Overview

overview

10

Static

static

1

IaslcsMo.ps1

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    211s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    25-11-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IaslcsMo.ps1

  • Size

    29.7MB

  • MD5

    d7c9613ed12144aea20bee90fd5057e5

  • SHA1

    268f3d77e4b82f68c842a4c01f96a6ba864c09fb

  • SHA256

    aa22e017141e1c5974e00c72f2de158072cf9279cfedff86ac1734c6947a19e8

  • SHA512

    e4a89e623561f5b8434cabb5aaa2cef9d15bdff3f791029dbae8d017c8027928efec9371300b55ad5edde394673ba9c2a0ccac56f7996f69324010f55c30f77b

  • SSDEEP

    49152:TUfvkgL6E9gTSTWi6fMJyDHol83vPi037qiLya6YWBJacr69CKwmxJUEqw2cl3+2:1

Score
10/10
lummadiscoveryexecutionpersistencestealer

Malware Config

Extracted

Family

lumma

C2

https://marchhappen.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\IaslcsMo.ps1
    1⤵
    • Adds Run key to start application
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe
      "C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:5608
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\74c1141a
      Filesize

      1020KB

      MD5

      aac42c67caff9ca07bf5f052460f6dbf

      SHA1

      187b1a0a38e41612e9a41147305d876af2166296

      SHA256

      51fbeb6070877005204b5f8e679adb3bdabee64974d6ac1930a38ab8215e9c8b

      SHA512

      385580295da351057b686a55682c7db0b6a87044733972e128a647637cbb42dabd903679c270f40d12ff9a9d36694a42d714b5a3787a18b1998631c46bd1412d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5a4015ih.ahf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtCore4.dll
      Filesize

      2.5MB

      MD5

      17d26d22913c19d7a93f7f6af7ec5d95

      SHA1

      0bbc1e108af53990e4b9f2c34cbf7efbe442bc92

      SHA256

      e18684e62b3c076b91a776b71539a8b7640932055ae0831b73ad5fee7c5dd4e7

      SHA512

      fb2a4288be915d7e62e6dcd1a4425a77c5da69cc58daa7f175b921fd017cddb07f0d76c9016eb40475dead5dc7984b32b988ad6f5c5d14813b5a9e2867eb629a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtGui4.dll
      Filesize

      8.2MB

      MD5

      831ba3a8c9d9916bdf82e07a3e8338cc

      SHA1

      6c89fd258937427d14d5042736fdfccd0049f042

      SHA256

      d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

      SHA512

      beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtNetwork4.dll
      Filesize

      1.0MB

      MD5

      8a2e025fd3ddd56c8e4f63416e46e2ec

      SHA1

      5f58feb11e84aa41d5548f5a30fc758221e9dd64

      SHA256

      52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

      SHA512

      8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\QtXml4.dll
      Filesize

      348KB

      MD5

      e9a9411d6f4c71095c996a406c56129d

      SHA1

      80b6eefc488a1bf983919b440a83d3c02f0319dd

      SHA256

      c9b2a31bfe75d1b25efcc44e1df773ab62d6d5c85ec5d0bc2dfe64129f8eab5e

      SHA512

      93bb3dd16de56e8bed5ac8da125681391c4e22f4941c538819ad4849913041f2e9bb807eb5570ee13da167cfecd7a08d16ad133c244eb6d25f596073626ce8a2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\Set-up.exe
      Filesize

      6.2MB

      MD5

      11c8962675b6d535c018a63be0821e4c

      SHA1

      a150fa871e10919a1d626ffe37b1a400142f452b

      SHA256

      421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273

      SHA512

      3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\StarBurn.dll
      Filesize

      654KB

      MD5

      f75225db13e3b86477dc8658c63f9b99

      SHA1

      6ffd5596fd69e161b788001abab195cc609476cf

      SHA256

      4286cf3c1ed10b8d6e2794ab4ed1cfcded0ea40d6794016ce926cd9b547c6a00

      SHA512

      07dee210de39e9f303bb72558c4b2aeb5de597638f0a5bfdcbe8f8badfb46a45f7a1518726d543f18682214668d22586299159e2c3947a9285990867bc457327

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\isjii
      Filesize

      15KB

      MD5

      744424fbbac9bba03e53dea3587e327e

      SHA1

      b1cd89346897aa9a0787336b44e638e231b3cc15

      SHA256

      e34c2c400fc112e079d825580f536ee43d5951f4dca0c2c6c9c521ca609f09a5

      SHA512

      7c2291b8e813efd2c55d4d55620c435205848fcb3e0d7f8dc3153afa7d6b4bca7bbf80bb3f3732f850f80add87d8165deeb3b94bc735a70e18509e276627e812

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\looelll
      Filesize

      779KB

      MD5

      150e5e57ae9177a2cd6e587df2d3b0ea

      SHA1

      88c981fb86b2624165cd1fab41f2c7cceb57151f

      SHA256

      1c11168b529642ba3139672e4dd6be5b1cab7a206f220554155af997427d3da8

      SHA512

      361c1596782bb064169f8ba622838ee945cb83ca422ff3277eebf574ac3e6257b7470a6705e0e4da2e996971ec04a849bbb45f8d86181a4db74b782a47814107

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\msvcp100.dll
      Filesize

      411KB

      MD5

      03e9314004f504a14a61c3d364b62f66

      SHA1

      0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

      SHA256

      a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

      SHA512

      2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VWPGdipf\msvcr100.dll
      Filesize

      752KB

      MD5

      67ec459e42d3081dd8fd34356f7cafc1

      SHA1

      1738050616169d5b17b5adac3ff0370b8c642734

      SHA256

      1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

      SHA512

      9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

      Download Submit

    • memory/3480-465-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3480-461-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3480-460-0x00007FFA8FD50000-0x00007FFA8FF48000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3480-458-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4424-453-0x00007FFA8FD50000-0x00007FFA8FF48000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4424-454-0x00000000746C3000-0x00000000746C5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4424-456-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4424-455-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4424-452-0x00000000746B0000-0x000000007482B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4480-11-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4480-16-0x00000277B0FE0000-0x00000277B0FEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4480-0-0x00007FFA71903000-0x00007FFA71905000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4480-449-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4480-450-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4480-10-0x00000277B12C0000-0x00000277B12E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4480-12-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4480-13-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4480-15-0x00000277B0FF0000-0x00000277B1002000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5608-466-0x00007FFA8FD50000-0x00007FFA8FF48000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5608-467-0x0000000000ED0000-0x0000000000F2A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/5608-468-0x0000000000900000-0x0000000000912000-memory.dmp

      Filesize

      72KB

      Download