Analysis

  • max time kernel
    87s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2024 22:06

General

  • Target

    ¡Archivos!AutomáticaConfiguración! paraPc!.rar

  • Size

    113.1MB

  • MD5

    25284dcf16e765d81872552a22e9d9e5

  • SHA1

    9cf2bc65712f2b95f34739e8157dcf8aee732501

  • SHA256

    76f70c669264a65fa2ab3f5dacba4b4ccd9408e731658f9e9f6ac081154de3f6

  • SHA512

    a2fb77e7ff87727eae06da273803cc08d358db8dbba7b7262371ab37f2455af9075c72be14dbb85ad10779d4f9212d0ab422c2f1aa8591c52cba40d3d50e1081

  • SSDEEP

    3145728:9ypm02nTzoneGu+Jz/2T83G6MbbpMhULICz5c:YpmxzipR3MpHLICz5c

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://teentyinch.fun/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3428
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\¡Archivos!AutomáticaConfiguración! paraPc!.rar"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3060
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\" -spe -an -ai#7zMap12683:144:7zEvent31461
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1512
      • C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\Setup.exe
        "C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\Setup.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Wired Wired.cmd & Wired.cmd
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4756
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3880
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2784
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1272
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 565533
            4⤵
            • System Location Discovery: System Language Discovery
            PID:436
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Ampland + ..\Become + ..\Permalink + ..\Consisting + ..\Bridges + ..\Transcripts + ..\Destroy e
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4536
          • C:\Users\Admin\AppData\Local\Temp\565533\Settings.com
            Settings.com e
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4272
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoMindTechPro360X.url" & echo URL="C:\Users\Admin\AppData\Local\CryptoTechMind360 Elite Innovations Co\CryptoMindTechPro360X.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CryptoMindTechPro360X.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:2708
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\About\UI.txt
        2⤵
          PID:2156
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4576
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:632
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3532
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\geo.dat
            2⤵
              PID:216

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\565533\e

            Filesize

            487KB

            MD5

            836ad855ba514497c8a91b0c17c24397

            SHA1

            af532652daefa5d28c28e3b352519a72804ee185

            SHA256

            95285d4d060d3b6ff463a56296b12f82ee3ccd91b08b0808d82bd7f235414d39

            SHA512

            f741bf4d3fc2a6f9e3bd3958f0ee3bd2a060eac2486ffb680d536edabefeb30f2fa21d4151b5545a50d0c50aac21a290aba878e08918011c278080485d7bc09b

          • C:\Users\Admin\AppData\Local\Temp\Ampland

            Filesize

            59KB

            MD5

            5c44e94926d373b80b95d40f6820ccb6

            SHA1

            969da0724590fe73c3135b2f4385375e1c602dbb

            SHA256

            bff0da0c8553b655c528e9cb6ffe044f578328b29fb0d08ee0c30b68489f9ea3

            SHA512

            d1fa810e7799d3a41311112633eeb2dc57d0f91d3fe6098baa4ce8fd65fe979475ffacd529c266a9bff8156c34ffe436787f0c19a580615320624ce80070549a

          • C:\Users\Admin\AppData\Local\Temp\Become

            Filesize

            94KB

            MD5

            0939cb1f527fc0c1bb4269d3505d7c19

            SHA1

            cf5a01e84bd5080cb917b2828f320e54a4ee7c29

            SHA256

            47c3806f1ece16b0792c627774d202455bf2464fe9f7107298d83eaeb6d8b688

            SHA512

            330ff37b7bb12f63bfbd6e611ac55ef3b44cba02c8964b0fc1852ee4dc6430f2202a263d6f4c033f27b57745fe6f2fd2e414f32181ccd3ad8bf5938b9229a24c

          • C:\Users\Admin\AppData\Local\Temp\Bridges

            Filesize

            72KB

            MD5

            3f2d675ebfe718105f12ffc753095336

            SHA1

            3a682948d18e5a7e2e809616abdb2dea67e6ecf6

            SHA256

            06485a9fa84984850c5cb5ee703c51fbdedb9021c7c864e769b720cdd2e1bc04

            SHA512

            594988e5bd0bd596137123f05b8d913694804ce7943f2f3c73219bce04a70dd706b23833c0742368b36770159baf74d12c1baad4efa21b554c2d6031573688a2

          • C:\Users\Admin\AppData\Local\Temp\Consisting

            Filesize

            99KB

            MD5

            87dabfee297c02b7e25bec22e3ec59a3

            SHA1

            ddc5bce355152b24c96fb1d1e077ff2bcbdc0deb

            SHA256

            381cc1566f9f13c985f8a7f180133c4d4e4b4537abf41949157f3f3795cb0d4b

            SHA512

            f6f072977d47cf692c5dcef9eadb8096ef3ac4e60d8d78c7259b9ade8dfbb25b1dcca3945d0a4e9d4533213d5defa2f08c650a66d32b38989fc873c673cfc570

          • C:\Users\Admin\AppData\Local\Temp\Contributed

            Filesize

            925KB

            MD5

            62d09f076e6e0240548c2f837536a46a

            SHA1

            26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

            SHA256

            1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

            SHA512

            32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

          • C:\Users\Admin\AppData\Local\Temp\Destroy

            Filesize

            11KB

            MD5

            9c60ad9ef8a19004301e8d0459ddb134

            SHA1

            4ec1b5d3a8cd32166bb703e891c7985bb0852550

            SHA256

            60de8a8eec2743d0e470d9c2216c8c9e223647a18339992e222a11dd3fcc5e0b

            SHA512

            5fd12bb5979bc870f5a2f621f18e758e2521ecb5d4b67805040f0bf012c429c9e61c1054e79ef082a256222f6d0d98e3a5d7146b71b715a4407344cd85f5ebb3

          • C:\Users\Admin\AppData\Local\Temp\Permalink

            Filesize

            66KB

            MD5

            8ff64a29a44bd6b4fe4015353a1d0a97

            SHA1

            b538dee653cebb0cf5b712408c7be6088c3a274d

            SHA256

            fc60c67a5faf349bc1a3ce0cea0150961eaa80c958cd406152df0bb7b302daab

            SHA512

            acfb52d39821c9780da415de215adacd7b5a73c235ce335435f360bd49c27188e6bf3fd22aeebae91e0f0cceaf00c3cb39f53f79ae63227e234e4b9fa8be318e

          • C:\Users\Admin\AppData\Local\Temp\Transcripts

            Filesize

            86KB

            MD5

            5739347062149710eb8a0e362ada50da

            SHA1

            0581da93aaae41101d0c64d70f916a0fce16923e

            SHA256

            a3cd03ba5bdd4c13b27346f11521e73f3571a56a87858e161933993648b3eba6

            SHA512

            404b622f9dcbb2e5beda3fc6ae13bb196b78f14c5eccfa919fa2e1b84d0a48438e4cf92b36bdd1c8b37dedeaba64285e21c35a5381b4d645e5f6c7d588f44afa

          • C:\Users\Admin\AppData\Local\Temp\Wired

            Filesize

            7KB

            MD5

            17f89c311dcd640e19c4f5fd3d063ad0

            SHA1

            c31cc7ae5740e86ada56a616819b3bdbdee56049

            SHA256

            f9bee368b9938a0fc9410e6ce986750bf29d0ef8b1e9db52666e601511926921

            SHA512

            5145a8fc4c18b7303288c9b076fd598148318b2b171d9885de0ac8e3d168d80d704c738c0714ffa02cf7c31a28274ad9a60227420bc3740a98e397b5a8b20a4e

          • C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\About\UI.txt

            Filesize

            6KB

            MD5

            073da378c252e721e14fb5ac101a7c35

            SHA1

            2065803864bbcdea59f39f2f615ac48d6a0c0949

            SHA256

            26150135b7012938737fc95971b5c93e0cbcc1c1ab5f2f3ea4f358b41b7f00cc

            SHA512

            d49e9e1299daa146e325e29994ca8bb7a815427c75f114c637e0ff65cb98cf38bcb64659811395bbef6673804eade8b608dbff22d794c6213eff645f25d68363

          • C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\DAC\KeyFile\1049\sharedmanagementobjects_keyfile.dll

            Filesize

            23KB

            MD5

            5e54cb9759d1a9416f51ac1e759bbccf

            SHA1

            1a033a7aae7c294967b1baba0b1e6673d4eeefc6

            SHA256

            f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

            SHA512

            32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

          • C:\Users\Admin\Desktop\¡Archivos!AutomáticaConfiguración!! paraPc!\geo.dat

            Filesize

            1.4MB

            MD5

            79423daa2bf4f352b7b18dde5e4accad

            SHA1

            f5824f30f3b78bd6a15b64ce0c2fb4530e813604

            SHA256

            e8da9867f215b070f5a2d184aa6473279b06c06c8c8c7d9610548a3bc501cbfa

            SHA512

            57d1e9824a16f7fb7ddd2f4bbd7228e5604c1d63db42e139fa1f76dd028059e2cf8f29ce6dbdf2caeef0f8c2ed2cb6c541caa2e18d837c63238badd87d9b6974

          • memory/4272-704-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB

          • memory/4272-706-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB

          • memory/4272-705-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB

          • memory/4272-707-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB

          • memory/4272-708-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB

          • memory/4272-709-0x0000000003BC0000-0x0000000003C1B000-memory.dmp

            Filesize

            364KB