Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/S...

windows11-21h2-x64

10

Resubmissions

26-11-2024 02:33

241126-c195pszkew 3

25-11-2024 23:21

241125-3b38zaylgj 10

Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-11-2024 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Slikswid/FivemExternalCheat/blob/main/Loader.exe

Score
10/10
lummadefense_evasiondiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Slikswid/FivemExternalCheat/blob/main/Loader.exe
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe945acc40,0x7ffe945acc4c,0x7ffe945acc58
      2⤵
        PID:3324
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
        2⤵
          PID:4092
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
          2⤵
            PID:1600
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:8
            2⤵
              PID:1864
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
              2⤵
                PID:1808
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
                2⤵
                  PID:1200
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
                  2⤵
                    PID:1576
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5056,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
                    2⤵
                      PID:4700
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5068,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
                      2⤵
                        PID:3576
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5084,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5384 /prefetch:8
                        2⤵
                          PID:2844
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5076,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5524 /prefetch:8
                          2⤵
                            PID:3808
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4652,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5676 /prefetch:8
                            2⤵
                              PID:4712
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5664,i,7551752518030607479,8098733161689051709,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
                              2⤵
                              • Subvert Trust Controls: Mark-of-the-Web Bypass
                              • NTFS ADS
                              PID:3312
                            • C:\Users\Admin\Downloads\Loader.exe
                              "C:\Users\Admin\Downloads\Loader.exe"
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              PID:3744
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:1412
                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                            1⤵
                              PID:2040
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                              1⤵
                                PID:3232

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                Filesize

                                649B

                                MD5

                                a814b0a325666fb36d35d2437ed0b839

                                SHA1

                                bdaa9d95d79bced52446e3989ce9ca0b588b4146

                                SHA256

                                12f1df7f33519504cb5e0884bc01c3f6acf437ef53ed42f99478a91d038a3e10

                                SHA512

                                75ec5fbee2bfac6046c1021ee308cfd7e1697c13dd18405894af2ee39b3dc6741ba350008e0255054b056491bfb2d7bc1e416626a37ea323e0247aa34a6e3ad5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                Filesize

                                1KB

                                MD5

                                1c59c1cebde9bf58b9a2c8039916f810

                                SHA1

                                1854078d646b11e8a4d2a2e4c7716a6b0d22fa88

                                SHA256

                                2fcd0a210b6960eccf95b16a5477a6b46b22d9227632674b4615d22b2c71f733

                                SHA512

                                577201ccface0f4fa6f696db185964327d400f7a3a0564017be32f0a6a1492ee9d63d6dbd6c10975750e06e85b63bb62459f9bb875c9f84204c8b3bdf5d6a827

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                Filesize

                                1KB

                                MD5

                                189cf47b1343a96ba0290caed5d201be

                                SHA1

                                2d702e05af1c7e470728a879f4218600a1e9b233

                                SHA256

                                1fd2646c436fd2042be1e86af5e07446f49e9fd4dc16c5f5e856766a1742d146

                                SHA512

                                dc78264eb0c9d7a855e722756ea24401f65dc4c9a48720d38b4856e7981b3d474e1eec763cc4dab4d7a429411e0e66f99750dc9300ffd1436ef2fe72af17087a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                Filesize

                                1KB

                                MD5

                                9e05b537b6e226e35f308ecc0066be4b

                                SHA1

                                d19b72064800e4067b908126f69fac9bc513cf92

                                SHA256

                                b1702c831c81b6e22bc89bb243dd66266ba802c80d70c2c62f328a0149f6ee94

                                SHA512

                                92aaeab301f8cd0453ab2510512b1a3c9210446d0f6f9389dcfb6f14a359ec67b13a41fa17a010f7be6d9bd487aaa38d6e7a3c4e72f773b76189bd223af49780

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                1525a21dfcdfc0546d4fe6fd1baad2ad

                                SHA1

                                8d3256204b0dad067092cbfdffe49802a9ee7b3a

                                SHA256

                                d59988f96923c15818dbe2516b032507e4c40ee72fc25cb23c13b4776bac5710

                                SHA512

                                48ec61323fe1841a35fe44442e1f07f80288013a01474acada75fd19b6706ca9dc8f6f7de0a9219f2ee24ea755099581bb146e248f5c575afed5751fae11d7f9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                Filesize

                                9KB

                                MD5

                                4e8a991f846f83d8a0455d1b2f8556b6

                                SHA1

                                9024f53a812a8a4a85c045b96d61f07fee0c4e20

                                SHA256

                                b8bce6c25e49203a580c824205e459181cb53b11d805f95a26b2be83b1d4d7cf

                                SHA512

                                a195954255344f9e75aadd69b4ec8976844e0aee99c74e0e2cf50e506ab1c4eef349156ce3728ee650a17aa7f91d502ffadafa19a0d3cd39e020c76da96de7f5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                Filesize

                                228KB

                                MD5

                                cc2e26be1fc7cdd6fb1e295d8509dca9

                                SHA1

                                de2da9848fa432713b4ac79f0dddae9a356ed142

                                SHA256

                                392f3bbf52efe92747c1969889d7de156399e7bc3aa8168112b810f07c12e61b

                                SHA512

                                26bb93a3849d9524a94d9bf4402b4fe46f4bac1b351fa7087d588af333a08b0d5643af5d54d4c46a805dea69176d433c32265fd4c0c1dcf83ba10140dc6b24cf

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\msvcp110.dll
                                Filesize

                                642KB

                                MD5

                                9bc424be13dca227268ab018dca9ef0c

                                SHA1

                                f6f42e926f511d57ef298613634f3a186ec25ddc

                                SHA256

                                59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

                                SHA512

                                70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

                                Download Submit

                              • C:\Users\Admin\Downloads\Loader.exe:Zone.Identifier
                                Filesize

                                205B

                                MD5

                                ab6eeb5c57256470694d103af4dabdb0

                                SHA1

                                a7c88ca9f11b0dd89c414b560b5cc803d665b9ad

                                SHA256

                                255802c39a973a5aede125f400ee3287c84b271dafcb7e19e292f7b0cc8f4354

                                SHA512

                                92dc51d9f00d9d54f9b73f246ea9aeb6f69d30a59786093f13579ce9eaf820114481dda70ed3f50c6a3fb7f28ffcd3934114b301e138a362670861c2c271e902

                                Download Submit

                              • C:\Users\Admin\Downloads\Unconfirmed 444773.crdownload
                                Filesize

                                550KB

                                MD5

                                ee6be1648866b63fd7f860fa0114f368

                                SHA1

                                42cab62fff29eb98851b33986b637514fc904f4b

                                SHA256

                                e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

                                SHA512

                                d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

                                Download Submit

                              • \??\pipe\crashpad_3496_AQNPZRVNDFROXVYJ
                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                Download Submit

                              • memory/1412-197-0x0000000000400000-0x0000000000465000-memory.dmp

                                Filesize

                                404KB

                                Download

                              • memory/1412-200-0x0000000000400000-0x0000000000465000-memory.dmp

                                Filesize

                                404KB

                                Download

                              • memory/1412-203-0x0000000000400000-0x0000000000465000-memory.dmp

                                Filesize

                                404KB

                                Download

                              • memory/3744-189-0x0000000000270000-0x0000000000300000-memory.dmp

                                Filesize

                                576KB

                                Download

                              • memory/3744-195-0x0000000074CC0000-0x0000000075471000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3744-202-0x0000000076A70000-0x0000000076AD6000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/3744-201-0x0000000074CC0000-0x0000000075471000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/3744-188-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

                                Filesize

                                4KB

                                Download