Overview

overview

10

Static

static

1

007c6dfe44...12.exe

windows7-x64

10

007c6dfe44...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2024 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512.exe

  • Size

    1.3MB

  • MD5

    31f04226973fdade2e7232918f11e5da

  • SHA1

    ff19422e7095cb81c10f6e067d483429e25937df

  • SHA256

    007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512

  • SHA512

    42198fc375993a09da3c8a2766ee6831cf52ff8cd60b3eb4256a361afa6963f64a0aff49adb87c3b22950e03c8ef58a94655959771f8d2d5b754012706220f66

  • SSDEEP

    24576:VzZDpgqx9+kamgRQ+uYU8hwjxKmAERKk1LxkGTagw276kyJsAb3WIWI:VrBxbEQ+uYJqQERKk9mE/76KAbr

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://complaintsipzzx.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://languagedscie.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512.exe
        "C:\Users\Admin\AppData\Local\Temp\007c6dfe4466894d678c06e6b30df77225450225ddd8e904e731cab32e82c512.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Powell Powell.cmd & Powell.cmd & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5000
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4732
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3492
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1456
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 193997
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4432
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "JulieAppMagneticWhenever" Hist
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3508
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Medicines + ..\While + ..\Remained + ..\Bs + ..\Ak + ..\Statistical + ..\Entity + ..\Autumn + ..\Scott + ..\Keyboards y
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1476
          • C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
            Restructuring.pif y
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4520
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4936
      • C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\193997\Restructuring.pif
      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\193997\y
      Filesize

      662KB

      MD5

      d6a0473754ad77650d88eaa94cf4bcf0

      SHA1

      d2123bf8b796fe6f76e570641037d9420b3f3c78

      SHA256

      355d2dc53492ea6ba26263dd8a2f7544ae3a36c17f64cccb6ad84007bebafbb7

      SHA512

      14d844255fb657a039d4f94ddcc58acc79d44fdc58882ace49a453c537db86ceeef9a10640d83ff20af2caa0e880de3e77b7afbf2af79291873c0f81db72d3bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Ak
      Filesize

      63KB

      MD5

      2078e604090ab3f34e7254584f5b5e18

      SHA1

      6c6923837538fe0516a7395fd114c6000da29fdb

      SHA256

      9b129a2e4cef84ec4f1101524cdec497f7daeed3fda8cac227803772ebb80ca7

      SHA512

      af16f5679fc77dfd32c2bc2bfcaf80f56d633a3cb47941565f35ca84c5b385eeebd4caf8a703860a2e3b1a55a808a576a85ed0c5a6595ffa7d2fb0435dbee08f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Autumn
      Filesize

      62KB

      MD5

      452ec03a6dc9758ff5c0d17f9e55572a

      SHA1

      194df13d1dd92f3c986bb1b196eebf6e25900412

      SHA256

      bd9b030da3887b0cb821ef37aab7771d7d048c05835c3eb5ee034cd077a85cd3

      SHA512

      f2d6979ac9915991020522d4c7218e431a437d9b06b40c395923fdacc514056f01ca127f4264697f0e49faf88b15df8eb6cca80f69e0983f4af7dcda51a87f6c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Bs
      Filesize

      52KB

      MD5

      5383c87dff2feb9b2c8e93c4bed93e34

      SHA1

      1487faf6f6e098fd878f4536bb99cf8c628b12a4

      SHA256

      963b21a66a6afd24e3c8eab4e9d3fa803caca58f2f1e2cbd2e80451ab2b5bb73

      SHA512

      af6219b70b180518f7a5866e95719e23a28394b814239f38250383511b7da1d3712dbd49be75e375f66226192dfc2d46dd905f0733e6bfffe13eeac3ef9f975d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Entity
      Filesize

      75KB

      MD5

      116177ea561e297830d84e68e4851a28

      SHA1

      80545b33450655d3e5e7c055aace79a31eadd3af

      SHA256

      3570fa88359a94df74450f1be19f8fb54e566270f968254ac56b616a424b8446

      SHA512

      86e8f3dc6a9b18f4e5a9f2cb1f58baabe782ca264105967987e0eae987f00eeece800ee4f3c126b95ea471c5fd6530d11a87bb9be5a7a2c66ea473b84be6f839

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Hist
      Filesize

      486B

      MD5

      01f1ebfab9f7716fd124ef8edd32a90f

      SHA1

      85a045dab05d4c1360f97f3e3d32679e844766c8

      SHA256

      379fdc3da78974a0332ec7b4c0704d500869ab83afadeba852cd2b510aec4f80

      SHA512

      3f1300fc81667a73026fe79f4984278e65d87ba1d2ccb1833c50319f5cf5d44a6865bd9ad8cd12586e0500f99c670174b8e544e440d7d5e3be27acf2e068e8b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Keyboards
      Filesize

      2KB

      MD5

      648848687fe144ab2925ff056f85e839

      SHA1

      ad8601e28076e553bdce4b49e5585d193ce9f26f

      SHA256

      68340ba1f2afcb31904ad77653b22b19601a86d2031b39ce320611fc26a30462

      SHA512

      ff5b5d86710242944a6c5a6ba6ec29e57e561ce156022243f0d6028a8ec2eba0d6f13dcb2ab007a5c38c5f69fb8bb5816ddcead72588626a6626bb1336f77b27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Medicines
      Filesize

      63KB

      MD5

      394e00f0b18a19021b82919b0953a251

      SHA1

      3dfd4dbf28f4aa4c08c74b70662c01c950bf3ad9

      SHA256

      9d32778c46127d2af6991663c47dac68ac3424181063b44e82e3b82af73369a1

      SHA512

      b5e6c76075e19bdcbcd0ae4ccf9acb37154d84dbe1a17b9c2e40ce9e4d5b194774d608d812ae54f8f6331e255d3f1820a526eb8ad80b174babe6a39a2002f5f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Powell
      Filesize

      7KB

      MD5

      4ae2c64145fe81c75f62a1ac65904a58

      SHA1

      fd70229a1fcd534498c7179ca3a02abb6523a277

      SHA256

      315e74622a85b4dce78188b734154a595ff1a1a8cb191b2d92a95be1c0bdbc37

      SHA512

      bf81502fe99ba78b414577df49c86c98c8154f409c41ee536dcf29fe979a859e40561b3d97245ee76d9ccfc908f9a623372c77ec05b8a8e665777aae01a475a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Remained
      Filesize

      94KB

      MD5

      7eb0c07b15f6891636b5b18e6c8782eb

      SHA1

      41f132b6db4d2b5253e91d84e927995a00e96976

      SHA256

      a378de033ee73a1881a1d65e6a49686d087614d46286360698b639b62c097e84

      SHA512

      688e2327e9afb9561fb7b4e932efdd22ce56e0efdfcba80eb058cbabb6595c93216590290281a3ae34b45f623d2dd1325edfd5375f3caac129ae2d7b4777f754

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Scott
      Filesize

      96KB

      MD5

      7e600368be6cc5c03b1bf613a36885d1

      SHA1

      c0cc74598ef38940fc48ccb01fa27e9b27e80e62

      SHA256

      0b4bfde6485d29cba34de2cd28191b5fc21dfcd3aca109f68599e19a609cbe44

      SHA512

      b6b66babcadd81d4e4e5b62e778ea79acc2a48b9c0ab9bf81a7ec61f9f9ccf394bc16982b80f07b113645a24f209d68cddc733266d0f0e3d722567f120d425cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Statistical
      Filesize

      84KB

      MD5

      5822d1bc4305d9f19939768fdfbf4d31

      SHA1

      30949a77d5c66825c5255566a2c074142d114f04

      SHA256

      15ae29d30cebd36f8b499edd660444cb16e880ec5469e14c608f76a59f15faa7

      SHA512

      b474b021d0e8b405ea64bda4afef1c191834236c759a5e52fb8813fdfca14536942c9600624cfd1d675fd9e119579795c86dddabbf909eea21a585236b2489c7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stewart
      Filesize

      872KB

      MD5

      121c1acb3a03bd31c6ae1e13db4469c8

      SHA1

      e1d7be7f98ad139a0a0db4ef4014af420915ff2e

      SHA256

      1ecdd3d64dc38399a17c68412ecba9b9c1a31b9911605f22a362b4f0a1c7f21d

      SHA512

      898740bb7499b5d889c6b81b780cf76ace4ded1c50e26c6b9149fc9143724789328a937d0d6496e5838af5964813ff4d9edb0f8f696d8054ff5e03613f351583

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\While
      Filesize

      71KB

      MD5

      8d0730549c077df4608642def3a3797b

      SHA1

      70ff0d8c5a80918766cee21a944ffcf1a589c35a

      SHA256

      34c4628b7b7f34ba02bf64d730eb7e957f943dc404f2f36a543b8d406b78775c

      SHA512

      ddb2ebebc032ace041df5ff83e2a4b68086ec4f89bd8a30f36cfe6fb7909ac895c00730c47a267bf5ba31ecf5863e4108c869a9d18dab538f4c18a5ee3a3d20f

      Download Submit

    • memory/652-34-0x00000000006D0000-0x000000000072B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/652-35-0x00000000006D0000-0x000000000072B000-memory.dmp

      Filesize

      364KB

      Download

    • memory/652-37-0x00000000006D0000-0x000000000072B000-memory.dmp

      Filesize

      364KB

      Download