Analysis

  • max time kernel: 148s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-11-2024 23:33

General

  • Target: 15833f92c23ba3afbba0f4f273274452.exe
  • Size: 2.4MB
  • MD5: 15833f92c23ba3afbba0f4f273274452
  • SHA1: f9f68f691644f7be60128ede3005699e7d6f4941
  • SHA256: 7aa7c19de5eaa2409006038a7d0d7423dd0c7d9b3d9514ffb8d790e4fdc51d2c
  • SHA512: cfe3e16c91e9013c259dcd52527bc458d33b568459995238d8356abf4bb2438a425aa01d517f0ca16e096b80114e6af234dde43cc4ce082f75163f52660f1690
  • SSDEEP: 49152:vslBubuANjnMenjn+TH2dfdWVOm+C8tNPd1Zyiu+vbFxqiedJBBmUdP:vslgb9lMkhd1WYmpktd1ZDvbTqRfBrdP

Malware Config

  • Extracted
    Family: warzonerat
    C2: 162.230.48.189:56001

  • Extracted
    Family: lumma
    C2:
      https://goalyfeastz.site/api
      https://contemteny.site/api
      https://dilemmadu.site/api
      https://authorisev.site/api

Signatures

  • Lumma Stealer, LummaC

    Lumma, or LummaC, is an infostealer written in C++ and first seen in August 2022.

  • Lumma family
  • Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

  • Warzonerat family
  • Warzone RAT payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (1 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (45 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
        "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
          "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
          3⤵
            PID:3060
          • C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
            "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
            3⤵
              PID:548
            • C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe
              "C:\Users\Admin\AppData\Local\Temp\15833f92c23ba3afbba0f4f273274452.exe"
              3⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4152
              • C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
                "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2880
                • C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
                  "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
                  5⤵
                  • Executes dropped EXE
                  PID:1452
                • C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
                  "C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe"
                  5⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1808
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1264
                    6⤵
                    • Program crash
                    PID:5568
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 272
                  5⤵
                  • Program crash
                  PID:1304
              • C:\Users\Admin\AppData\Roaming\rBr8y66SWW.exe
                "C:\Users\Admin\AppData\Roaming\rBr8y66SWW.exe"
                4⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Drops startup file
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2308
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 288
              3⤵
              • Program crash
              PID:1972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2148
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 896 -ip 896
          1⤵
            PID:1732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2880 -ip 2880
            1⤵
              PID:4040
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1808 -ip 1808
              1⤵
                PID:5516

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\MkH1oeeWOE.exe
    Filesize: 689KB
    MD5: 4936c0448e4102ef927a39dbf8091a28
    SHA1: d633d0a36ff0b44dc46055ad46f88f2bf4e8cbd1
    SHA256: 89e63f0332e999a1a687c00809b8dc74bbea5a3f4e073b9bf6e5d263e4841f25
    SHA512: 02f068e64bde6d398d9e4847ed25930b07b1dc01a2e18efa4df380bcf01824c32936c11ce58e3de3e5c9a4d2cb42e1c888f33dd065877cb753f4125a0528deba

  • C:\Users\Admin\AppData\Roaming\rBr8y66SWW.exe
    Filesize: 1.1MB
    MD5: 95a0dff56d70a7b7adcffa913f972068
    SHA1: 58ce4ea22d1f6a16a062748c163165f10ed9f4d5
    SHA256: 957aea30bdec9201f6017668fd3dea7af4232a74da1e0316162acdd9f633eb8b
    SHA512: 17c547f275a90dbf75ec84cd05eb5cde9effad970962ddb09b362a26ffa0aedc080ba4208cecb995ec9e0ffa5a64c503c5b89fe9e79adfd6cb0bb5eb165ea276

  • memory/896-0-0x0000000000B09000-0x0000000000B0A000-memory.dmp (Filesize: 4KB)
  • memory/2148-1131-0x0000000000400000-0x000000000055C000-memory.dmp (Filesize: 1.4MB)
  • memory/2148-1125-0x0000000000400000-0x000000000055C000-memory.dmp (Filesize: 1.4MB)
  • memory/2308-65-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-34-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-1112-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-27-0x000000007533E000-0x000000007533F000-memory.dmp (Filesize: 4KB)
  • memory/2308-63-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-30-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-31-0x0000000005D60000-0x0000000005E56000-memory.dmp (Filesize: 984KB)
  • memory/2308-33-0x0000000005EF0000-0x0000000005F82000-memory.dmp (Filesize: 584KB)
  • memory/2308-32-0x0000000006400000-0x00000000069A4000-memory.dmp (Filesize: 5.6MB)
  • memory/2308-51-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-91-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-89-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-87-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-85-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-83-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-81-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-79-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-77-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-75-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-71-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-69-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-1108-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-67-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-29-0x0000000005C60000-0x0000000005D56000-memory.dmp (Filesize: 984KB)
  • memory/2308-1110-0x0000000006000000-0x000000000604C000-memory.dmp (Filesize: 304KB)
  • memory/2308-1109-0x0000000005F90000-0x0000000005FF8000-memory.dmp (Filesize: 416KB)
  • memory/2308-1126-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-28-0x0000000000FD0000-0x00000000010F6000-memory.dmp (Filesize: 1.1MB)
  • memory/2308-1119-0x0000000006120000-0x0000000006174000-memory.dmp (Filesize: 336KB)
  • memory/2308-1116-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-59-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-73-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-61-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-57-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-55-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-53-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-49-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-47-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-45-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-43-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-41-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-39-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-37-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-35-0x0000000005D60000-0x0000000005E50000-memory.dmp (Filesize: 960KB)
  • memory/2308-1115-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/2308-1117-0x000000007533E000-0x000000007533F000-memory.dmp (Filesize: 4KB)
  • memory/2308-1118-0x0000000075330000-0x0000000075AE0000-memory.dmp (Filesize: 7.7MB)
  • memory/4152-2-0x0000000000400000-0x0000000000604000-memory.dmp (Filesize: 2.0MB)
  • memory/4152-5-0x0000000000AB0000-0x0000000000D10000-memory.dmp (Filesize: 2.4MB)
  • memory/4152-3-0x0000000000400000-0x0000000000604000-memory.dmp (Filesize: 2.0MB)
  • memory/4152-4-0x0000000000400000-0x0000000000604000-memory.dmp (Filesize: 2.0MB)
  • memory/4152-1-0x0000000000400000-0x0000000000604000-memory.dmp (Filesize: 2.0MB)
  • memory/4152-22-0x0000000000400000-0x0000000000604000-memory.dmp (Filesize: 2.0MB)
  • memory/4152-25-0x0000000000AB0000-0x0000000000D10000-memory.dmp (Filesize: 2.4MB)