Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 20:47
General
-
Target
Malware Code.ps1
-
Size
5KB
-
MD5
bc7784357ac3b5378743bd38c9950a73
-
SHA1
969545148c0f6f15ba7a00baa92a6466848c8e7a
-
SHA256
be5ef0d0c91f8a841bc6f588998994df25a91d5c626f20ec0f72bf2825d3947a
-
SHA512
10e1015444ee2da8552ef79f683147a9e1dc1eeb2a44d25933fcc444f0f575b7231f939232a1e2c8225986c710417b09995cebdaae18041d4bb2ac742b2bae3f
-
SSDEEP
96:uPaXFIUEQVxJXXcoG3wI1PaXFIUEQVxJXXcoG3wII:uPaXFfEGzMP3wI1PaXFfEGzMP3wII
Malware Config
Extracted
lumma
https://forbidstow.site/api
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\Malware Code.ps1"1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\DATA1053\Setup.exe"C:\Users\Admin\AppData\Roaming\DATA1053\Setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\kfqyosirg\CKVQTDQVVRZMZDXL\nc.exeC:\Users\Admin\AppData\Roaming\kfqyosirg\CKVQTDQVVRZMZDXL\nc.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\OpenWith.exeC:\Windows\SysWOW64\OpenWith.exe4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 13165⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 13405⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\DATA8739\Setup.exe"C:\Users\Admin\AppData\Roaming\DATA8739\Setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\kfqyosirg\CKVQTDQVVRZMZDXL\nc.exeC:\Users\Admin\AppData\Roaming\kfqyosirg\CKVQTDQVVRZMZDXL\nc.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\OpenWith.exeC:\Windows\SysWOW64\OpenWith.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 36081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3608 -ip 36081⤵
-
C:\Windows\system32\prevhost.exeC:\Windows\system32\prevhost.exe {914FEED8-267A-4BAA-B8AA-21E233792679} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD560e6d43578ba1d9fcb7bf86ab2dc87a6
SHA12e70d2413d99899b5a3624da7d5b63b7d54dcb4d
SHA256b482ce0447202b463a67bd027d9608dcffcbcda0c75a8bebc8e25eaa12c28e9e
SHA51275f865ee6075c4186de839041dfadac00de0ed5fc0e7600f958489146c6b8adf00244baa1884cc82fc326aac7ad7d485bc0e7786547110f8065b807ff1c24f1e
-
Filesize
1.4MB
MD5d94d579a4af0ed1f07f988bed8f33871
SHA10076e7427782ccbff03bd9af226d619c7863b836
SHA2563f20727e86b75e6589d970df06aa44831ba0af819dcab048029b6ba931cfe14e
SHA512322d040b4baeae5212295e096af5fd99e72011b68e8610c598ca6eea3dfc2c810fac5ff5e9dbfa3639664cf69ce05a79687b07aad0459e7f2ddd114892fd6759
-
Filesize
1.4MB
MD5d4741b5c722f84d837ed46b748ce8e45
SHA1d1941263207f1300ce48270c86c435049aa98413
SHA2562cd0df9756b4ee0005a4eb801dc78cf0f3311ff1cc0f3fc493822d9edfe93213
SHA512e8eb70d42ae6000ea5dfbf2aadceaedb355505051dccb2c457b801e4d7be189a29f34c32a7782f097fa46198bccb917c8a8cd4d2655688cc9af71fb9785db799
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.4MB
MD50d7908a6522185d12a08460c68205f59
SHA125a5af0c25262bfb3f879587aa42c7d52cb60db0
SHA256ae0f8b49af3d1e0b331656dce1d3c72ff6df3709cda68563550af6f48ef5987d
SHA512ba6b6a74134e4ad8e73d7029d5aae7d7e53ffcd0c3aa5722041619bac3dd05fbb98ae403207f14d67d042bfbd1c48d455cc7db904186e3e71aae3dc008ef8b11
-
Filesize
285KB
MD57fb44c5bca4226d8aab7398e836807a2
SHA147128e4f8afabfde5037ed0fcaba8752c528ff52
SHA256a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef
SHA512f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab
-
Filesize
480KB
-
Filesize
112KB
-
Filesize
2.0MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
9.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.2MB
-
Filesize
9.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
10.8MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
152KB
-
Filesize
480KB
-
Filesize
112KB
-
Filesize
2.0MB
-
Filesize
480KB
-
Filesize
2.0MB