Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-09-2024 04:37

General

  • Target

    file.exe

  • Size

    10.7MB

  • MD5

    c86bfa59db258e777196709f7ca36774

  • SHA1

    cc2d5f8ff4d5405c12b87e01ae13d79f898282f4

  • SHA256

    5659f401e9c479d51bf256092e8d7b0c00abc6286e7f3b2d7f527995a145593d

  • SHA512

    65f4d5c986364dbbb535d0179b1d2a1a595b12aa6cf332b1b3cb2283c8c90756f9250f19e5a1025f5099aa9cbeb60596449d17539fa9f77a4392c49de6256b1d

  • SSDEEP

    196608:lct7PPvR14i+krW7XWgKWTDv7El9Co1ex/PPDDXXgCU2SITN8EzopVF3KdJqyx6j:lctd1FaWgK6D59xPXgCFSITiEz9dfwgQ

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://sculpturedowqm.shop/api

https://preachstrwnwjw.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://ignoracndwko.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\is-ULHNK.tmp\file.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ULHNK.tmp\file.tmp" /SL5="$40150,10262448,812544,C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe" /VERYSILENT /NORESTART
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Users\Admin\AppData\Local\Temp\is-SOPCB.tmp\file.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-SOPCB.tmp\file.tmp" /SL5="$50150,10262448,812544,C:\Users\Admin\AppData\Local\Temp\file.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:824
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3060
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:2520
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2000
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2224
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:1900
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1616
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1936
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:1996
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2676
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1876
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:2160
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1904
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:748
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:2304
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                        PID:2316
                        • C:\Windows\system32\tasklist.exe
                          tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2644
                        • C:\Windows\system32\find.exe
                          find /I "sophoshealth.exe"
                          6⤵
                            PID:2868
                        • C:\Users\Admin\AppData\Local\bindweed\AutoIt3.exe
                          "C:\Users\Admin\AppData\Local\bindweed\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\bindweed\\premierjus.a3x"
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:664
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\z041PR7o.a3x && del C:\ProgramData\\z041PR7o.a3x
                            6⤵
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            PID:904
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 5 127.0.0.1
                              7⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:600
                            • C:\Users\Admin\AppData\Local\bindweed\AutoIt3.exe
                              AutoIt3.exe C:\ProgramData\\z041PR7o.a3x
                              7⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              PID:1704
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                8⤵
                                • System Location Discovery: System Language Discovery
                                PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA99A.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA9AC.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\bindweed\premierjus.a3x

    Filesize

    61KB

    MD5

    82c127115e8e81280f18a975c2309ba4

    SHA1

    5989b807a84380a6158b5d388843ce8671981f67

    SHA256

    bdeddaf8c7c3b7a0e42f60ee5eb1c7473da0c90b9f8a4af545825022359ae0ed

    SHA512

    d385c5b0122b3167001fbfdf0d1decbdc7733ba18eaf001e4f600a0c0d9e07ffdb90ec13faa8b33afa5a74bda64fcfe7b3bc4802110119549d85e4c49a7ce488

  • C:\Users\Admin\AppData\Local\bindweed\premierjus.avi

    Filesize

    474KB

    MD5

    758639304b680e37b69446e104e9987c

    SHA1

    ebd98600f9487ad7a56535b0420947872a73b992

    SHA256

    478ec70a2db08d05e180302b7daf1c3f95ce6379edc84aa969bacbf0d750f25e

    SHA512

    c6bdff139137c206ce1162d7d63b5181137320b1e95de8e3e336306c6d68e7153e9a708f1eb69fe3191d0ae1d358d43d2fa9d87a1a2a7a15810a71fcdd83ff36

  • \Users\Admin\AppData\Local\Temp\is-U3CH3.tmp\_isetup\_iscrypt.dll

    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • \Users\Admin\AppData\Local\Temp\is-ULHNK.tmp\file.tmp

    Filesize

    3.1MB

    MD5

    6dd0feead09d3f9b4f5b3374998e1268

    SHA1

    36b3d1fddfc31b848c0d2c902510446c64618aa4

    SHA256

    58c16d86a75182e4991dc5e79356b91157ba42a1962a2d589fa17dd766392a76

    SHA512

    96033864d1263dc45075c467b1408f3d93744fe83e47d8c62e8be133343da5720f98cce167cfef82e10a96f34a9283b93e3129dd86ec1b2a04be3af46967e25f

  • \Users\Admin\AppData\Local\bindweed\AutoIt3.exe

    Filesize

    921KB

    MD5

    3f58a517f1f4796225137e7659ad2adb

    SHA1

    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

    SHA256

    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

    SHA512

    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

  • memory/2080-15-0x00000000003D0000-0x0000000000704000-memory.dmp

    Filesize

    3.2MB

  • memory/2080-8-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/2540-190-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2540-191-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

  • memory/2656-19-0x0000000000BA0000-0x0000000000C74000-memory.dmp

    Filesize

    848KB

  • memory/2656-0-0x0000000000BA0000-0x0000000000C74000-memory.dmp

    Filesize

    848KB

  • memory/2656-2-0x0000000000BA1000-0x0000000000C49000-memory.dmp

    Filesize

    672KB

  • memory/2716-179-0x0000000001150000-0x0000000001484000-memory.dmp

    Filesize

    3.2MB

  • memory/2768-16-0x0000000000BA0000-0x0000000000C74000-memory.dmp

    Filesize

    848KB

  • memory/2768-181-0x0000000000BA0000-0x0000000000C74000-memory.dmp

    Filesize

    848KB