chao/baby/omgsoft.zip

Score
10/10

Malware Config

Extracted

Family

lumma

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://weoleycastletaxis.co.uk/chao/baby/omgsoft.zip
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb53e4cc40,0x7ffb53e4cc4c,0x7ffb53e4cc58
      2⤵
      PID:3940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1696,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1676 /prefetch:2
      2⤵
      PID:1124
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
      2⤵
      PID:3576
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2180 /prefetch:8
      2⤵
      PID:3508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1
      2⤵
      PID:2016
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
      2⤵
      PID:4040
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:8
      2⤵
      PID:536
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4488,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4332 /prefetch:8
      2⤵
      PID:4912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5204,i,12265806705313081127,17886103692082407478,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2344
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:3592
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:3916
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4388
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\omgsoft\" -spe -an -ai#7zMap26247:76:7zEvent27579
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1692
  • C:\Users\Admin\Downloads\omgsoft\omgsoft.exe
    "C:\Users\Admin\Downloads\omgsoft\omgsoft.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3496
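The chain that matters in this tree is chrome.exe (PID 1804) fetching omgsoft.zip, 7zG.exe (PID 1692) extracting it to C:\Users\Admin\Downloads\omgsoft\, and omgsoft.exe (PID 3496) running from that directory; the signals attached to Chrome's own children (crashpad handler, GPU and utility processes) are ordinary browser behaviour. The block below is an added example, not part of the report and not Triage's code: a small detector run over constructed process-creation records modelled on this tree, with a benign decoy extraction (PIDs 4100/4101) added to show it does not fire on every archive. It assumes events arrive in creation order and that the archiver is 7-Zip, whose -o switch names the output directory.

```python
"""Detect an EXE executed from a directory an archiver has just populated,
or from a user's Downloads tree.  Added example over constructed events
shaped like the report's process tree; not Triage's code."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str


# Reduced from the report's Processes section (constructed records, not real
# Sysmon output).  PIDs 4100/4101 are an added benign decoy: an archive
# extracted under Documents, followed by notepad opening a text file.
EVENTS = [
    ProcEvent(1804, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument https://weoleycastletaxis.co.uk/chao/baby/omgsoft.zip'),
    ProcEvent(1692, r"C:\Program Files\7-Zip\7zG.exe",
              r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\omgsoft\" -spe -an -ai#7zMap26247:76:7zEvent27579'),
    ProcEvent(3496, r"C:\Users\Admin\Downloads\omgsoft\omgsoft.exe",
              r'"C:\Users\Admin\Downloads\omgsoft\omgsoft.exe"'),
    ProcEvent(4100, r"C:\Program Files\7-Zip\7zG.exe",
              r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\report\" -spe -an -ai#7zMap1:1:7zEvent1'),
    ProcEvent(4101, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\report\notes.txt'),
]

ARCHIVERS = {"7zg.exe", "7z.exe"}
# 7-Zip's -o switch, either -o"dir with spaces\" or -odir
SEVEN_ZIP_OUTDIR = re.compile(r'-o(?:"([^"]*)"|(\S+))')
# Any executable launched from a user's Downloads tree (lower-cased path).
USER_DOWNLOADS_EXE = re.compile(r'^[a-z]:\\users\\[^\\]+\\downloads\\.*\.exe$')


def extraction_dir(ev):
    """Return the normalised, lower-cased output directory of a 7-Zip
    extraction, or None if the event is not one."""
    if ntpath.basename(ev.image).lower() not in ARCHIVERS:
        return None
    m = SEVEN_ZIP_OUTDIR.search(ev.command_line)
    if not m:
        return None
    return ntpath.normpath(m.group(1) or m.group(2)).lower()


def detect(events):
    """Return (pid, rule, related_pid) alerts.  Two rules: an EXE started
    from Downloads, and an EXE started from a directory an archiver
    populated earlier in the event stream."""
    alerts = []
    extracted = {}   # lower-cased output dir -> pid of the archiver
    for ev in events:
        out = extraction_dir(ev)
        if out is not None:
            extracted[out] = ev.pid
            continue
        image = ev.image.lower()
        if not image.endswith(".exe"):
            continue
        if USER_DOWNLOADS_EXE.match(image):
            alerts.append((ev.pid, "exe_from_user_downloads", None))
        for outdir, archiver_pid in extracted.items():
            if image.startswith(outdir + "\\"):
                alerts.append((ev.pid, "exe_from_fresh_extraction", archiver_pid))
    return alerts


if __name__ == "__main__":
    for pid, rule, related in detect(EVENTS):
        print(f"ALERT pid={pid} rule={rule} archiver_pid={related}")
```

Against the constructed events only PID 3496 fires, on both rules, with PID 1692 recorded as the archiver that created its directory; the decoy extraction under Documents records a directory but nothing is executed from it. On a real host the same two rules are what you would express in a Sigma process_creation rule with a correlation on the 7-Zip output path.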

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize: 649B
    MD5: e7e0c894b5cc1103e76f8d035c252d90
    SHA1: e4ef0466081ebe8a224c8b1f507e4aca5b0a375e
    SHA256: 3d5b795c202b6fb12714bb73df4aeafdb193ea57c3e871e360ed1baef7eebe0e
    SHA512: 4845dba287fe811659e09003eb8672514ce9855dcae733c0a13286d483b0c6605c581a3483966718a20d83a0c8ecdc7f8872003f704fd293dd55141c0698f006

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\41712320-bbc9-4425-b50e-09197d0c5de6.tmp
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: 8a787dce86fa23752277d20676c8b300
    SHA1: 95913631704923da4f709bcdeaafe2579874b1c8
    SHA256: e62071a4f4667f495e40c1e685a4f747a1869acc5641406fc5b2b9a8dcfa564b
    SHA512: f0a56897d607198c9ca2b71e904db0ccb3e58d2cd27ad734690cb7c17b0a53f9a4a9a5353686be0b41512521e5b37e78b68880fb2b6bd448666afb08d276efff

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 40bb557eab703b26bc36f8586d128df9
    SHA1: 049e02991062de63ce90d2e750c5ce0c222a1df8
    SHA256: 747bdd713cff9f565fe268b1787a851ebf93aa5009b012f64dbca34caeec38f0
    SHA512: 6952acc7cf827186f36fd2eadfe0aba93a0e8feab57b39419b270a831257f5d13354f9e931be272bda47d8bc7c40aa88aa5a28f809631a0d2de61c706eb959f3

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 82ac3d02e58ef443e7174f9b5d7d0348
    SHA1: 2769298bde530fc9e2250679c1c00ac8f6ce4069
    SHA256: 4d819f1b00b0f12188f4b333556a931680e4f18a23219553a280f605b7c07d82
    SHA512: 13ed03862d6834b952110519b86c1e535ccf33e4584bfcdbc6ea874d487ce60125038b4eba224494e01d46b1cb882a80aedc73cff915fcd06d579fc14be14f6f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 8KB
    MD5: 737210486ee1d56931ba0aea78ba91cc
    SHA1: 493dc097baea0def635cf525835c9065e31b200d
    SHA256: 1c1a64a775a3bf1067c15d769fd1ce897f1a84bc627e828af14dd22e218d55e3
    SHA512: 5dda6fabb03188d552f9d55731715cdf5fb41c51f74af7d895526c2d842202b8bd1897ec825fb9ed3ac22bfef2d40785f4df929f2cd573f95539c3eadc2985e6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 64f6264587b0f246fd4866aa51045540
    SHA1: 40d2d71f029700d89020be60868bb0869c0d456b
    SHA256: 1b099648643da239150c2cfff9965a160268f4075106a207dd9208f4b2557bb4
    SHA512: 1297ad5388dd375b990cdb13d25557324ecc1e6338eb7ef843521a8a33038d63bb32d69e5ab8004f57caa67abb08f0baabd86a682f7d9f29af453dfb8e4a1546

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 8KB
    MD5: 94406d2e30f0d331a4c59e80b33b83ae
    SHA1: 961216cb84e147a25a9dd66793d4296963e87aa1
    SHA256: 706b2afa441484c037db7919f4b8b31de8d2ba4d69de2eb838e5858ef7e09c90
    SHA512: ca1d77629da5481d8d816d34c254650b05c494553495f6e911ddc3450132aa74e01ed2b80860cc2419d80d394c9a574f3d2aef5f5d53212a62c2bda7c92158cc

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 420ddf34deb8251fa1190a3821da9014
    SHA1: 056df79a6dffed95bf849e34de10e37953badb47
    SHA256: eb96df76cfeca890651c3396f1e9d9d2f85426b5ea77b19a3a9350d6fc8b83be
    SHA512: 8a542ac463572e006e8fc0e4d0ef9f050d3b9bc2097312b6e4c6e1ced7ef28101e022c524fd10a44f97f41a69464606458fc8dcfcb60e3f0ab5412d33dd36cf9

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 9ce4d5315ba528a4941b4194384b8dd0
    SHA1: 943eee0d6b0d4e985db358fc1d0f7fb8c9cbd8a8
    SHA256: dffb300292d0a39dd0c508c0217f8bfe62817289ac6bf645b098033e2efab2e2
    SHA512: cf2de4e439bd3999b9aa27034433c2dccd230506c220c5b14692c89a8eb2bab5a17c21973069141df0f355b2552167f1b53d0ed36214f76afeb28343969a5ee1

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 8c01fd052315a3745f666453030e4aa5
    SHA1: 8ce21ddd06b016bd7be7a557227127ededecfa5c
    SHA256: 64f72aab89ff0368e976e226cad526a001eea57005fb4827baaab7ed54c3f893
    SHA512: aaf803f5f92255c6633f173af75af8eb6f89b803257296b40c85294554d7c70a9603b28dc43083f9ade5bc769cbdb4e1c4abd8d07fc41f072790a418ca26d72e

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 99KB
    MD5: 11054e7d1ae83047d071a507af243c11
    SHA1: 4cc90987f718c6f98cd017653b3785e33662ec7d
    SHA256: e54a28a4006464fa7771bdc940bec6d0560402eba8416e56a3ca1cc898f10be8
    SHA512: 4119fbe9d448e8a4fb2ca5e707051a35c7a04b73f5512366e66b4ea127fbc5954941df3baf91a6d31135a3e2b45a32875b29666c7f8caf0a36c71b99efde9d27

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 99KB
    MD5: 8daac34566e3baba45bb91d28fd0c407
    SHA1: 40de690d1085dc00de857b7abbcc2418916b6ea1
    SHA256: 2333ac0b243f43fe1fe41929a3db33957416b3f938c48840cb64a5688e34ce07
    SHA512: 9c50d4a44299b22ef0a3d2086d94b421d2555e78960d5c07a15358f2e0024e854d650be09a306ff24878fdb57ac070ff6be11d64161ea49308ec98006e0668be

  • C:\Users\Admin\Downloads\omgsoft.zip.crdownload
    Filesize: 10.5MB
    MD5: eb69150e0f3bfc15abea38fdf4df95cf
    SHA1: 838581a9ce8e41432b1581363aa8c2b55a5ea733
    SHA256: 6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
    SHA512: b75a644ce0c3329dc57bc9d24c022e4c84f7d4253792d82c342083183b753b6f78c38ffc488a4eb3f576a6b209208212d4e7a9c408b6566b9d00534ffd27d052

  • C:\Users\Admin\Downloads\omgsoft\omgsoft.exe
    Filesize: 10.7MB
    MD5: 895531f9d849155e054903e7cc466888
    SHA1: 4271c3690af27765533a3f1eb30a40d5aebf90bc
    SHA256: e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9
    SHA512: 4c72b3d45291da1eb8290f7c6ad89c71d64e48f0e717126f8729efe683558c43439091e444cc0a7f9df09a90241cebabd09153b9578f5c0e79b2ed537cd68674

  • memory/3496-62-0x00000000022C0000-0x0000000002311000-memory.dmp
    Filesize: 324KB
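Of the files listed above, only the two omgsoft entries are worth carrying as indicators: omgsoft.zip.crdownload is Chrome's in-progress name for the fetched archive, and omgsoft.exe is what 7-Zip extracted and what ran as PID 3496. The Chrome profile files (Preferences, Local State, BrowsingTopicsState, the Network state files) are sandbox noise that will match on every Chrome install, and the memory dump is a Triage artefact rather than a file on disk. The block below is an added example, not part of the report and not Triage's code: a hash sweep that carries the report's digests for the two omgsoft files and matches any file whose MD5, SHA1 or SHA256 hits the set. To let it run offline without the malware it also carries the digests of the 2-byte Network\*.tmp entry, which the example assumes (from its size and digests) to be the two-byte string "[]"; that entry is labelled benign and is only there to exercise the matcher.

```python
"""Hash-based IOC sweep carrying the digests from this report's Downloads
section.  Added example; not Triage's code and not the sample's."""
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")

# Digests copied from the report.  The two omgsoft entries are the actionable
# IOCs.  The third is Chrome's 2-byte Network\*.tmp file; this example assumes
# its digests are those of the string "[]" (an empty JSON array), and keeps it
# only so the sweep can be exercised offline.
REPORT_IOCS = {
    "omgsoft.zip.crdownload (10.5MB)": {
        "md5": "eb69150e0f3bfc15abea38fdf4df95cf",
        "sha1": "838581a9ce8e41432b1581363aa8c2b55a5ea733",
        "sha256": "6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8",
    },
    "omgsoft.exe (10.7MB)": {
        "md5": "895531f9d849155e054903e7cc466888",
        "sha1": "4271c3690af27765533a3f1eb30a40d5aebf90bc",
        "sha256": "e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9",
    },
    "Chrome Network tmp (2B, benign)": {
        "md5": "d751713988987e9331980363e24189ce",
        "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
        "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    },
}


def hash_stream(fp, algos=ALGOS):
    """Compute every requested digest in one pass, so a 10 MB payload is read once."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in iter(lambda: fp.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data, algos=ALGOS):
    return hash_stream(io.BytesIO(data), algos)


def hash_file(path, algos=ALGOS):
    with open(path, "rb") as fp:
        return hash_stream(fp, algos)


def build_index(iocs):
    """Invert the IOC table into (algo, digest) -> label for O(1) lookups."""
    return {(algo, digest.lower()): label
            for label, digests in iocs.items()
            for algo, digest in digests.items()}


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root`, hash every regular file and return (path, label) hits.
    A file is a hit if any one of its digests is in the set, so a feed that
    only carries SHA256 for some entries still matches."""
    index = build_index(iocs)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            labels = {index[k] for k in hash_file(path).items() if k in index}
            hits.extend((path, label) for label in sorted(labels))
    return hits


def demo():
    """Constructed directory: one file reproducing the report's 2-byte Chrome
    artefact and one unrelated file; the sweep must flag only the former."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "41712320.tmp"), "wb") as f:
            f.write(b"[]")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"unrelated content")
        return [(os.path.basename(p), label) for p, label in sweep(root)]


if __name__ == "__main__":
    for name, label in demo():
        print(f"HIT {name}: {label}")
```

Point `sweep()` at a user's Downloads directory to check for the archive or the extracted binary; a hit on the omgsoft.exe entry is the on-disk confirmation of the "Executes dropped EXE" signature above, and a hit on the .crdownload entry means the download completed but was not (yet) renamed or extracted. Hash matching is exact-file only, so a repacked build of the same stealer will not match; treat a miss as absence of this specific file, not of Lumma.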