Analysis Overview
SHA256
9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f
Threat Level: Known bad
The file 9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
CryptBot
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 20:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 20:26
Reported
2024-09-09 20:29
Platform
win7-20240903-en
Max time kernel
148s
Max time network
129s
Command Line
Signatures
CryptBot
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe
"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Windows\system32\taskeng.exe
taskeng.exe {0A35FC49-CF70-4C16-8980-4FB6795641BD} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | eihtv18sb.top | udp |
| US | 8.8.8.8:53 | eihtv18sb.top | udp |
| RU | 194.87.248.136:80 | eihtv18sb.top | tcp |
| RU | 194.87.248.136:80 | eihtv18sb.top | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
| MD5 | 5776392593245c0f7ffa5d05e0538b4d |
| SHA1 | e03291fc3ec8c72dd2f75d016b9829a33f2bfcc0 |
| SHA256 | f4b64977aa021edf0d72c5f93f927115f6370876b21219ad303179230db6b1c2 |
| SHA512 | f933ce9ffacfa0826eed707c1c96c54343d87c123b4a5fe6dd910cdb69c8f4e5e8ee6e373af4d6622c4b05b7abeeca822a15e97cf74c083dbbaf194a976d059c |
\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
| MD5 | cb2bd11ed77164148a475693db0b02f2 |
| SHA1 | 884a752c92c0f93c7aa2c00aa8c19684ee7b4c50 |
| SHA256 | 192378774c53b5285cffe591b070bfd303fabf2d6acdc96792b10d1233142494 |
| SHA512 | 18fd7141e7c44d0e8111dc12a6764a926db4fd7a701c13bbf3d9c76b063478274dfab87951966a585a050a96e33c20858f59d629ce27374a9c0e450aacfef1c5 |
memory/2896-31-0x0000000000400000-0x000000000106B000-memory.dmp
memory/2896-33-0x0000000000400000-0x000000000106B000-memory.dmp
memory/2896-37-0x0000000000400000-0x000000000106B000-memory.dmp
memory/2896-50-0x0000000000400000-0x000000000106B000-memory.dmp
memory/1864-52-0x0000000001160000-0x0000000001171000-memory.dmp
memory/1864-53-0x0000000074100000-0x000000007423C000-memory.dmp
memory/2128-61-0x0000000001160000-0x0000000001171000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 20:26
Reported
2024-09-09 20:29
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
CryptBot
Lumma Stealer, LummaC
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1428 set thread context of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\service123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe
"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | professinowpqqz.shop | udp |
| US | 172.67.215.93:443 | professinowpqqz.shop | tcp |
| US | 8.8.8.8:53 | 93.215.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 8.8.8.8:53 | evoliutwoqm.shop | udp |
| US | 8.8.8.8:53 | millyscroqwp.shop | udp |
| US | 8.8.8.8:53 | stagedchheiqwo.shop | udp |
| US | 8.8.8.8:53 | stamppreewntnq.shop | udp |
| US | 8.8.8.8:53 | caffegclasiqwp.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.99.85:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 85.99.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eihtv18sb.top | udp |
| US | 8.8.8.8:53 | tenntysjuxmz.shop | udp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 209.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eihtv18sb.top | udp |
| RU | 194.87.248.136:80 | eihtv18sb.top | tcp |
| US | 8.8.8.8:53 | 136.248.87.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
| MD5 | 5776392593245c0f7ffa5d05e0538b4d |
| SHA1 | e03291fc3ec8c72dd2f75d016b9829a33f2bfcc0 |
| SHA256 | f4b64977aa021edf0d72c5f93f927115f6370876b21219ad303179230db6b1c2 |
| SHA512 | f933ce9ffacfa0826eed707c1c96c54343d87c123b4a5fe6dd910cdb69c8f4e5e8ee6e373af4d6622c4b05b7abeeca822a15e97cf74c083dbbaf194a976d059c |
memory/1164-14-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1164-16-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
| MD5 | cb2bd11ed77164148a475693db0b02f2 |
| SHA1 | 884a752c92c0f93c7aa2c00aa8c19684ee7b4c50 |
| SHA256 | 192378774c53b5285cffe591b070bfd303fabf2d6acdc96792b10d1233142494 |
| SHA512 | 18fd7141e7c44d0e8111dc12a6764a926db4fd7a701c13bbf3d9c76b063478274dfab87951966a585a050a96e33c20858f59d629ce27374a9c0e450aacfef1c5 |
memory/1164-21-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1164-15-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1164-25-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1648-26-0x0000000000400000-0x000000000106B000-memory.dmp
memory/1648-28-0x0000000000400000-0x000000000106B000-memory.dmp
memory/1648-29-0x0000000000400000-0x000000000106B000-memory.dmp
memory/1648-42-0x0000000000400000-0x000000000106B000-memory.dmp
memory/4996-44-0x00000000000E0000-0x00000000000F1000-memory.dmp
memory/4996-45-0x0000000073340000-0x000000007347C000-memory.dmp
memory/4920-56-0x00000000000E0000-0x00000000000F1000-memory.dmp