Overview

overview

10

Static

static

3

2529fedf71...27.exe

windows7-x64

10

2529fedf71...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2529fedf71b1b54b4084a59546956dad83c173fe02e02700cc04b78594cf0727.exe

  • Size

    6.4MB

  • MD5

    b50c1e840e9452d6898eba3458982e88

  • SHA1

    b0144d10b4da7a3074aec23d570677f11a3201de

  • SHA256

    2529fedf71b1b54b4084a59546956dad83c173fe02e02700cc04b78594cf0727

  • SHA512

    dde0ad5cd22c0eea8faebf16bf28dcb07e3a51e46a1573ea857c7a79a832f70f750e670b1e66577c867402714b22e074de0216db9359c299615b5d73122fa0e8

  • SSDEEP

    196608:fgZ1CgmuCZ92WTs6YoQB3NhPn9PKcWkFV:fWV9CZ9n54hf9DlV

Score
10/10
cryptbotlummadiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

eihtvf18vt.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Extracted

Family

lumma

C2

https://coinnyfrownwejr.shop/api

https://racedsuitreow.shop/api

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2529fedf71b1b54b4084a59546956dad83c173fe02e02700cc04b78594cf0727.exe
    "C:\Users\Admin\AppData\Local\Temp\2529fedf71b1b54b4084a59546956dad83c173fe02e02700cc04b78594cf0727.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3628
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Users\Admin\AppData\Local\Temp\service123.exe
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4452
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1580
  • C:\Users\Admin\AppData\Local\Temp\service123.exe
    C:\Users\Admin\AppData\Local\Temp\/service123.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
    Filesize

    16.4MB

    MD5

    9a8fcf471ff5cd4b51cc4ce397b85482

    SHA1

    25b2d0fd6b1b0c8bbbfcbd46f608842cfdb59138

    SHA256

    01f29c10eddb472f8c172845d03818c780f833ce9cd8f46e1b48d046060cf98b

    SHA512

    51f5828c98ddb5bca20e3bc1b224ab8fd7d1c1cb3398d2d656d21a70d00c53df7040feda95f73ec382c4d8566f896a378e555c546846d29495524e2474b8c94f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
    Filesize

    6.4MB

    MD5

    e0f961a0645e07efae6aa9d7835d70be

    SHA1

    3e4e5c3e9770f1bf3cf2a49695d4e707e43a0336

    SHA256

    f601b36824f7e81556cd468366914c010c2ab70fc038ab9a6790d4ba94dd22d3

    SHA512

    652f1c4081c6172dd653286e71fcc153df7b796e4a0beb56df1cb791ff9e65f37cdd15891e85ca0f9799ef76cb4a33764478d7b8a8dfcf7df4bbe321cfaa37ef

    Download Submit

  • memory/1828-48-0x0000000000400000-0x0000000001064000-memory.dmp

    Filesize

    12.4MB

    Download

  • memory/1828-36-0x0000000000400000-0x0000000001064000-memory.dmp

    Filesize

    12.4MB

    Download

  • memory/1828-33-0x0000000000400000-0x0000000001064000-memory.dmp

    Filesize

    12.4MB

    Download

  • memory/3628-23-0x0000000001200000-0x0000000001263000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3628-21-0x0000000001200000-0x0000000001263000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3628-24-0x0000000001200000-0x0000000001263000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3628-34-0x0000000001200000-0x0000000001263000-memory.dmp

    Filesize

    396KB

    Download

  • memory/3628-35-0x0000000001200000-0x0000000001263000-memory.dmp

    Filesize

    396KB

    Download

  • memory/4232-58-0x00000000007D0000-0x00000000007E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4452-50-0x00000000007D0000-0x00000000007E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4452-51-0x00000000737C0000-0x00000000738EC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5076-25-0x00007FF6E6380000-0x00007FF6E743E000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5076-16-0x00007FF6E6380000-0x00007FF6E743E000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5076-15-0x00007FF6E6380000-0x00007FF6E743E000-memory.dmp

    Filesize

    16.7MB

    Download

  • memory/5076-14-0x00007FF6E6380000-0x00007FF6E743E000-memory.dmp

    Filesize

    16.7MB

    Download