Overview

overview

10

Static

static

1

IaslcsMo.txt.ps1

windows7-x64

3

IaslcsMo.txt.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2024 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IaslcsMo.txt.ps1

  • Size

    29.7MB

  • MD5

    d7c9613ed12144aea20bee90fd5057e5

  • SHA1

    268f3d77e4b82f68c842a4c01f96a6ba864c09fb

  • SHA256

    aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8

  • SHA512

    e4a89e623561f5b8434cabb5aaa2cef9d15bdff3f791029dbae8d017c8027928efec9371300b55ad5edde394673ba9c2a0ccac56f7996f69324010f55c30f77b

  • SSDEEP

    49152:TUfvkgL6E9gTSTWi6fMJyDHol83vPi037qiLya6YWBJacr69CKwmxJUEqw2cl3+2:1

Score
10/10
lummadiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://marchhappen.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\IaslcsMo.txt.ps1
    1⤵
    • Adds Run key to start application
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe
      "C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:700
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:5028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\947a6642
    Filesize

    1020KB

    MD5

    0e64ffcd8bb08b8f01da27021ba30534

    SHA1

    7441223f930036dbcbfa27b74cdb5cbcfb3f3005

    SHA256

    f4b0d7637e54c1fdf171471943d7c7c840ddde0cb507b4e3bb07c4c2172deafc

    SHA512

    1cfba49c83f3a7a17ca19ba47d1574fc158c8ba8eb60c354bfe4371fd9c86d2dca92ee66a00c728b1bcd1024a863466d34f771e642e62f9552563e2778059fb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpybcpdm.psz.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\MSVCP100.dll
    Filesize

    411KB

    MD5

    03e9314004f504a14a61c3d364b62f66

    SHA1

    0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

    SHA256

    a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

    SHA512

    2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtCore4.dll
    Filesize

    2.5MB

    MD5

    17d26d22913c19d7a93f7f6af7ec5d95

    SHA1

    0bbc1e108af53990e4b9f2c34cbf7efbe442bc92

    SHA256

    e18684e62b3c076b91a776b71539a8b7640932055ae0831b73ad5fee7c5dd4e7

    SHA512

    fb2a4288be915d7e62e6dcd1a4425a77c5da69cc58daa7f175b921fd017cddb07f0d76c9016eb40475dead5dc7984b32b988ad6f5c5d14813b5a9e2867eb629a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtGui4.dll
    Filesize

    8.2MB

    MD5

    831ba3a8c9d9916bdf82e07a3e8338cc

    SHA1

    6c89fd258937427d14d5042736fdfccd0049f042

    SHA256

    d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

    SHA512

    beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtNetwork4.dll
    Filesize

    1.0MB

    MD5

    8a2e025fd3ddd56c8e4f63416e46e2ec

    SHA1

    5f58feb11e84aa41d5548f5a30fc758221e9dd64

    SHA256

    52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

    SHA512

    8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtXml4.dll
    Filesize

    348KB

    MD5

    e9a9411d6f4c71095c996a406c56129d

    SHA1

    80b6eefc488a1bf983919b440a83d3c02f0319dd

    SHA256

    c9b2a31bfe75d1b25efcc44e1df773ab62d6d5c85ec5d0bc2dfe64129f8eab5e

    SHA512

    93bb3dd16de56e8bed5ac8da125681391c4e22f4941c538819ad4849913041f2e9bb807eb5570ee13da167cfecd7a08d16ad133c244eb6d25f596073626ce8a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe
    Filesize

    6.2MB

    MD5

    11c8962675b6d535c018a63be0821e4c

    SHA1

    a150fa871e10919a1d626ffe37b1a400142f452b

    SHA256

    421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

    SHA512

    3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\StarBurn.dll
    Filesize

    654KB

    MD5

    f75225db13e3b86477dc8658c63f9b99

    SHA1

    6ffd5596fd69e161b788001abab195cc609476cf

    SHA256

    4286cf3c1ed10b8d6e2794ab4ed1cfcded0ea40d6794016ce926cd9b547c6a00

    SHA512

    07dee210de39e9f303bb72558c4b2aeb5de597638f0a5bfdcbe8f8badfb46a45f7a1518726d543f18682214668d22586299159e2c3947a9285990867bc457327

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\isjii
    Filesize

    15KB

    MD5

    744424fbbac9bba03e53dea3587e327e

    SHA1

    b1cd89346897aa9a0787336b44e638e231b3cc15

    SHA256

    e34c2c400fc112e079d825580f536ee43d5951f4dca0c2c6c9c521ca609f09a5

    SHA512

    7c2291b8e813efd2c55d4d55620c435205848fcb3e0d7f8dc3153afa7d6b4bca7bbf80bb3f3732f850f80add87d8165deeb3b94bc735a70e18509e276627e812

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\looelll
    Filesize

    779KB

    MD5

    150e5e57ae9177a2cd6e587df2d3b0ea

    SHA1

    88c981fb86b2624165cd1fab41f2c7cceb57151f

    SHA256

    1c11168b529642ba3139672e4dd6be5b1cab7a206f220554155af997427d3da8

    SHA512

    361c1596782bb064169f8ba622838ee945cb83ca422ff3277eebf574ac3e6257b7470a6705e0e4da2e996971ec04a849bbb45f8d86181a4db74b782a47814107

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VWPGdipf\msvcr100.dll
    Filesize

    752KB

    MD5

    67ec459e42d3081dd8fd34356f7cafc1

    SHA1

    1738050616169d5b17b5adac3ff0370b8c642734

    SHA256

    1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

    SHA512

    9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

    Download Submit

  • memory/700-466-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/700-464-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/700-467-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/700-471-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1520-377-0x00007FFEEE0C3000-0x00007FFEEE0C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1520-1-0x00000201FE440000-0x00000201FE462000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1520-447-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1520-15-0x00000201FE3B0000-0x00000201FE3C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1520-0-0x00007FFEEE0C3000-0x00007FFEEE0C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1520-11-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1520-12-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1520-14-0x00007FFEEE0C0000-0x00007FFEEEB81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1520-16-0x00000201FE3A0000-0x00000201FE3AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1888-462-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1888-461-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1888-460-0x0000000073CD3000-0x0000000073CD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1888-450-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1888-449-0x0000000073CC0000-0x0000000073E3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/5028-472-0x00007FFF0C430000-0x00007FFF0C625000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/5028-473-0x0000000000DF0000-0x0000000000E4A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/5028-474-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

    Filesize

    72KB

    Download