Analysis

  • max time kernel
    92s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-11-2024 10:22

General

  • Target

    Release/Xeno.exe

  • Size

    1.0MB

  • MD5

    c7581deaff2cb6b2a04301e7eed178d1

  • SHA1

    9a5fc31cf91344cfe29ffe31b013c0bff72b707b

  • SHA256

    a37b5f789d4b44a83ed1e9de6b2d4da18072c8a5e31494fcd1a302a9e0f4ab12

  • SHA512

    f599f7e49c48cef40be2a8aa1f4d7965aaea6da1934c8b459553ad789b78b6b01d6b499df18e4bb297a18da32d62bb61212b17d97a5021f0d38d8b7c96f6d57d

  • SSDEEP

    24576:ijhLIH1HVUfSHSpAjPBQZpVRJOLCroyoBz4ge:MqH11VyocRkLC8ysz4z

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://financiauglyk.cyou/api

https://thicktoys.sbs/api

https://3xc1aimbl0w.sbs/api

https://300snails.sbs/api

https://faintbl0w.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Sufficient Sufficient.cmd & Sufficient.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:116
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1084
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:996
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4696
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 720301
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1460
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "VegetarianBoobsProvinceApplications" Continuing
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3380
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Networks + ..\Immigration + ..\Cgi + ..\Insertion + ..\Headers + ..\Plastics Q
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1924
      • C:\Users\Admin\AppData\Local\Temp\720301\Af.pif
        Af.pif Q
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1716
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\720301\Af.pif

    Filesize

    921KB

    MD5

    78ba0653a340bac5ff152b21a83626cc

    SHA1

    b12da9cb5d024555405040e65ad89d16ae749502

    SHA256

    05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

    SHA512

    efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

  • C:\Users\Admin\AppData\Local\Temp\720301\Q

    Filesize

    473KB

    MD5

    492a40dc62f5c0c66b904bbfe7479433

    SHA1

    176e0292b637e5dbb12f2c51303a1ebea250ccb2

    SHA256

    a9ab82ef3f7873f747adb0f83c72d2400758c88979c98997f5742d1714c3f967

    SHA512

    cea5235a8a8d410a3c8fdb530adec2e7e8dd7519b85e236e541f3d725efefbd3aaff496a55625528ab167699976f2970f47bc182b7dd55cd3e82eab4e5fb391f

  • C:\Users\Admin\AppData\Local\Temp\Cgi

    Filesize

    82KB

    MD5

    39620223462a6f9ce0752f5ca3c2f4aa

    SHA1

    22f3a0b4e7c0e9527cd56b76526cd2ead3365709

    SHA256

    c98c5bd18e9426a25e1f2c8d447a1467fb3146f020d2652be69317c3f062f29e

    SHA512

    f8ba5839645ce29d051f7ce6318aa3af573806f1b2d7d10e957b1b1ebed198f405c03fe6adb4a4b0edd0a5c307f49929f5106659ddedacee994a7a967b4450ea

  • C:\Users\Admin\AppData\Local\Temp\Continuing

    Filesize

    17KB

    MD5

    510efb15198403472ea2c4f8a4d038f8

    SHA1

    1a92c910dfa5d0e1ea88d22b112fade0f3fc3a33

    SHA256

    d80259d59d1e66a080af7f1d053e3640abebb8f6bfe2a5aab7612703eb9d1a85

    SHA512

    3982f07260cdc57bb6d9124e61c14d1216c428309418e5f532649fd18e7820e6d172016b7677ac07bfa0386ce9c554959ae7cdcbc5643fe1b1d1c1578159e784

  • C:\Users\Admin\AppData\Local\Temp\Headers

    Filesize

    80KB

    MD5

    7caa8114f6b6811129eaa1279455b788

    SHA1

    2dba419876bd031b990d40049c48bc916449f797

    SHA256

    90295dfd575ead9a4a8e95c850eae249300ab930d188a32378dbf5945c8a708c

    SHA512

    0e6ac3ae43a258f76984b1a3224c9bc9e9ce4eeaa2824d73220bec0828bde0025bd5342df3384143ccde9768763a06b0f8f8506f648d54850fc171e9f37707e9

  • C:\Users\Admin\AppData\Local\Temp\Immigration

    Filesize

    88KB

    MD5

    cb5b2c31ede8feb58e6abe2753a6c39a

    SHA1

    1a28c52a991247012f16a5b5869a7adfae08f104

    SHA256

    725080ee2795da5d11778bfa65a3d4e6f5a2d5b23bd96877814aa2da4f410976

    SHA512

    c312cdc9d56f0ecb4d411a6ee2fa0ae3edc7c8d8fbb05c967e5552052d35661f59aac21bb6538c954b0cb0a308e9ff6a3a122e87d7ce8c27f4b7984bc90b2a2e

  • C:\Users\Admin\AppData\Local\Temp\Insertion

    Filesize

    71KB

    MD5

    c4758caf508433c8552e2e42b5b26703

    SHA1

    8e8c261160459aeff69a991bd9eadd0a0c5a8894

    SHA256

    8063f6b97a66957d5366d306e55584e6e8cd3801f46a4f69700addab78d3421f

    SHA512

    088ace94863287fb82803bac41d4a17d77e6e23a65f1868204f46121aec70a3713368c35ca60fd392ca6e30dca5045eb70dad7fa53cb9e7d59e3d02f6eba9be0

  • C:\Users\Admin\AppData\Local\Temp\Kentucky

    Filesize

    903KB

    MD5

    dde5bab95c3f57d28b925532086d0556

    SHA1

    26fdd5fe71bfe0c149b2adc1696768e850258ce4

    SHA256

    9367e8ba3dc3fe5c6062d501d3a881f163fb08d5ce07f9f77865b23278ceb1c9

    SHA512

    4617154e1e2eda03ea5b07f1204b91b23edb160ab6ee7dca97df76450960374b85b8f23822e02ee87e37c2fe9583d37c2f1b3587ba77f16ba3ff0a5e5fc8fad3

  • C:\Users\Admin\AppData\Local\Temp\Networks

    Filesize

    98KB

    MD5

    abda13de932bcb2c0f12f26b68599d7f

    SHA1

    a27f131dea283556e76849de070dc4df2a07e408

    SHA256

    2d600926f2bb72023f1e9330131f795a953ebfd8286ae9b36929e6e8b903bdd3

    SHA512

    b0b247841dc64cc65e35a2de29710faf96819e2aa639c17f1797cc735afb6e6671250669acc27e76ccc0c427b7826fce9b0ac2168020148e0efb9bdf74f12d9e

  • C:\Users\Admin\AppData\Local\Temp\Plastics

    Filesize

    54KB

    MD5

    4a9d11868425359ae68808dd1354da69

    SHA1

    9446d29147e6538caef24faa4c63f3405e448eab

    SHA256

    6f133efcf577fc97e301992c9ef7ed3008ad6023403cd48960cc546632d62bc4

    SHA512

    35b8dc30d8cd1b30be893db7cdc719bdc149ebeaa9613c62acf67068cce2c22939767449739b8f03fa58806c1e6fe9fbfd21aa906f422d75d608e093b3d2f9e0

  • C:\Users\Admin\AppData\Local\Temp\Sufficient

    Filesize

    7KB

    MD5

    b47f1e1763dca7643b4bd29057f2a3f7

    SHA1

    2212f08c6efa9549c0de09e1aa73e99adabb50f0

    SHA256

    f5774c1fa7c8bb8696f79f05aa7175e3bb7f7c01a1c8498576ba62ff69fb4722

    SHA512

    39a1e0cee8ab3f2995dc9c20ddb48383b9eeca391d6f16e6596eff0aac0dbcc40b5d57cfbf60b559f00cd44f97d5114cc39c6fa8c3b211236cbaba806861a796

  • memory/1716-205-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB

  • memory/1716-207-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB

  • memory/1716-206-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB

  • memory/1716-210-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB

  • memory/1716-209-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB

  • memory/1716-208-0x0000000000610000-0x0000000000669000-memory.dmp

    Filesize

    356KB