Overview

overview

10

Static

static

3

Bootstrapper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/09/2024, 17:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    104KB

  • MD5

    4602690571ce74ace4458896a31ce202

  • SHA1

    5478b08a3a6c8c6762a4628d5a66a32a573c7771

  • SHA256

    ff2fce8e75f0f7261ddef3a3785943cc97623edb1e632ed935c8619f2adc7325

  • SHA512

    0c4fbfea7274eb799cfe6a3a8aec81f011182f3077da6778b1e3ea1c71917639198fde8e2662411894ea788686c3f53c7e2b68c00e2e7d1d2b3f112ceac189b7

  • SSDEEP

    3072:YuElCyYwC+M2FE6CyYwC+M2FE+80IZOAr:YZlhY7X2K6hY7X2K+h

Score
10/10
lummadiscoveryexecutionstealer

Malware Config

Extracted

Family

lumma

C2

https://tenseddrywsqio.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Resourse\herasf.exe
      "C:\Resourse\herasf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1444
        3⤵
        • Program crash
        PID:4256
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Resourse'"
    1⤵
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1376
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
    1⤵
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4068
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    1⤵
    • Process spawned unexpected child process
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5076 -ip 5076
    1⤵
      PID:4760
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2264
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\InvokeSet.xla"
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2464

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Resourse\herasf.exe
              Filesize

              1.2MB

              MD5

              e27eafded26de61f55941d55a23b0234

              SHA1

              db7c9d0e3228ed2111ac8113d10891fcf258e5be

              SHA256

              25474a5d32985adc30f8ed8405648b2b500538906405a1ad7a23612864a5f6ba

              SHA512

              fefae9b8fd1e5015853af246bbb256eadf0bad95221980dbde476c56dbc8e6ae85273c894c946ea079c6524fef5f52607a8b1feb26f59e563e838cfb93c436f1

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              6d3e9c29fe44e90aae6ed30ccf799ca8

              SHA1

              c7974ef72264bbdf13a2793ccf1aed11bc565dce

              SHA256

              2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

              SHA512

              60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              d28a889fd956d5cb3accfbaf1143eb6f

              SHA1

              157ba54b365341f8ff06707d996b3635da8446f7

              SHA256

              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

              SHA512

              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skczx0lh.jmn.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
              Filesize

              433B

              MD5

              89c87f885a9eb97944c2f68bfc1d929f

              SHA1

              ab2068c9741a364209fc229704f42dd267bdbb22

              SHA256

              2ae83a243c95c06e16454c2ed3567d48ea2e24ae77c90e61f3c01cad80d7ac1e

              SHA512

              dc66384aea47fce70bdcdc4c44ea62f13f181e3b4d2203fcd0fa96abfb12a54ad0594cd777d53bf70451bb6ffcc5c2d07707fc7b524b2d5eae4725604b7d5c46

              Download Submit

            • memory/1120-21-0x000001E41FA80000-0x000001E41FAA2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2464-68-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-69-0x00007FF8AFEC0000-0x00007FF8AFED0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-67-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-66-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-70-0x00007FF8AFEC0000-0x00007FF8AFED0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-65-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-103-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-102-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-105-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-104-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2464-64-0x00007FF8B2230000-0x00007FF8B2240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4068-9-0x00007FF8D2F23000-0x00007FF8D2F25000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4068-47-0x00007FF8D2F20000-0x00007FF8D39E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4068-10-0x00007FF8D2F20000-0x00007FF8D39E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4068-20-0x00007FF8D2F20000-0x00007FF8D39E1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5064-59-0x000000000C4E0000-0x000000000C572000-memory.dmp

              Filesize

              584KB

              Download

            • memory/5064-6-0x0000000009300000-0x000000000930E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/5064-1-0x0000000000210000-0x000000000022E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/5064-63-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5064-2-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5064-48-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5064-50-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5064-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5064-8-0x000000000A9D0000-0x000000000AA36000-memory.dmp

              Filesize

              408KB

              Download

            • memory/5064-7-0x000000000AED0000-0x000000000B474000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/5064-49-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5064-5-0x0000000009320000-0x0000000009358000-memory.dmp

              Filesize

              224KB

              Download

            • memory/5064-4-0x0000000074A10000-0x00000000751C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/5064-3-0x00000000092A0000-0x00000000092A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/5076-60-0x0000000000710000-0x0000000000ACC000-memory.dmp

              Filesize

              3.7MB

              Download

            • memory/5076-61-0x0000000000710000-0x0000000000ACC000-memory.dmp

              Filesize

              3.7MB

              Download