Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    256s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/10/2024, 22:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495.exe

  • Size

    1.2MB

  • MD5

    9f2aa036b01b51f6ce185d8c2410c22a

  • SHA1

    b8fa58866b466500c34a5317d3de447bd9b4cd3e

  • SHA256

    beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495

  • SHA512

    8f23ba3a3fb85021743bd60ab873f753140495d2b3a384063b31df61c175fb6f9b836c4d22e4a39a566866a155be6c82b519b0782e380d260c04961046809c60

  • SSDEEP

    24576:eJuZ5ZXUujO41QKq3/09e3BD9QI4xCGGo9CgFTm3:4uPtcls92xy5Go9hF4

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

Extracted

Family

lumma

C2

https://beearvagueo.site/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495.exe
        "C:\Users\Admin\AppData\Local\Temp\beb7a3127427fa0560207cdb0becfebb2ed1c6d8dad335d3b3266ec741cdd495.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Jeffrey Jeffrey.bat & Jeffrey.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:504
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5024
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3096
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:428
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 527294
            4⤵
            • System Location Discovery: System Language Discovery
            PID:700
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "phisexyerrorspuzzle" Recorder
            4⤵
            • System Location Discovery: System Language Discovery
            PID:648
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Bottle + ..\Audi + ..\Duties + ..\Integral + ..\Warren + ..\Casio + ..\Sunny d
            4⤵
            • System Location Discovery: System Language Discovery
            PID:308
          • C:\Users\Admin\AppData\Local\Temp\527294\Miniature.pif
            Miniature.pif d
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4128
            • C:\Windows\SysWOW64\nslookup.exe
              C:\Windows\SysWOW64\nslookup.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4420
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DatumHub.url" & echo URL="C:\Users\Admin\AppData\Local\DatumHub Technologies\DatumHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DatumHub.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:3848

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\527294\Miniature.pif
            Filesize

            872KB

            MD5

            18ce19b57f43ce0a5af149c96aecc685

            SHA1

            1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

            SHA256

            d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

            SHA512

            a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\527294\d
            Filesize

            535KB

            MD5

            ec2a006f0d1e59fe65c60f9c5361879b

            SHA1

            69a90ff69ca89d7579c9e404925fc99bea2d9077

            SHA256

            bc1f9150833c2dd718b0d14ac0e9c4492ef5e6f54ddb1aa4b6eb812fec323bcf

            SHA512

            56371523ee1cf97603a0f35688748c41e7dffa3b9f759eb75f4471146c6f2d1c99796bb040422922aaa0ca4ef75fbbb844fe5cee11da80de35b02f162607d163

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Audi
            Filesize

            83KB

            MD5

            3262c377488e1d796c59b0a12ed324e1

            SHA1

            c1ed21fea0f2841e68e03cf85dd2aa73c6aaf39a

            SHA256

            982a434d95e0a3983acda25b54f44809747e7c3b46c9482f562c4c92cb466bd8

            SHA512

            633690ade5055972e085107e791c34bea8b201c2411078032203adcab25fbc159458f9f62333f9336422e977a470377f6983ce92f9ec7c5a7755e00b672035f6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Bottle
            Filesize

            97KB

            MD5

            2509818f86189eb152813047dd1aa904

            SHA1

            78a204e4a1633f434925c2e52c2bd6768d78ef36

            SHA256

            71edaeee36e2a29c85dc0580a4c20d1852ec5cdc4cba10a5f60475070bbf7bf7

            SHA512

            f62fa530acc7834465c63ddb8ff461ae118f64a39914716e75121c96ee6a49337684907c440b8f717be3a9a0675ceb516db228abaa309d9777d29d094bbc24fb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Casio
            Filesize

            72KB

            MD5

            0cc1937386ba018cae3e612cdb2d346c

            SHA1

            56e8bf29ffb4502d9911caa651b483986fda14b4

            SHA256

            a3b3a73e8d91d6c8787f06f6a6b8d094d1da49832a3b067d2a709912849f83f4

            SHA512

            0f29dcd3e9130c214373ddf297dc88afe07b6b4c25fe55ab444382edeaf492d3047d0cdc2e4d544d3f15a5553f1ecb531fc9914b56a886551e63a1ff5b0939ca

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Duties
            Filesize

            66KB

            MD5

            9363f2736820a10bc5049e1aece63758

            SHA1

            617fe29c33f7693f0553b2343f7ae85e770c655e

            SHA256

            8ec3fddbf1d5d5bf9c067c3d89b3cf744ab216e1e9cc8ebf54c44b7ec4fd19be

            SHA512

            3f4802cc72fc9827d650e107309ec0545aac86e6fb9a37c4c189c942dff9349f5af5c7eba7db69b13b4883875a247b4f5ec1d76c6163df90a3a02986b9b07aa1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Integral
            Filesize

            92KB

            MD5

            e53572d2ad494aee41d5989c07727607

            SHA1

            14a610542d7396e6663864f7c35781c02ff44954

            SHA256

            9ed1a02bde74ea658d47004f36e5e5445b333aa7a0b6c39c25cd9269389daf68

            SHA512

            3c2c4f4fb11e56ed533dd66b7fe1fb4939b2122f3deddb1ca0d46d6a3b2eebc2a996197cc2082218c386d2908dcf02e98685af16a6b291bfc707f3961532fa0c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Jeffrey
            Filesize

            23KB

            MD5

            40b41729f230faa8c28b9317786898b2

            SHA1

            d26625b2df06bb74b653b1981135d2ade7eeaf1e

            SHA256

            71529389790d0def6d0808c1e03ced6450e4a3f88e63a01c77c22ce93b79fe3c

            SHA512

            358c75f41461384ef9d19b34d18cc1f85257a0ecb51fb096b731f6fa49ac38d8043bebfe72ad4d7b56d97c402f8af273dfdaa15c1a17182ffbc6e4499f737907

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Liechtenstein
            Filesize

            867KB

            MD5

            d898ef04170c81102e0b1b1554372065

            SHA1

            7078ceeef8ac6cd25171b74c3e95f82dfaacad42

            SHA256

            4715054be219f59e350efa9dc7c24df0d1a873c7ad1745e95ad0d2d8af5fe459

            SHA512

            f18d8a0d6989d1af574ace38c2562b1ee7c6efb624d25e95105d2931cd82e2a0799060f4df354ff30c4158502af5739292da30ebdf753883cee4cd513458b41e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Recorder
            Filesize

            5KB

            MD5

            003deb18901ed03ca41db0be942085f0

            SHA1

            f3bc046b67cb0866e448fd76b2638d87b9c68de3

            SHA256

            0bc723123090afb33de5af8b415dbc7a110600ee00d0400fe88231c8714ae57e

            SHA512

            6f003189bc0f657391b609ff68dc24b992c0487bd92c06857a7c32733e0e65f1b8c70d76a31f7037794463674502aafc827ff0ba240c7623b5451bd68881b546

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Sunny
            Filesize

            38KB

            MD5

            7219f1d95abb31bbe4f64c4a9a4c6618

            SHA1

            fb0aac29620b21f6a26826a5b53eaf6f5bcde224

            SHA256

            451ded112d34145c8445c72b73a07f05f34d05a357a56e5fdceaac45239b721d

            SHA512

            3d224897100412528e1c4e3fd8493df7d34279b77bce87041e2d4783c37034141f22f83604255a2ac78ae61c2c8ca2226f9e997a6511eea54d6bd29034ee8259

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Warren
            Filesize

            87KB

            MD5

            123d5dc78ba93d49eab102c18a2883ce

            SHA1

            b1331a7e9ec78bf05a4a8b84e19adda8c3908ad3

            SHA256

            b43499a7845f4a31540912909e87896c8a50e32a597a9c084e3a29ebf7b3f214

            SHA512

            6cacb9cd127fbc21bd5d039ad4e2eb9a2bb7d33631e80a81f5404a18fde04b74dfe4c6ce151ad8a29a03bb0057baf772d96ee2bc3eacb129b7a2166c8b62ccee

            Download Submit

          • memory/4420-33-0x0000000000F00000-0x0000000000F63000-memory.dmp

            Filesize

            396KB

            Download

          • memory/4420-34-0x0000000000F00000-0x0000000000F63000-memory.dmp

            Filesize

            396KB

            Download

          • memory/4420-35-0x0000000000F00000-0x0000000000F63000-memory.dmp

            Filesize

            396KB

            Download