Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 10:18

General

  • Target

    MilwaukeeRivers.exe

  • Size

    948KB

  • MD5

    e922a4d7d2c3c937231aa937b9a2ad25

  • SHA1

    b78ade0fbd78bff01d5c86079c9224d7b87f0770

  • SHA256

    bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777

  • SHA512

    501a15eb4c5c64f2df9f454c11951907f33a834885113e14491a6823d8e3373c09523a3eedb52952aada8071dbeec88338dbdeb02a2c4d7a8e0af48eb1dbe5f6

  • SSDEEP

    24576:7gk8NlvGOgHdQFQ/Dfw/EQky/vgNs9OHYkc:WvGOgHeFODfwcC3WsSS

Score
10/10

Malware Config

Extracted

Family

lumma

C2

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
    "C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2500
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 215655
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3960
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "GeologicalAllowStoryVirtually" Commitments
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
        3⤵
        • System Location Discovery: System Language Discovery
        PID:184
      • C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
        Comparing.pif g
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1072
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3968

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif (Filesize 872KB)
  • C:\Users\Admin\AppData\Local\Temp\215655\g (Filesize 497KB)
  • C:\Users\Admin\AppData\Local\Temp\Commitments (Filesize 6KB)
  • C:\Users\Admin\AppData\Local\Temp\Etc (Filesize 77KB)
  • C:\Users\Admin\AppData\Local\Temp\Lingerie (Filesize 77KB)
  • C:\Users\Admin\AppData\Local\Temp\Mate (Filesize 866KB)
  • C:\Users\Admin\AppData\Local\Temp\Reliability (Filesize 60KB)
  • C:\Users\Admin\AppData\Local\Temp\Seek (Filesize 88KB)
  • C:\Users\Admin\AppData\Local\Temp\Spend (Filesize 90KB)
  • C:\Users\Admin\AppData\Local\Temp\Started (Filesize 86KB)
  • C:\Users\Admin\AppData\Local\Temp\Te (Filesize 23KB)
  • C:\Users\Admin\AppData\Local\Temp\Washing (Filesize 19KB)

  • memory/1072-543-0x0000000004290000-0x00000000042F0000-memory.dmp (Filesize 384KB)
  • memory/1072-544-0x0000000004290000-0x00000000042F0000-memory.dmp (Filesize 384KB)
  • memory/1072-545-0x0000000004290000-0x00000000042F0000-memory.dmp (Filesize 384KB)
  • memory/1072-546-0x0000000004290000-0x00000000042F0000-memory.dmp (Filesize 384KB)
  • memory/1072-547-0x0000000004290000-0x00000000042F0000-memory.dmp (Filesize 384KB)