Analysis

  • max time kernel
    64s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19-11-2024 21:06

General

  • Target

    special beauty 49 (miniskirt, skirt, dress), carrefour (jupe jeans..collant r @imgsrc.ru.exe

  • Size

    860.2MB

  • MD5

    a37390fa3bc3648ceeba771bf296b5c8

  • SHA1

    6404b44b96db5a2426e84d737cd1e1a7ef49a91a

  • SHA256

    91c5dbe4968ab28c2480251a70b9a67abe8a8cf915fdb567f315c1a4bf916343

  • SHA512

    5bc925ae5261782da67a2e385a65af504a02de76d5094e4c50c697cd0396b5cf0614eec81f0820923513d07829b100c872bbdcdeeac809aa78b14c2d33fd2355

  • SSDEEP

    1572864:nAFP6FHJVdhRX6S9d6mEuQRZPy+SHQpKOPYYlf:nzZ8pf

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://ch33sep3ts.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\special beauty 49 (miniskirt, skirt, dress), carrefour (jupe jeans..collant r @imgsrc.ru.exe
    "C:\Users\Admin\AppData\Local\Temp\special beauty 49 (miniskirt, skirt, dress), carrefour (jupe jeans..collant r @imgsrc.ru.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Syracuse Syracuse.cmd & Syracuse.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4664
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3144
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 767301
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Opponents + ..\Bo + ..\Ambien + ..\Cumshot + ..\Displaying + ..\Ebook + ..\Researchers + ..\Avi w
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3660
      • C:\Users\Admin\AppData\Local\Temp\767301\Observer.com
        Observer.com w
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4332
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3992
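The process tree above is the entire dropper chain, stage by stage: a dropped data file (Syracuse) is copied to a .cmd and executed; tasklist output is piped through findstr twice, looking for security-product process names (wrsa, opssvc, AvastUI, AVGUI, bdservicehost, nsWscSvc, ekrn, SophosHealth); a working directory 767301 is created; eight dropped fragments are concatenated with copy /b into a single file w; the dropped Observer.com is run with w as its argument; and choice /d y /t 5 serves as a five-second sleep. The Python script below is an added example, not part of this report or of any sandbox's code: it re-parses those command lines to tag each stage, emulates the copy /b reassembly on constructed stand-in fragments (the real fragment contents are not on this page), and checks that the fragment sizes listed under Downloads add up to the 489KB of w. The tag names, regexes, vendor attributions in comments and DEMO_FRAGMENTS are the example's own assumptions.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# (image path, command line) pairs copied from the sandbox process tree above.
PROCESS_TREE: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy Syracuse Syracuse.cmd & Syracuse.cmd'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    (r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (r"C:\Windows\SysWOW64\findstr.exe",
     'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 767301"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b ..\Opponents + ..\Bo + ..\Ambien + ..\Cumshot + ..\Displaying"
     r" + ..\Ebook + ..\Researchers + ..\Avi w"),
    (r"C:\Users\Admin\AppData\Local\Temp\767301\Observer.com", "Observer.com w"),
    (r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]

# Process names the two findstr calls look for, lower-cased. The vendor mapping is
# this example's own attribution, not something the report states: wrsa (Webroot),
# opssvc (Quick Heal), AvastUI/AVGUI (Avast/AVG), bdservicehost (Bitdefender),
# nsWscSvc (Norton), ekrn (ESET), SophosHealth (Sophos).
SECURITY_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                          "nswscsvc", "ekrn", "sophoshealth"}

# Fragment sizes in KB as listed under Downloads, keyed by file name.
FRAGMENT_SIZES_KB = {"Opponents": 89, "Bo": 60, "Ambien": 63, "Cumshot": 67,
                     "Displaying": 63, "Ebook": 92, "Researchers": 52, "Avi": 3}

COPY_B_RE = re.compile(r"copy\s+/b\s+(?P<parts>.+?)\s+(?P<out>\S+)\s*$", re.IGNORECASE)
COPY_RUN_RE = re.compile(
    r"copy\s+(?P<src>\S+)\s+(?P=src)\.(cmd|bat)\s*&\s*(?P=src)\.(cmd|bat)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_copy_b(cmdline: str) -> Optional[Tuple[List[str], str]]:
    """For `copy /b a + b + ... out` return (fragment paths in order, output name), else None."""
    m = COPY_B_RE.search(cmdline)
    if not m:
        return None
    return [p.strip() for p in m.group("parts").split("+")], m.group("out")


def findstr_targets(cmdline: str) -> set:
    """Space-separated search terms inside findstr's quoted argument, lower-cased."""
    m = re.search(r'"([^"]+)"', cmdline)
    return {t.lower() for t in m.group(1).split()} if m else set()


def classify(image: str, cmdline: str) -> List[str]:
    """Tag one process with the stages of this dropper chain it matches (tag names are ours)."""
    tags, low = [], cmdline.lower()
    if COPY_RUN_RE.search(cmdline):
        tags.append("copy-to-cmd-and-run")      # data file renamed to .cmd and executed
    if low.startswith("tasklist"):
        tags.append("process-enumeration")
    if low.startswith("findstr") and findstr_targets(cmdline) & SECURITY_PROCESS_NAMES:
        tags.append("security-product-check")   # tasklist | findstr <AV process names>
    parsed = parse_copy_b(cmdline)
    if parsed and len(parsed[0]) > 1:
        tags.append("payload-reassembly")       # copy /b joins fragments into one file
    if low.startswith("choice") and "/d" in low and re.search(r"/t\s+\d+", low):
        tags.append("sleep-via-choice")         # choice /d y /t N acts as an N-second delay
    if "\\appdata\\local\\temp\\" in image.lower() and \
            image.lower().endswith((".com", ".exe", ".scr", ".pif")):
        tags.append("dropped-executable-from-temp")
    return tags


def triage(tree: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each tag to the command lines in the tree that triggered it."""
    found: Dict[str, List[str]] = {}
    for image, cmdline in tree:
        for tag in classify(image, cmdline):
            found.setdefault(tag, []).append(cmdline)
    return found


def sizes_consistent(order: List[str], sizes_kb: Dict[str, int], output_kb: int) -> bool:
    """Do the fragments named in the copy /b command add up to the output file's size?"""
    return sum(sizes_kb[basename(p)] for p in order) == output_kb


def reassemble(fragments: Dict[str, bytes], order: List[str]) -> bytes:
    """Emulate copy /b: raw concatenation in command-line order, no separators or headers."""
    return b"".join(fragments[basename(p)] for p in order)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the eight fragments (not the real file contents).
DEMO_FRAGMENTS = {name: f"<{name}>".encode() for name in FRAGMENT_SIZES_KB}

if __name__ == "__main__":
    for tag, cmds in triage(PROCESS_TREE).items():
        print(f"{tag}: {cmds}")
    order, out = parse_copy_b(PROCESS_TREE[6][1])
    print(f"{out} <- {[basename(p) for p in order]}")
    print("fragment sizes sum to output size:", sizes_consistent(order, FRAGMENT_SIZES_KB, 489))
    print("sha256 of reassembled demo payload:", sha256_hex(reassemble(DEMO_FRAGMENTS, order)))
```

On a real host the same parse of the copy /b line gives the order in which to concatenate the recovered fragments from %TEMP%; if the result's SHA256 equals the value listed for w above (74ba764d...), the payload was rebuilt byte-for-byte. The size check is the cheap version of that test: 89+60+63+67+63+92+52+3 is exactly 489KB.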

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\767301\w

    Filesize

    489KB

    MD5

    5ce1cc9a6832021b36f0975485324cc3

    SHA1

    89a043a78a96ec2efb37edc937a5b6e1d472ecf9

    SHA256

    74ba764d1e4c5e3da89ecfa99a8fbd94af3b2dd9f5eac3788c653cf4c8772af0

    SHA512

    a85894e9a1772c9c625393bbbb7eafda75ff98e5c037a3384c6849f57cd6459ec82330542e83701c96b442c20b82b704bbf189e4caf3b3236d36db6b1cd62233

  • C:\Users\Admin\AppData\Local\Temp\Ambien

    Filesize

    63KB

    MD5

    8d2681913967561fc518dd6a5465e18b

    SHA1

    79c50f3b777aaa66c528ac3205f7ded898cac397

    SHA256

    d4b330ce0950ff152fd727cec432ecfe78bec28d3d7306f872da18093cf655ca

    SHA512

    a68e1f1feab856acde21f66509a04ba456f9ca0b95486b9b16dbaba922e6d3440e6363775e927d91f769008d0fd884c91b2b7f55c1e6471aeba3309bbf55ecee

  • C:\Users\Admin\AppData\Local\Temp\Avi

    Filesize

    3KB

    MD5

    1e336d072410b496fda87c847325983e

    SHA1

    cd4b87106840eefd7ffdb0e795f95b8b0a6d201f

    SHA256

    5b1b89b7777c134723908feeaf2cc245a8036be90260b2c856425f38d17374cf

    SHA512

    4808a4b94602a0cfca5fba496b49126781567434d4b387856f6356c38799b801cc088ae4c5d09690aec26f4dc766ec0b00205e57b18fb808b6180ddd2be55fd3

  • C:\Users\Admin\AppData\Local\Temp\Bo

    Filesize

    60KB

    MD5

    8a11bd7ad355595a592e218725b8b573

    SHA1

    30efdd168531aeee4733c0aa8675b9cf4006ec86

    SHA256

    5a9d5c712c91c26c89a5b40759fc94a2617ebfdd946228fb965e53339eb6deee

    SHA512

    16adf9b4c03520f559a054afb26a68eb866daa919c980e34237bb025e32beb526d33ed97602cf480374fa30321b29423e81bb7269344d565f46c539bfa6e4c15

  • C:\Users\Admin\AppData\Local\Temp\Cumshot

    Filesize

    67KB

    MD5

    df5d519036c96811fcc75838c11d38a3

    SHA1

    d547007a85efedf94eba6ccd911ba2124018b96d

    SHA256

    febfe13dd39ab80346b134a1a4307b4efa4ded2bf66f44fb865e280b75013f07

    SHA512

    88340669709fc991606c545ec269faee7f3da3139cca4355b4dc7bb4d8e1d2439b345e0001d7748dda5ef9313f120d48b90adb7ed20dc16340c33ae54f7124c9

  • C:\Users\Admin\AppData\Local\Temp\Dan

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\Displaying

    Filesize

    63KB

    MD5

    8d8fe0a2499564e13751f4117a713488

    SHA1

    495f6ec1241a0f4c88bbb41b00c892a89db8acd6

    SHA256

    3871b3c8247f0738934766b419b26a74d37b6315145809e710f4f04cdd9d0dd5

    SHA512

    85bec441899049d7d0c604308440d38d7a9690ff47d1aa46b253f519e0eb969ee0250d81a0033d4c8163d35c625988ae19633816b2bb81c9b614b64049cd62c0

  • C:\Users\Admin\AppData\Local\Temp\Ebook

    Filesize

    92KB

    MD5

    6e335fc879e61d36521b674139634d2d

    SHA1

    333912fe605e1f8eaebe23e4c898f0fbcd3f65cb

    SHA256

    47c9ea673c3f3dd968ac0ccea9f3ef68716f63c5610be1144f6977ad078a5cee

    SHA512

    d8a25c309d70a575ce75b23d25a7d6730fdc3f2916c7c37853559731ae18fc7159a7b3173b50c9151c3eea2ebd36065bb43b73aa1e8495353f240911cf689b48

  • C:\Users\Admin\AppData\Local\Temp\Opponents

    Filesize

    89KB

    MD5

    0d263eb80592c3da3dd0456383efd8c9

    SHA1

    0fe9e9b85cf276de179762211ac9d0198811fbf4

    SHA256

    008b346c70abf80301848d30212347d52033363fa2060e900943c9c62cf3915e

    SHA512

    e9faeb069f832aa24013b461e5ef77a57f3e6c548d30d4685531a3e19cc952f5bf09fcf7b2cfdd43567ff2f3a3597132ea259eba9ad191b9cb4f0d275881bd55

  • C:\Users\Admin\AppData\Local\Temp\Researchers

    Filesize

    52KB

    MD5

    948073fddb1dcb8e9e470cb6577990aa

    SHA1

    2c511ef74f6dbed1b50a23a44aeba54115dc0748

    SHA256

    5e4ad8a41667fe90e5dad80c2c616f23dbc5654980fd14aeb5e04cc42a0fb134

    SHA512

    7be2997df2a06394ea4f4d20c2b25286827b396e9fa54923cd696fd99cd8e6436196f2bec5963b25db206d23eaf7cc8239830f672118620e4db4767b0ae9f975

  • C:\Users\Admin\AppData\Local\Temp\Syracuse

    Filesize

    18KB

    MD5

    901ca0a6078bd68df4a5bc00046cf1ce

    SHA1

    f82e06fc210bf0541fbf1f29bfd93ab816bf50ff

    SHA256

    aad66a3cb481380f74aa40c06d101b66612607faaf14ec25d743ec3164ec0ace

    SHA512

    1cf7898f35fe9e95c7abdb75ded49710c22a170fe4a312648f3b76e1fe259a6c6af36f8c6393db6738d42d97742b886012e0c7d116e8ad2862d8393a02edb40e

  • memory/4332-446-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB

  • memory/4332-448-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB

  • memory/4332-447-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB

  • memory/4332-450-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB

  • memory/4332-449-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB

  • memory/4332-451-0x00000000045B0000-0x000000000460B000-memory.dmp

    Filesize

    364KB