Analysis

  • max time kernel
    295s
  • max time network
    297s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2024 15:03

General

  • Target

    decrypted.exe

  • Size

    11.7MB

  • MD5

    53ce8ea949f61a9b11651c8eafecff76

  • SHA1

    5cb51086968929125d0615739c380ff142e6ff55

  • SHA256

    58e38db883597286180f4a5bb97386c6b8c5c400a8b1ca7254f3da7ef40acf9c

  • SHA512

    e43d409f65c8e0cda692e3c1d2e1cf221b8995de9aef84b0c1429459c7c4a27979a8ce2aba7f89557db6ab2d78a1f37b26c99a7f90636e7e606c49c6a3715c73

  • SSDEEP

    196608:g0hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhv:gXsJYxjo42bIImyaBFmY4ceu+C+n

Malware Config

Extracted

Family

lumma

C2

https://professitonwqu.shop/api

https://mobbipenju.store/api

https://eaglepawnoy.store/api

https://dissapoiznw.store/api

https://studennotediw.store/api

https://bathdoomgaz.store/api

https://spirittunek.store/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
    "C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\is-KO7JT.tmp\decrypted.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KO7JT.tmp\decrypted.tmp" /SL5="$80054,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\decrypted.exe
        "C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2516
        • C:\Users\Admin\AppData\Local\Temp\is-4LHIJ.tmp\decrypted.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-4LHIJ.tmp\decrypted.tmp" /SL5="$E0050,11050682,1125376,C:\Users\Admin\AppData\Local\Temp\decrypted.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4636
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1072
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2744
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:3256
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4552
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:924
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:3652
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1472
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3732
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:2988
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3268
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4012
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:436
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1496
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2072
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:628
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2256
                      • C:\Windows\system32\tasklist.exe
                        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                        6⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1344
                      • C:\Windows\system32\find.exe
                        find /I "sophoshealth.exe"
                        6⤵
                          PID:1080
                      • C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
                        "C:\Users\Admin\AppData\Local\fragaria\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\fragaria\\VSIXConfigurationUpdater1.a3x"
                        5⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:4120
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\RopfISG.a3x && del C:\ProgramData\\RopfISG.a3x
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4756
                          • C:\Windows\SysWOW64\PING.EXE
                            ping -n 5 127.0.0.1
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            • Runs ping.exe
                            PID:4420
                          • C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe
                            AutoIt3.exe C:\ProgramData\\RopfISG.a3x
                            7⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Checks processor information in registry
                            • Suspicious use of WriteProcessMemory
                            PID:1060
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              8⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:4940
                              • C:\Users\Admin\AppData\Local\Temp\tmpE6BE.tmp.exe
                                "C:\Users\Admin\AppData\Local\Temp\tmpE6BE.tmp.exe"
                                9⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2876

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\is-9P47R.tmp\_isetup\_iscrypt.dll

                Filesize

                2KB

                MD5

                a69559718ab506675e907fe49deb71e9

                SHA1

                bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                SHA256

                2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                SHA512

                e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

              • C:\Users\Admin\AppData\Local\Temp\is-KO7JT.tmp\decrypted.tmp

                Filesize

                3.4MB

                MD5

                edf47d593acf0e39438d621e8357ad34

                SHA1

                5732a17515b0112ce47637393043a1a2e4836218

                SHA256

                5f0f2e763c33ef0d3bb30041927a39191a257b533e16f1f89bf2939d669c9412

                SHA512

                8f49244aa4d4ba31ecef404b9f42b7e9798951a8065dea3699e10464ab676f72227c3084e51c7c256e385605cfa95a35bd88fff01477ecf426153ffcf2f9994f

              • C:\Users\Admin\AppData\Local\Temp\tmp12E9.tmp

                Filesize

                20KB

                MD5

                a603e09d617fea7517059b4924b1df93

                SHA1

                31d66e1496e0229c6a312f8be05da3f813b3fa9e

                SHA256

                ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

                SHA512

                eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

              • C:\Users\Admin\AppData\Local\Temp\tmp131B.tmp

                Filesize

                20KB

                MD5

                49693267e0adbcd119f9f5e02adf3a80

                SHA1

                3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                SHA256

                d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                SHA512

                b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

              • C:\Users\Admin\AppData\Local\Temp\tmpE6BE.tmp.exe

                Filesize

                5.1MB

                MD5

                40ec60bf0761652fc0f5cc888128acff

                SHA1

                1fde0d7c443e47efbcd26135b8bdf961bec46a89

                SHA256

                0d7341486b8814c8de2dd5660308e103f293d707da933289ca709ce0be39507e

                SHA512

                7a863d1322947c0781ea839a918ac018d34545a75d2eb61612cea3aadf43f2221d8e993bc0f2a0c8b8f4f5250245142ca9a61d2573a305ea21a38b01e692ef85

              • C:\Users\Admin\AppData\Local\fragaria\AutoIt3.exe

                Filesize

                921KB

                MD5

                3f58a517f1f4796225137e7659ad2adb

                SHA1

                e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                SHA256

                1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                SHA512

                acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

              • C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater.wav

                Filesize

                939KB

                MD5

                c25a5d1ff98e3558b128797de0f7ede8

                SHA1

                e6b742ba4fa0836f16b135ab530391ea52e7a83c

                SHA256

                7344920e5ee6ff4f75013be233fea20b872bd4d9adcf0434eaeebcba79099819

                SHA512

                f515507befee96cf2f86db0db2c8dda831063900729e0449df0f32a88c76c7752ee364d5d1e072175b5a9eccd6f54f72e5c08656b5bf8d711a414ceda91aa5c0

              • C:\Users\Admin\AppData\Local\fragaria\VSIXConfigurationUpdater1.a3x

                Filesize

                60KB

                MD5

                292aad866f9decedfdb2b3126fab6061

                SHA1

                ea5273f207b22196dbed7e1ddc691ce4418a6d87

                SHA256

                5da1f6349763ccbf7ada3167e0a8e1eeeb158c6cdd0b2aee8f9278812be0d59b

                SHA512

                750573570f029858d689836c8ec7e49f9e3646783adeb34597a7cfd6411a86b2aa060626e7ed9d97ec7dac15d295b36ed03225fdd4238aad59cf2851c91a0119

              • memory/1288-15-0x0000000000AA0000-0x0000000000E20000-memory.dmp

                Filesize

                3.5MB

              • memory/1288-6-0x0000000001010000-0x0000000001011000-memory.dmp

                Filesize

                4KB

              • memory/1612-17-0x0000000000EE0000-0x0000000001001000-memory.dmp

                Filesize

                1.1MB

              • memory/1612-0-0x0000000000EE0000-0x0000000001001000-memory.dmp

                Filesize

                1.1MB

              • memory/1612-2-0x0000000000EE1000-0x0000000000F89000-memory.dmp

                Filesize

                672KB

              • memory/2516-13-0x0000000000EE0000-0x0000000001001000-memory.dmp

                Filesize

                1.1MB

              • memory/2516-178-0x0000000000EE0000-0x0000000001001000-memory.dmp

                Filesize

                1.1MB

              • memory/2876-256-0x0000000000400000-0x0000000000922000-memory.dmp

                Filesize

                5.1MB

              • memory/2876-254-0x00000000025D0000-0x000000000262E000-memory.dmp

                Filesize

                376KB

              • memory/4636-21-0x0000000001170000-0x0000000001171000-memory.dmp

                Filesize

                4KB

              • memory/4636-175-0x0000000000940000-0x0000000000CC0000-memory.dmp

                Filesize

                3.5MB

              • memory/4940-189-0x0000000004A50000-0x0000000004AE2000-memory.dmp

                Filesize

                584KB

              • memory/4940-193-0x0000000004C90000-0x0000000004CE0000-memory.dmp

                Filesize

                320KB

              • memory/4940-194-0x0000000004B60000-0x0000000004B6A000-memory.dmp

                Filesize

                40KB

              • memory/4940-195-0x0000000005D00000-0x000000000622C000-memory.dmp

                Filesize

                5.2MB

              • memory/4940-196-0x0000000005850000-0x000000000586E000-memory.dmp

                Filesize

                120KB

              • memory/4940-197-0x0000000005940000-0x00000000059A6000-memory.dmp

                Filesize

                408KB

              • memory/4940-192-0x0000000004BB0000-0x0000000004C26000-memory.dmp

                Filesize

                472KB

              • memory/4940-191-0x0000000004E60000-0x0000000005022000-memory.dmp

                Filesize

                1.8MB

              • memory/4940-221-0x00000000078A0000-0x00000000078AA000-memory.dmp

                Filesize

                40KB

              • memory/4940-223-0x0000000004D00000-0x0000000004D12000-memory.dmp

                Filesize

                72KB

              • memory/4940-224-0x0000000004D60000-0x0000000004D9C000-memory.dmp

                Filesize

                240KB

              • memory/4940-190-0x00000000050A0000-0x0000000005644000-memory.dmp

                Filesize

                5.6MB

              • memory/4940-188-0x0000000000400000-0x00000000004C6000-memory.dmp

                Filesize

                792KB

              • memory/4940-187-0x0000000000400000-0x00000000004C6000-memory.dmp

                Filesize

                792KB