Resubmissions

19-11-2024 10:42

241119-mrxs5avbkd 10

19-11-2024 10:11

241119-l79besyrap 10

Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-11-2024 10:42

General

  • Target

    secrator.ps1

  • Size

    493B

  • MD5

    7cc08429b87f9aba8606e95114957b82

  • SHA1

    2ba425be1fe0f12fa419bc93c22e7a2079b0c6b7

  • SHA256

    856be8a4d18a57d625d371054956b9ff1b9824e05894530bcf843629dce33cac

  • SHA512

    91bf2f2c4090505e0606802aa64c1220729f08f1f3087cd5d4d81923d4d838a8459686a33fa60c2291398560aa47b19f697a29d067bd4cfbc4ff018c909bc4c9

Malware Config

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses powershell.exe to run a command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\secrator.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3428
    • C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe
      "C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3304
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2652
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa opssvc"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3652
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2840
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 796989
          4⤵
          • System Location Discovery: System Language Discovery
          PID:212
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "SigConsumptionDisciplinesSong" Envelope
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2576
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4352
        • C:\Users\Admin\AppData\Local\Temp\796989\Dept.com
          Dept.com I
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3868
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1968
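
The cmd.exe stage under RomanticCopyright.exe is the part of this tree worth a detection: a dropped file is copied to a .cmd and run, tasklist is piped into findstr to look for security-product process names, a numeric directory is created under Temp, the payload is stitched back together with copy /b, the dropped Dept.com is run with the result as its argument, and choice /d y /t 5 serves as a sleep. No single one of those is malicious; the combination under one cmd.exe is. The script below is an added example and is not part of the sandbox report: it runs those checks over process-creation events modelled on the tree above. The event field names (pid, ppid, image, cmdline), the ppid of the PowerShell root, the rule names and the three-rule threshold are all assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the process tree in this report.
# pid, ppid, image and command line are taken from the tree; the ppid of the
# PowerShell root (1000) and the event field layout are assumptions.
T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows\SysWOW64"


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    _ev(3428, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        rf"powershell.exe -ExecutionPolicy bypass -File {T}\secrator.ps1"),
    _ev(3304, 3428, r"C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe",
        r'"C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe"'),
    _ev(4860, 3304, rf"{W}\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd'),
    _ev(2652, 4860, rf"{W}\tasklist.exe", "tasklist"),
    _ev(3652, 4860, rf"{W}\findstr.exe", 'findstr /I "wrsa opssvc"'),
    _ev(4460, 4860, rf"{W}\tasklist.exe", "tasklist"),
    _ev(2840, 4860, rf"{W}\findstr.exe",
        'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    _ev(212, 4860, rf"{W}\cmd.exe", "cmd /c md 796989"),
    _ev(2576, 4860, rf"{W}\findstr.exe", 'findstr /V "SigConsumptionDisciplinesSong" Envelope'),
    _ev(4352, 4860, rf"{W}\cmd.exe",
        r"cmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I"),
    _ev(3868, 4860, rf"{T}\796989\Dept.com", "Dept.com I"),
    _ev(1968, 4860, rf"{W}\choice.exe", "choice /d y /t 5"),
]

# Constructed benign batch job sharing some building blocks: the chain is flagged
# on the combination, not on any one command.
BENIGN_EVENTS = [
    _ev(500, 400, rf"{W}\cmd.exe", "cmd /c copy report.txt backup.txt"),
    _ev(501, 500, rf"{W}\choice.exe", "choice /d y /t 5"),
    _ev(502, 500, rf"{W}\tasklist.exe", "tasklist"),
    _ev(503, 500, rf"{W}\findstr.exe", 'findstr /I "notepad"'),
]

# Process names the sample greps for after tasklist (the two findstr lines), lower-cased.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

COPY_TO_CMD_AND_RUN = re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I)
COPY_B_CONCAT = re.compile(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+){2,}", re.I)  # three or more parts
DROPPED_COM_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\\d+\\[^\\]+\.com$", re.I)
CHOICE_AS_SLEEP = re.compile(r"\bchoice\s+/d\s+\S+\s+/t\s+\d+", re.I)


def _image_is(event, name):
    return event["image"].lower().endswith("\\" + name)


def rule_hits(events):
    """Map each rule name to the set of pids whose event matched it."""
    by_pid = {e["pid"]: e for e in events}
    siblings = defaultdict(list)
    for e in events:
        siblings[e["ppid"]].append(e)
    hits = defaultdict(set)
    for e in events:
        cmd, pid = e["cmdline"], e["pid"]
        if _image_is(e, "cmd.exe") and COPY_TO_CMD_AND_RUN.search(cmd):
            hits["copy_to_cmd_and_run"].add(pid)
        if _image_is(e, "cmd.exe") and COPY_B_CONCAT.search(cmd):
            hits["copy_b_reassembly"].add(pid)
        if _image_is(e, "findstr.exe"):
            # `tasklist | findstr "<names>"`: both ends of the pipe are children of the same cmd.exe
            names = {tok.strip('"').lower() for tok in cmd.split()[1:]}
            piped_from_tasklist = any(_image_is(s, "tasklist.exe") for s in siblings[e["ppid"]])
            if piped_from_tasklist and names & AV_PROCESS_NAMES:
                hits["av_process_discovery"].add(pid)
        parent = by_pid.get(e["ppid"])
        if DROPPED_COM_IN_TEMP.search(e["image"]) and parent is not None and _image_is(parent, "cmd.exe"):
            hits["dropped_com_from_temp"].add(pid)
        if _image_is(e, "choice.exe") and CHOICE_AS_SLEEP.search(cmd):
            hits["choice_as_sleep"].add(pid)
    return dict(hits)


def detect_loader_chain(events):
    """Group hits under the cmd.exe that owns the stage: the matching cmd.exe itself
    for copy_to_cmd_and_run, otherwise the hit's parent. Returns {anchor_pid: {rules}}."""
    ppid_of = {e["pid"]: e["ppid"] for e in events}
    chains = defaultdict(set)
    for rule, pids in rule_hits(events).items():
        for pid in pids:
            chains[pid if rule == "copy_to_cmd_and_run" else ppid_of[pid]].add(rule)
    return dict(chains)


def flag_chains(events, min_rules=3):
    """Anchor pids under which at least min_rules distinct stages of the pattern were seen."""
    return sorted(pid for pid, rules in detect_loader_chain(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for anchor, rules in detect_loader_chain(SAMPLE_EVENTS).items():
        print(anchor, sorted(rules))
    print("flagged:", flag_chains(SAMPLE_EVENTS), "benign:", flag_chains(BENIGN_EVENTS))
```

Against the events above, all five rules land under cmd.exe PID 4860, the process that ran Uni.cmd, while the benign batch job only trips the choice-as-sleep rule and is not flagged. Correlating by parent rather than matching single command lines is what keeps the false-positive rate down: copy /b and choice /t are common in legitimate scripts, and tasklist | findstr is a standard administrator idiom.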

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\796989\Dept.com

    Filesize

    921KB

    MD5

    78ba0653a340bac5ff152b21a83626cc

    SHA1

    b12da9cb5d024555405040e65ad89d16ae749502

    SHA256

    05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

    SHA512

    efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

  • C:\Users\Admin\AppData\Local\Temp\796989\I

    Filesize

    489KB

    MD5

    35431b1f719e5f8edd3ee4c56d590bc9

    SHA1

    c4667dc8990f03e9d3410e636957d5e9c73773c7

    SHA256

    427536f6a144672b8c5cd873d89c0374dab2c6383256347eef80b291729b99b0

    SHA512

    358ea29b484c7e7d493fec6270a7d3a6147852ba68f1c1f5fd9dc277e65dc24239b3718fb1ca986f354b5ebc954dae51f1e478db9d034a6f3417f6564d967fbd

  • C:\Users\Admin\AppData\Local\Temp\Bibliography

    Filesize

    91KB

    MD5

    0124e182e6ab32c597551f987c8efc9e

    SHA1

    5b1504b161a4748cfdff1463b4a370b7ee6caf14

    SHA256

    6484dd9a145b3178a2534dd802441a7b8d08a679c3241c11395c22bfa6ba6826

    SHA512

    70e76a19d9f3382e14463e9f79dee0db404482e714f1ca9b0330ad144c055b6c6464d9be6bbb94e7e05048925b8f2dd1049276b4982722b7e8a2d8fe7e2dd010

  • C:\Users\Admin\AppData\Local\Temp\Envelope

    Filesize

    1KB

    MD5

    930b977ce8cf5c68e617c0cc083b6915

    SHA1

    07ab167616b479dd68ea9cfdad2c51d180757596

    SHA256

    cd56fdf1345808d2c8d7a099dabc0d8667581b2888fa973eba477509f7875f3e

    SHA512

    a823ba03f129037c1feb58f7f5408070f512dc0d4044cbaa5aa28295a1e7d952b4172119a1609c271273e8b31ec6aed5d4b3a570cfc5bbc3846821eb1f791814

  • C:\Users\Admin\AppData\Local\Temp\Is

    Filesize

    56KB

    MD5

    84df1af81b44c0e9ac087f6b724dbfe1

    SHA1

    c2604b423fa3a1dfd0d41fd05364f390db94e0f0

    SHA256

    649f01b11633d4f45165010db7e1150d9ddf533fb2906cc7f26ebf4d3807d2c4

    SHA512

    b69aca208184bac03392a91a04cb737772576a2e29ad8a9549d1917c88e86d2fe12e22d9d1a9d01dd08eb1fefa27c13c26a14c41a0551e75dc72f3d64ce97403

  • C:\Users\Admin\AppData\Local\Temp\Match

    Filesize

    81KB

    MD5

    cce2e35fcd13802b894592bfa8bc4832

    SHA1

    e4b2ebbcea783891bae927d45a5d20a99b0d2c57

    SHA256

    49c9f0a08d446ac52e26ec0a79578d6e8cd0363adce44af727c537c2c127f278

    SHA512

    1f2ac58895ebf1a4c3989a5d76ffac39012fe511030508bfef1c164e0d8301f5f7ce2b87381604b1fa1a0443b5f6ca59948061f7a2f7634d6cdfa0880dc33798

  • C:\Users\Admin\AppData\Local\Temp\Module

    Filesize

    86KB

    MD5

    c3a23aa50702baadcffdb632c0781eaf

    SHA1

    26adb4b06851eb66a2fc3a4b2dc29055e6291e91

    SHA256

    e27aec3fc7086af2906fbf8d5a1a17e3f6871651f2663f8e5a3f5b44dd1e7d61

    SHA512

    545aefc06ba554d32183d8e96f3eafc6204e609d95c4bc8e8bbede315ccc78605d916533fabe995dd9e50b3a0ea63d12e64445e3346dafe24267281b8ca23284

  • C:\Users\Admin\AppData\Local\Temp\Qld

    Filesize

    39KB

    MD5

    47b8c8360718381beb75b78cad9989d4

    SHA1

    b1c9ed94b846670c0fbb0322b607b3e5affce120

    SHA256

    0d7c733985efc3042c41b2b26c32b7b8ce65ff9071ebdd872c3d0520a18351ed

    SHA512

    724d7030e1fab1adc5a9798e18cf75c11159cce1e57ab493a4595bdb14b68129c46a518616c427131963a7fd06e741965faca545fc5f007ab120cf28c1fe4d98

  • C:\Users\Admin\AppData\Local\Temp\Read

    Filesize

    62KB

    MD5

    b09b69ffbbb1c92beb55c7fd798c8c66

    SHA1

    a648e5a9721d8623dd6fca06d5295d1f07b13519

    SHA256

    4b54975d3405ea89c477daa9802d93b4a56683a901039d31e8eb1218deb742fa

    SHA512

    74d6cb22483b46a36887584c97060b16a1f8b6dcc280a8d9c7456d1c8c174b61487990af0bd7426b431ca7fde197ade2f5785784d27ab4371003feaecf2bb409

  • C:\Users\Admin\AppData\Local\Temp\Standing

    Filesize

    919KB

    MD5

    4414fe8f2635b6344106903d0f52455d

    SHA1

    70f135830f92733b3f0bbdfa35b1f0e36e9e5746

    SHA256

    578f765c46f2b2842f3455c37549326a9ea665aeedf5b86f6c3ff0be1a5f1244

    SHA512

    3c818c29afc91ce177db19c91026017cb567e2e6b0727ba271d66cc5c4f107661a677abc4ea5d1c281c56b3de166ed8ceaf298fa2ecb8f50a08bc1fcb6a0c91f

  • C:\Users\Admin\AppData\Local\Temp\Uni

    Filesize

    7KB

    MD5

    df066c1e3038ff1c556a50a0782e0de1

    SHA1

    ebad7031e3b7651898e3d916d0aa0cb09397d03a

    SHA256

    cb4ca6cf393c39f6fffab51f095518826e38d4eff4fb0f42aa1fb9a4d7ef0b3a

    SHA512

    649874ac78af57207d1d06059e9e5eac3814c13910d08e9325cb500434ad4cb553cdab659db3291839523d0ae636251ac925224db04ea29dde8be41e1d8cb194

  • C:\Users\Admin\AppData\Local\Temp\Wan

    Filesize

    74KB

    MD5

    cf96668f1c4973c8b43a72d90221e4d3

    SHA1

    3b512b9979650f556936a5b0866387820d112745

    SHA256

    720160bb915923d8cf54be5d580ac5c13e67a261daf3ae65f972435dd716cd07

    SHA512

    1d9c6299cce257f780252fe4805836f4f27914a816ef89d81119e2553008083754bdb16f25f895f85e35ccb5daa5c5f79fcff2d203b40c5444c88f9fc76b276e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uscvq3gb.rt5.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\Extracted3\RomanticCopyright.exe

    Filesize

    10.0MB

    MD5

    a737e94c53a284ae8c712eb7b2a2d209

    SHA1

    a5d4113415f38413b5bcc2698e4aaf573cf8217c

    SHA256

    677b2f7ea578826adb9c0f359c6436c364f712803080b38d81ecc1f25e5b97f5

    SHA512

    ab87ef25549d4860269015d279aaf90a35bfd4c26457271a84cacf64c0a0c97d0e4c435136fb9defd2c64307d1bc1e9596ee278c868e101f6a2c657f87bd80b6

  • memory/3428-11-0x00007FF91EC90000-0x00007FF91F751000-memory.dmp

    Filesize

    10.8MB

  • memory/3428-15-0x000001D478A80000-0x000001D478A92000-memory.dmp

    Filesize

    72KB

  • memory/3428-14-0x000001D45E300000-0x000001D45E30A000-memory.dmp

    Filesize

    40KB

  • memory/3428-12-0x00007FF91EC90000-0x00007FF91F751000-memory.dmp

    Filesize

    10.8MB

  • memory/3428-0-0x00007FF91EC93000-0x00007FF91EC95000-memory.dmp

    Filesize

    8KB

  • memory/3428-30-0x00007FF91EC90000-0x00007FF91F751000-memory.dmp

    Filesize

    10.8MB

  • memory/3428-1-0x000001D45E260000-0x000001D45E282000-memory.dmp

    Filesize

    136KB

  • memory/3868-240-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB

  • memory/3868-241-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB

  • memory/3868-242-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB

  • memory/3868-244-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB

  • memory/3868-245-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB

  • memory/3868-243-0x00000000040C0000-0x000000000411F000-memory.dmp

    Filesize

    380KB
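
The copy /b line in the process tree and the Downloads entries for Wan, Module, Is, Read, Bibliography, Match and Qld describe the same step from two sides: seven opaque parts are concatenated, in the order the command gives, into I (489KB), which Dept.com then takes as its only argument. Two checks a responder would want are that the part sizes reported above add up to the reported size of I, and, on a host where the parts are still on disk, that redoing the concatenation yields the SHA256 the report gives for I. The Python below is an added example and not part of the report. The real parts are not on this page, so the demo writes seven constructed stand-in files to a temporary directory; the reported sizes are rounded to KB, so the size check is a sanity check rather than an exact one.

```python
import hashlib
import tempfile
from pathlib import Path

# Part order exactly as the sample's own command gives it:
#   copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I
PART_ORDER = ["Wan", "Module", "Is", "Read", "Bibliography", "Match", "Qld"]

# Sizes from the Downloads section (the report rounds to KB) and the SHA256 it gives for I.
REPORTED_PART_KB = {"Wan": 74, "Module": 86, "Is": 56, "Read": 62,
                    "Bibliography": 91, "Match": 81, "Qld": 39}
REPORTED_I_KB = 489
REPORTED_I_SHA256 = "427536f6a144672b8c5cd873d89c0374dab2c6383256347eef80b291729b99b0"


def parts_sum_kb(sizes=REPORTED_PART_KB, order=PART_ORDER):
    """Sum of the reported part sizes; should land on the reported size of I."""
    return sum(sizes[name] for name in order)


def reassemble(part_dir, order=PART_ORDER):
    """Byte-for-byte what `copy /b a + b + ... out` does: concatenate in the given order."""
    return b"".join((Path(part_dir) / name).read_bytes() for name in order)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_assembled(part_dir, expected_sha256=REPORTED_I_SHA256, order=PART_ORDER):
    """Rebuild I from the parts in part_dir and compare with the expected digest.
    Returns (digest, matches). Run with the default digest against real dropped parts."""
    digest = sha256_hex(reassemble(part_dir, order))
    return digest, digest == expected_sha256.lower()


def demo_with_constructed_parts():
    """Offline stand-in: seven small constructed parts (not the real ones, which are
    not reproduced on this page) so the routine can be exercised end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        blobs = {name: f"<{name}>".encode() * (i + 1) for i, name in enumerate(PART_ORDER)}
        for name, blob in blobs.items():
            (Path(tmp) / name).write_bytes(blob)
        expected = sha256_hex(b"".join(blobs[n] for n in PART_ORDER))
        digest, ok = verify_assembled(tmp, expected)
        # The same bytes joined in alphabetical order hash differently: the order in
        # the copy /b command is part of the evidence, not a detail.
        alphabetical = sha256_hex(reassemble(tmp, sorted(PART_ORDER)))
    return {"ok": ok, "order_matters": alphabetical != digest,
            "size_check": parts_sum_kb() == REPORTED_I_KB}


if __name__ == "__main__":
    print(demo_with_constructed_parts())
```

On a live host, point verify_assembled at the directory holding the dropped parts (the parent of the 796989 directory in this run) and keep the default expected digest; a match ties the on-disk fragments to the I that Dept.com executed in this sandbox run. The 74+86+56+62+91+81+39 = 489 sum matching I's reported size is consistent with a plain concatenation with no extra bytes added in between.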