Overview

overview

10

Static

static

1

gkzHdqfg.ps1

windows7-x64

3

gkzHdqfg.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gkzHdqfg.ps1

  • Size

    51.3MB

  • MD5

    d71c930452ae704ac29ec1e5e4586fe3

  • SHA1

    8651de4941bb4660fb3b3ae9442a8f6fcda2d51f

  • SHA256

    ee27463e66262cb5be6a087222573b30516fa70b911e359e469e7cc03427e38c

  • SHA512

    e665f1de54c422f8947e59fa8ebf8136c3157c1686e5e153904d97f1d7a904e2d10f611359b2808d0ceb0e40862fdf0d33c1ad4f2f5960b2a60294378e485466

  • SSDEEP

    49152:DXyMg7Tu4U0/N/sNe3nxbrLU9Y+HiKzc06HSr5nNALrfJ+Wa93QJkHVgTETwWfc/:s

Score
10/10
lummadiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://candidatersz.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\gkzHdqfg.ps1
    1⤵
    • Adds Run key to start application
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe
      "C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:4816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3f8f7215
    Filesize

    1.0MB

    MD5

    1654141a09f78364429e72351ab317c6

    SHA1

    e18c437e1b49abd916788a3ad44c74824682c727

    SHA256

    a479ba0dc4bf97d08a6e76ec5a38238ee0faabea07bc432458b0c3a770737659

    SHA512

    6b4f9ca890da79f074c7434dd1396f5aef4ba32508a137f52e83687d2bf5d3f4bcc059ed3ff68e7027620fcf792accabc0f6b70eae9e56173da640b11694330d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzc0g0gf.5uf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\MSVCR100.dll
    Filesize

    752KB

    MD5

    67ec459e42d3081dd8fd34356f7cafc1

    SHA1

    1738050616169d5b17b5adac3ff0370b8c642734

    SHA256

    1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

    SHA512

    9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtCore4.dll
    Filesize

    2.5MB

    MD5

    fecc62a37d37d9759e6b02041728aa23

    SHA1

    0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

    SHA256

    94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

    SHA512

    698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtGui4.dll
    Filesize

    8.2MB

    MD5

    831ba3a8c9d9916bdf82e07a3e8338cc

    SHA1

    6c89fd258937427d14d5042736fdfccd0049f042

    SHA256

    d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

    SHA512

    beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtNetwork4.dll
    Filesize

    1.0MB

    MD5

    8a2e025fd3ddd56c8e4f63416e46e2ec

    SHA1

    5f58feb11e84aa41d5548f5a30fc758221e9dd64

    SHA256

    52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

    SHA512

    8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\QtXml4.dll
    Filesize

    348KB

    MD5

    e9a9411d6f4c71095c996a406c56129d

    SHA1

    80b6eefc488a1bf983919b440a83d3c02f0319dd

    SHA256

    c9b2a31bfe75d1b25efcc44e1df773ab62d6d5c85ec5d0bc2dfe64129f8eab5e

    SHA512

    93bb3dd16de56e8bed5ac8da125681391c4e22f4941c538819ad4849913041f2e9bb807eb5570ee13da167cfecd7a08d16ad133c244eb6d25f596073626ce8a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\Set-up.exe
    Filesize

    6.2MB

    MD5

    11c8962675b6d535c018a63be0821e4c

    SHA1

    a150fa871e10919a1d626ffe37b1a400142f452b

    SHA256

    421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

    SHA512

    3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\StarBurn.dll
    Filesize

    648KB

    MD5

    bbf0b66f271322a7c5701d5488d6a6dd

    SHA1

    d4978e0cfcb374066bdaefea2aacf0417830ed95

    SHA256

    39f8082f72067be64270647f899919582438a0c7461c439174767b139406abd8

    SHA512

    a98c6bbb312ecb1ba30dacb39c755de7f48ee105bb014f51f3096b225ef6a0f73258d7f142965ec94a8f4dbf8da4d0cef4e6e3b85d17201236fa7a02555cb532

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\msvcp100.dll
    Filesize

    411KB

    MD5

    03e9314004f504a14a61c3d364b62f66

    SHA1

    0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

    SHA256

    a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

    SHA512

    2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\nmprwjs
    Filesize

    787KB

    MD5

    7ab8ef9419f402c83e0cd0346d9a1a67

    SHA1

    caa661be7346c474de569b19b09507c58a6f7d10

    SHA256

    4ec0eef7ce80b0181dbf5d946c7a2d40067b9bf89292b27f7496482e2f7a80a1

    SHA512

    aacd71428a25abb693b5e3773c94b595d659ace9894448e733809ecfacd3e1f066b1ae4bc8d477c8b112fcff44fd7f3a20e0a1fd39c8d7a7d199ce330c971c9d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\QHUPRmIp\ovaw
    Filesize

    23KB

    MD5

    90284f3d3121827201d9233a4d7cd97d

    SHA1

    0dff5c2b5aa628d7800b6fb163f7be7948229af5

    SHA256

    2c373d4495aa2e52a9f27039998bb42f3a5139929ec8d8e8963c30d3f558cc57

    SHA512

    dcd9c837f38970d1dd5336732ed42fa2524791c23e6410018e9e149fbd6ee584101b951f851418ca522e571a775e34ee4f45786dddb33340fc67ef1bd1c4db64

    Download Submit

  • memory/1028-125-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1028-136-0x0000000074843000-0x0000000074845000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1028-138-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1028-137-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1028-126-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3456-147-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3456-143-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3456-142-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3456-140-0x0000000074830000-0x00000000749AB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3600-14-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3600-16-0x00000261B87C0000-0x00000261B87CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3600-15-0x00000261D0E00000-0x00000261D0E12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3600-122-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3600-1-0x00000261D0DB0000-0x00000261D0DD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3600-0-0x00007FFE39143000-0x00007FFE39145000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3600-11-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3600-12-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4816-148-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4816-149-0x0000000000EA0000-0x0000000000EFD000-memory.dmp

    Filesize

    372KB

    Download

  • memory/4816-150-0x00000000004B0000-0x00000000004C2000-memory.dmp

    Filesize

    72KB

    Download