Overview

overview

10

Static

static

10

aaaa.ps1

windows7-x64

3

aaaa.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aaaa.ps1

  • Size

    451B

  • MD5

    9a6ccc9afb164bff29d969bb8e6b5624

  • SHA1

    79e602dee0b7a411e5db13739b43fae1ac2c0dd3

  • SHA256

    b9f126c04bb56be08519685eb906a650027fc68931015b7202e09373766155ea

  • SHA512

    03faa5b073947f90fbba90f2292537442dc91b89c9778c3cc4ee81c5e7cc5b662558c6b30284f7fbc16ea8af7ec80ea6990b4f22f5f5620037a76789fbde11b6

Score
10/10
lummadiscoveryexecutionstealer

Malware Config

Extracted

Family

lumma

C2

https://stopruthless.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Blocklisted process makes network request 7 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aaaa.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Roaming\Extracted1\222.exe
      "C:\Users\Admin\AppData\Roaming\Extracted1\222.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:3668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5e74dd9a
    Filesize

    1.2MB

    MD5

    5a75f659ffc75a302f528fe7081777ad

    SHA1

    88bd1061283e27f2c9dfa059c724f741e92a05a4

    SHA256

    6c2ed09d1333bab38fa4380b22ecb5149b3dd361b694217402264b121c4cf7f8

    SHA512

    fdf08ed9a66d2c01f9b998477ec416c7000afc777826b0ea022f62bc521a53b1f09f724b0def1f2347a5d3a4c4d5229fdeaef35bccc44176c162e46dbfe858d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\6c3ed78c
    Filesize

    1022KB

    MD5

    55364661a5503fc418b413fca45fbb73

    SHA1

    a4656fc310d435161ec67b04877ee4c8099ec934

    SHA256

    5b6de94e26ea986ac6f92f9de2ebf0f0f0e199141da64782388b18b645125acf

    SHA512

    07662049e10ad25af09f17a32151267f4c9e35f493509c1935c3317ef55b246094df94a16a86210ff9b505a73e56f8d6d4d9431f2d8cb526f468600586ec7966

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nhj0gu0l.3og.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Extracted1\222.exe
    Filesize

    11.0MB

    MD5

    b3450f42aa8c6ed0aaca0be210da8d0a

    SHA1

    eeeaea9f807d1c99bc41f6600fe7b7acda8de22d

    SHA256

    bbceb39ab4cd6bdcb75169c0010a72be880f071728c270f31e22ab7cf28adf2b

    SHA512

    00749482865dca1429d6fbfea7642d89432d617e6523c3f1c70c9e23434b74452a775c38b0581f767575593b2f35a0385fbd12b2f0cbfd324bddd9494be054ae

    Download Submit

  • memory/2228-14-0x00007FF9A1C03000-0x00007FF9A1C05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-13-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-12-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-15-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-17-0x0000024AED430000-0x0000024AED43A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2228-18-0x0000024AEF980000-0x0000024AEF992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2228-11-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-36-0x00007FF9A1C00000-0x00007FF9A26C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-0-0x00007FF9A1C03000-0x00007FF9A1C05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-1-0x0000024AECE70000-0x0000024AECE92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2360-37-0x0000000001450000-0x0000000001451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2360-44-0x00007FF9B16C0000-0x00007FF9B1832000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2360-45-0x00007FF9B16D9000-0x00007FF9B16DA000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2360-46-0x00007FF9B16C0000-0x00007FF9B1832000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2360-47-0x0000000001450000-0x0000000001451000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2360-48-0x00007FF9B16C0000-0x00007FF9B1832000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2360-38-0x0000000000560000-0x0000000000EC8000-memory.dmp

    Filesize

    9.4MB

    Download

  • memory/3668-58-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/3668-59-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3668-61-0x0000000000180000-0x0000000000192000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3668-60-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4744-53-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4744-54-0x00000000757D0000-0x000000007594B000-memory.dmp

    Filesize

    1.5MB

    Download