Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 06:52

General

  • Target

    downloader.exe

  • Size

    70.1MB

  • MD5

    dfcb8f3c04b0f4be1effc1f18c98d9ea

  • SHA1

    3c44e26a8cda8c8d4ab186f4882117f3023e7006

  • SHA256

    b550a1e40fb269d8bf54ecfb7615d3eca1d926bcafed4acadf272634a07abb29

  • SHA512

    401bffa963c428965682605e5b591a3dc743e6e28f50e4ec6ca1ccfdd4b6128f221eb431ab313ca3cdcf351f68ad680b921cc375ec067d83f72f976c1ce36f46

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qRsGg4GUo3N9:lWoI7zGP5ahWc3Imz

Malware Config

Extracted

Family

lumma

C2

https://securedosqpsn.shop/api

https://potentioallykeos.shop/api
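
The two C2 URLs above are the most directly actionable part of the extracted configuration. The script below is an added example, not part of the sandbox report: it splits each URL into hostname and path, then sweeps DNS and HTTP log lines for exact hosts, subdomains of them, and requests to the configured path. The log format and the IP addresses are constructed for the example.

```python
from urllib.parse import urlsplit

# C2 URLs from the extracted Lumma configuration in the report above.
LUMMA_C2 = [
    "https://securedosqpsn.shop/api",
    "https://potentioallykeos.shop/api",
]


def c2_indicators(urls):
    """Map each C2 hostname (lower-cased) to the URL path the sample uses."""
    ind = {}
    for u in urls:
        parts = urlsplit(u)
        ind[parts.hostname.lower()] = parts.path or "/"
    return ind


def match_host(host, indicators):
    """Return the matching C2 host for an exact or subdomain match, else None."""
    host = host.lower().rstrip(".")
    for c2 in indicators:
        if host == c2 or host.endswith("." + c2):
            return c2
    return None


# Constructed log lines in an invented format:
#   dns  <client> <queried name>
#   http <client> <method> <url>
SAMPLE_LOG = """\
dns  10.0.0.7  securedosqpsn.shop
http 10.0.0.7  POST https://securedosqpsn.shop/api
http 10.0.0.9  GET  https://example.com/api
dns  10.0.0.12 potentioallykeos.shop
http 10.0.0.12 POST https://cdn.potentioallykeos.shop/api
dns  10.0.0.3  notsecuredosqpsn.shop
http 10.0.0.3  GET  https://securedosqpsn.shop/
"""


def hunt(log_text, urls=LUMMA_C2):
    """Return (client, evidence, c2_host) for every line that touches a C2 host."""
    ind = c2_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind, client = fields[0], fields[1]
        if kind == "dns":
            c2 = match_host(fields[2], ind)
            if c2:
                hits.append((client, "dns-lookup", c2))
        elif kind == "http":
            method, url = fields[2], fields[3]
            parts = urlsplit(url)
            c2 = match_host(parts.hostname or "", ind)
            if c2:
                # A request to the configured path is stronger evidence than
                # any other contact with the host.
                evidence = "c2-path" if parts.path == ind[c2] else "host-contact"
                hits.append((client, evidence, c2))
    return hits


if __name__ == "__main__":
    for client, evidence, c2 in hunt(SAMPLE_LOG):
        print(f"{client:<10} {evidence:<13} {c2}")
```

Note that `notsecuredosqpsn.shop` is deliberately not matched: the subdomain test requires a dot boundary, so a plain substring match on the domain would overreach. C2 hostnames like these tend to be short-lived, so the file hashes listed under Downloads are the more durable indicators to track alongside them.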

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 12 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
      2⤵
      PID:880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe
        "C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3292
              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1028
                • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:436
              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:2976
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4528
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4848
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:688
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4524
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1900
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:4880
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3208
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3292
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:1452
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1584
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4464
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:4524
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4388
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2916
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:4912
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2584
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2672
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:4560
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  PID:3312
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2428
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
                  8⤵
                  PID:5084
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""
                  8⤵
                  PID:2884
                  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
                    "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4448
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
      2⤵
      PID:3144
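
Several features of this process tree are worth turning into automated checks rather than reading by eye. Every cmd.exe that `start`s notepadd.exe produces no child process, which fits the dropped file's size: at 36 bytes it cannot even hold a 64-byte DOS header, so it is not a loadable PE. WScript.exe runs run.vbs from RarSFX0 and RarSFX1, the directories WinRAR self-extracting archives unpack into. The Temp-dropped Apocalypse.exe (PID 1028) is flagged for SetThreadContext and WriteProcessMemory and spawns the Windows binary BitLockerToGo.exe (PID 436), a shape consistent with process hollowing and with the 304KB regions later dumped from PID 436. Finally, the file name the sandbox renders as Ap%D0%BEc%D0%B0lypse.exe percent-decodes, as UTF-8, to "Apоcаlypse.exe" with Cyrillic о (U+043E) and а (U+0430) in place of Latin o and a. The script below is an added example and not part of the report or the sample: TREE_TEXT is a constructed excerpt of the tree above (signature labels shortened, one process per line), and the rule names are my own.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed excerpt of the process tree above, one process per line:
#   <depth marker>|<PID>|<command line>|<signatures, ';'-separated, labels shortened>
TREE_TEXT = r'''
1|1448|"C:\Users\Admin\AppData\Local\Temp\downloader.exe"|WriteProcessMemory
2|880|C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""|
2|5052|C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe""|WriteProcessMemory
3|5096|"C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe"|Checks computer location settings;Executes dropped EXE;WriteProcessMemory
4|4992|"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"|WriteProcessMemory
5|5088|"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe"|Executes dropped EXE;WriteProcessMemory
6|3292|"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"|WriteProcessMemory
7|1028|"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Apocalypse.exe"|Executes dropped EXE;SetThreadContext;WriteProcessMemory
8|436|C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe|System Language Discovery
7|2060|"C:\Users\Admin\AppData\Local\Temp\RarSFX1\downloader.exe"|Executes dropped EXE;WriteProcessMemory
8|2976|C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""|
8|4528|C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe""|WriteProcessMemory
9|4848|"C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe"|Executes dropped EXE;System Language Discovery;AdjustPrivilegeToken
'''

TEMP_DIR = "\\appdata\\local\\temp\\"          # lower-cased path fragment of the user Temp dir
WINDOWS_DIR = "c:\\windows\\"                   # system binaries live under here
START_RE = re.compile(r'start\s+""\s+"([^"]+)"', re.IGNORECASE)
SFX_VBS_RE = re.compile(r"\\RarSFX\d+\\run\.vbs", re.IGNORECASE)


@dataclass
class Proc:
    depth: int
    pid: int
    cmdline: str
    sigs: list
    parent: "Proc | None" = None
    children: list = field(default_factory=list)

    @property
    def image(self) -> str:
        """First token of the command line, honouring quoting."""
        if self.cmdline.startswith('"'):
            return self.cmdline[1:self.cmdline.index('"', 1)]
        return self.cmdline.split(" ", 1)[0]

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> list:
    """Rebuild parent/child links from the depth markers (1⤵, 2⤵, ...)."""
    procs, stack = [], []
    for line in text.strip().splitlines():
        depth, pid, cmdline, sigs = line.split("|")
        p = Proc(int(depth), int(pid), cmdline, [s for s in sigs.split(";") if s])
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def decode_name(name: str):
    """Percent-decode a file name as UTF-8 and name every non-ASCII character in it."""
    decoded = unquote(name)
    return decoded, [unicodedata.name(c, "?") for c in decoded if ord(c) > 127]


def triage(procs):
    """Return (pid, rule, detail) findings for the patterns visible in this report."""
    findings = []
    for p in procs:
        # 1. cmd.exe 'start ""' launcher whose target never shows up as a child process
        m = START_RE.search(p.cmdline)
        if p.name == "cmd.exe" and m:
            target = m.group(1).rsplit("\\", 1)[-1].lower()
            if not any(c.name == target for c in p.children):
                findings.append((p.pid, "start-no-child", target))
        # 2. WScript.exe executing run.vbs out of a WinRAR SFX extraction directory
        if p.name == "wscript.exe" and SFX_VBS_RE.search(p.cmdline):
            findings.append((p.pid, "sfx-vbs", p.cmdline))
        # 3. Temp-dropped parent flagged for SetThreadContext spawning a binary under C:\Windows
        if TEMP_DIR in p.image.lower() and "SetThreadContext" in p.sigs:
            for c in p.children:
                if c.image.lower().startswith(WINDOWS_DIR):
                    findings.append((p.pid, "hollow-candidate", f"{c.pid}:{c.name}"))
        # 4. Mixed-script (homoglyph) file name hidden behind percent-encoding
        decoded, names = decode_name(p.image.rsplit("\\", 1)[-1])
        if names:
            findings.append((p.pid, "mixed-script-name", f"{decoded} [{', '.join(names)}]"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(parse_tree(TREE_TEXT)):
        print(f"PID {pid:>5}  {rule:<18} {detail}")
```

Rule 3 only checks the parent's signature list and the child's path, so it would also fire on a legitimate Temp-based installer that debugs a system binary; in practice pair it with the memory dumps (a private 304KB region at a low address inside BitLockerToGo.exe) before calling it hollowing. Rule 4 reports the Unicode names rather than a confusables table because the standard library has none; for production use, pair it with a confusables list such as the one Unicode publishes in TR39.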

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Obfuscasted.exe.log
    Filesize: 1KB
    MD5: 505861fca24126e2089d7e02f3935a3b
    SHA1: eb560579af7bdf7a61c6eb222f84c03f5e517e40
    SHA256: 9e668271632cc2f203099b0ff3f8872b2004a7fa01f020dafb807355c6d189ec
    SHA512: 15794393eced500ed655deebba3bb1205a7aac996c4a78a6eca2121f58dca25273336a1db7be414694eac16b03320e0ee427469f79f7d763a0320eddf0a53d26

  • C:\Users\Admin\AppData\Local\Temp\Ap%D0%BEc%D0%B0lypse.exe
    Filesize: 35.7MB
    MD5: ae346157ae99b564e458b345859aaa30
    SHA1: 8320c250a6501c158a155ab1c7b79421caf9835c
    SHA256: 334eb7b5f11d321b6d687b139af2aab847e9e3333d46a8c0bc76f87ba547895b
    SHA512: 3f6e2dec3472acb02c17d19c8ba5e9738a1f02aa15196dd7c846cb2143a0978ceb56a991b8228e4ef0f6918cb2bcb15708466572cc2bb8081aab05790ff6f36d

  • C:\Users\Admin\AppData\Local\Temp\Obfuscasted.exe
    Filesize: 104KB
    MD5: 5ea90dcd703ccbbb22a574f5cb87e787
    SHA1: 8db264cfb4f20abe2cf2fa53292dd1e93e569499
    SHA256: c56c9659ded43499a8c5b918458ce92a348f321866c5e424b568a11ff323b495
    SHA512: 9e90c94aa0619e79a1ea9012a91545e05b19d2187c5bd1035abd806bf226cbfacb82bd49e80b9d16a9d3fe68c123babd96ae5f59db68bc3609e33bea753f7175

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Apocalypse.exe
    Filesize: 34.0MB
    MD5: c9fff06d7427543315b792ae31c9b2f2
    SHA1: 517ce37e0aac209869588729fa1a571a12299eaa
    SHA256: 61ac4ba546fa0d8863f100570924994636ab73c0266590d937383736e923fca3
    SHA512: 1e0b2593e8403bd3d9f5514bb30e24adb530e9aa5876c7c2deed5f523b501356f1cab5ae765d4dd0a0382823c0fd71c4f261169552370ea425456153f494eacd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Configs\up.dll
    Filesize: 740KB
    MD5: f643e6ddd7afeed1c03ca69a8e71b66a
    SHA1: a2c6655ead23c3c4dea9171c5aff4adfeb15ea47
    SHA256: 5733dc037491e1fbbd639131ee462afb69a8fe10680e72a240eed268878bdac4
    SHA512: ad599fbeac0fdbd86ab6e2395c3d82a589e66bdfbef24870122580da4aaf534d610425da8cc82181b326b0fcb65972957c2e74430f6f950c1bc3cdc0da93671f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
    Filesize: 73B
    MD5: 174ea6d7029a1d6da818f682a48a16a7
    SHA1: 63b28bb32b323bcd4bd0c9b633be52d9afc0a3f1
    SHA256: 83cfea955b8e775a3ec2b6925bf80d830c81ecc0cd364a01993b954374d57688
    SHA512: 821cceadd53b510f5dd7488d37081836b6916c90d47c0aaf5ccefffdb5d45ed5fbc685d21424e46f794ba2d19b03130e4d4f7a8815acb744b5a2355a47d4aad9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs
    Filesize: 144B
    MD5: eee990ccf51da35c3a6109db037f64ce
    SHA1: 4e80d6c324e0220b1da42e98ef71b40f20877911
    SHA256: b9cef8f58514e3a136c7f3c6a860a76573af22e42836dcfe17dac4ee036613cf
    SHA512: 364b1ba4ed94bbec77ff9fb42f66eed8b3a5ee429554caebc26690e2c85f022d1dd62e08aa41d83a0b59e7ed50e39e705af1d01fa6924a52b0639124c171dcb9

  • C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    Filesize: 36B
    MD5: a1ca4bebcd03fafbe2b06a46a694e29a
    SHA1: ffc88125007c23ff6711147a12f9bba9c3d197ed
    SHA256: c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65
    SHA512: 6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

  • memory/436-102-0x0000000000980000-0x00000000009CC000-memory.dmp
    Filesize: 304KB

  • memory/436-100-0x0000000000980000-0x00000000009CC000-memory.dmp
    Filesize: 304KB

  • memory/1028-81-0x00007FF718440000-0x00007FF71C8B9000-memory.dmp
    Filesize: 68.5MB

  • memory/1028-99-0x00007FF718440000-0x00007FF71C8B9000-memory.dmp
    Filesize: 68.5MB

  • memory/1028-101-0x00007FF718440000-0x00007FF71C8B9000-memory.dmp
    Filesize: 68.5MB

  • memory/1900-87-0x0000000005410000-0x000000000545C000-memory.dmp
    Filesize: 304KB

  • memory/4848-70-0x0000000004AB0000-0x0000000004AFC000-memory.dmp
    Filesize: 304KB

  • memory/4848-71-0x0000000004D10000-0x0000000004E1A000-memory.dmp
    Filesize: 1.0MB

  • memory/4848-75-0x0000000006020000-0x00000000061E2000-memory.dmp
    Filesize: 1.8MB

  • memory/4848-76-0x0000000006720000-0x0000000006C4C000-memory.dmp
    Filesize: 5.2MB

  • memory/4848-69-0x0000000004A70000-0x0000000004AAC000-memory.dmp
    Filesize: 240KB

  • memory/4848-68-0x0000000004A10000-0x0000000004A22000-memory.dmp
    Filesize: 72KB

  • memory/4848-67-0x0000000005170000-0x0000000005788000-memory.dmp
    Filesize: 6.1MB

  • memory/4848-66-0x0000000000180000-0x00000000001A0000-memory.dmp
    Filesize: 128KB