Overview

overview

10

Static

static

3

Bootstrapp...2s.exe

windows10-2004-x64

10

Bootstrapp...2s.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    223s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 23:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper_1725665491503_7rgx2s.exe

  • Size

    10.7MB

  • MD5

    6ae74315bdb5b5f757005d23967bcf73

  • SHA1

    834c5b96f91e9349ae91ed4cd5cc8897f58a3fdb

  • SHA256

    66397977e36190a9f7ca77e93bfceb8e731838e5ce824bcd22222339b007891d

  • SHA512

    bf54808fd4ad33d0929868c90fc7b8cf0e9a9ab5c8507d9de676966143b8a9556dadd7ffd7365f3bbc7065ef98b0f75c78267558824df8bea4a358ef52973b77

  • SSDEEP

    196608:bQBhQLJcA1nvCB254dzRiZp+0JhLNL6XpDFvZEw5HTjoA+W+72E/inXeBRfmfR+d:bQrQtHvCYIzE+07LNKZB55zjiW+ge7ee

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://chocolatedwq.shop/api

https://condedqpwqm.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Users\Admin\AppData\Local\Temp\is-PLJJO.tmp\Bootstrapper_1725665491503_7rgx2s.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PLJJO.tmp\Bootstrapper_1725665491503_7rgx2s.tmp" /SL5="$80062,10256339,804864,C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe" /VERYSILENT /NORESTART
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Users\Admin\AppData\Local\Temp\is-97J2A.tmp\Bootstrapper_1725665491503_7rgx2s.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-97J2A.tmp\Bootstrapper_1725665491503_7rgx2s.tmp" /SL5="$80050,10256339,804864,C:\Users\Admin\AppData\Local\Temp\Bootstrapper_1725665491503_7rgx2s.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4016
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:4888
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3900
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2028
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:2972
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2744
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:852
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:1144
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4524
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:4992
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1692
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1956
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:1020
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1332
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4012
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:4492
                      • C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe
                        "C:\Users\Admin\AppData\Local\nuclear\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\nuclear\\braise.a3x"
                        5⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:3228
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\UYrjLfe8.a3x && del C:\ProgramData\\UYrjLfe8.a3x
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3800
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 5 127.0.0.1
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:3824
                          • C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe
                            AutoIt3.exe C:\ProgramData\\UYrjLfe8.a3x
                            7⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious use of WriteProcessMemory
                            PID:3132
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                              8⤵
                              • System Location Discovery: System Language Discovery
                              PID:3040
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1160
                                9⤵
                                • Program crash
                                PID:4392
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3040 -ip 3040
                1⤵
                  PID:1404

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\is-M8L3Q.tmp\_isetup\_iscrypt.dll
                        Filesize

                        2KB

                        MD5

                        a69559718ab506675e907fe49deb71e9

                        SHA1

                        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                        SHA256

                        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                        SHA512

                        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\is-PLJJO.tmp\Bootstrapper_1725665491503_7rgx2s.tmp
                        Filesize

                        3.1MB

                        MD5

                        92a8f182782b7676afc20be2333e7677

                        SHA1

                        82d7e177cb3e40add5d01b68f5ae13264afb2df8

                        SHA256

                        326db8668e61efa37036e9e7e6934b565e4d4af0454c9c3e6a9799191edabbbc

                        SHA512

                        afedb24077040b81ab761450d4bc1c680862c77291d5c5f9542e5c8cb52d3b0807d3bae02433c3362f88f8bcb5f84dd44d840546f24612e63f35204c2ae69716

                        Download Submit

                      • C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe
                        Filesize

                        921KB

                        MD5

                        3f58a517f1f4796225137e7659ad2adb

                        SHA1

                        e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                        SHA256

                        1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                        SHA512

                        acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                        Download Submit

                      • C:\Users\Admin\AppData\Local\nuclear\braise.a3x
                        Filesize

                        60KB

                        MD5

                        8e1a70b54af4c2bcc655f944bb833453

                        SHA1

                        e3364c0bc8bc33dced566816061ce84ca06f0fb4

                        SHA256

                        8e7a44ea4294d797392441f86aa2090041040c83938ff585bec1f8ccb3b20b29

                        SHA512

                        f81c34bfd738d7d7ba04a35db243c24b2c980576a756d174ab916710ed06c3f2c09f1a92866d89a6985fd6c874fbb97091e4ab188452173e1e0ff60a1b2416e4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\nuclear\braise.adt
                        Filesize

                        476KB

                        MD5

                        10e368548939707ba299e05a5a285f7a

                        SHA1

                        0c190ced4b2746d72bed6240fc4414c4a0b22add

                        SHA256

                        14458c1c57a94145e00116826e6c60e0646a9b62799ecd966b81d957b25dfc90

                        SHA512

                        1cd819c5a83c7965a8998678ab6675673f881df5cfbe7b10b24b0963954d5e85da42e7507e6fdc1d6b68175063ba600a803a56e50e6aca4a949ede4059fdbcb8

                        Download Submit

                      • memory/3040-185-0x0000000000400000-0x0000000000458000-memory.dmp

                        Filesize

                        352KB

                        Download

                      • memory/3040-184-0x0000000000400000-0x0000000000458000-memory.dmp

                        Filesize

                        352KB

                        Download

                      • memory/3168-177-0x0000000000C70000-0x0000000000D42000-memory.dmp

                        Filesize

                        840KB

                        Download

                      • memory/3168-13-0x0000000000C70000-0x0000000000D42000-memory.dmp

                        Filesize

                        840KB

                        Download

                      • memory/4452-15-0x0000000000DE0000-0x0000000001112000-memory.dmp

                        Filesize

                        3.2MB

                        Download

                      • memory/4452-6-0x0000000001720000-0x0000000001721000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4720-17-0x0000000000C70000-0x0000000000D42000-memory.dmp

                        Filesize

                        840KB

                        Download

                      • memory/4720-0-0x0000000000C70000-0x0000000000D42000-memory.dmp

                        Filesize

                        840KB

                        Download

                      • memory/4720-2-0x0000000000C71000-0x0000000000D19000-memory.dmp

                        Filesize

                        672KB

                        Download

                      • memory/5064-23-0x00000000011A0000-0x00000000011A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/5064-174-0x0000000000D00000-0x0000000001032000-memory.dmp

                        Filesize

                        3.2MB

                        Download