Analysis
-
max time kernel
92s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 16:15
General
-
Target
(Protected Document) Sony 2024. Integration Pricing.docx.exe
-
Size
8.2MB
-
MD5
aee0ce66aced945ef94a1d8adf8732ca
-
SHA1
013b7fa9204f35049b8502b55c5030f07133add5
-
SHA256
12cce70bc9223da41e808348799ff100a0ef144bdef5bda5d06504d815aa9665
-
SHA512
e3649f525d25809cd36f498952ead9d4ff965acf2cc77168bb9f1dc91f8dfd1ebf560c61d91aeac17687f196ff5ec711cddaf019c9bf1c7d595708037bbcdcd4
-
SSDEEP
196608:oYe6WYQXNfe6ADY354vbNNS10J1os6dX48ViId256:oD7YQXNvAkmbvaS1SBViG26
Malware Config
Extracted
lumma
https://p3ar11fter.sbs
https://3xp3cts1aim.sbs
https://owner-vacat10n.sbs
https://peepburry828.sbs
https://p10tgrace.sbs
https://befall-sm0ker.sbs
https://librari-night.sbs
https://processhol.sbs
https://pear-meat.cyou
Extracted
lumma
https://pear-meat.cyou/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 8 IoCs
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-PKH1N.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp"C:\Users\Admin\AppData\Local\Temp\is-PKH1N.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp" /SL5="$50288,7598121,955392,C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe" /VERYSILENT3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-BR5T4.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp"C:\Users\Admin\AppData\Local\Temp\is-BR5T4.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp" /SL5="$60288,7598121,955392,C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "wrsa.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "opssvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avastui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "avgui.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "nswscsvc.exe"6⤵
-
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\find.exefind /I "sophoshealth.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\LilyPond\scanner.exe"C:\Users\Admin\AppData\Roaming\LilyPond\\scanner.exe" "C:\Users\Admin\AppData\Roaming\LilyPond\\rancours.eml"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && scanner.exe C:\ProgramData\\MP4FUaq.a3x && del C:\ProgramData\\MP4FUaq.a3x6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.17⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\LilyPond\scanner.exescanner.exe C:\ProgramData\\MP4FUaq.a3x7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe8⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2956994623\payload.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-4K3NF.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp"C:\Users\Admin\AppData\Local\Temp\is-4K3NF.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp" /SL5="$1A03D8,7598121,955392,C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe"C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe" /VERYSILENT3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-J3G6K.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp"C:\Users\Admin\AppData\Local\Temp\is-J3G6K.tmp\(Protected Document) Sony 2024. Integration Pricing.docx.tmp" /SL5="$110386,7598121,955392,C:\Users\Admin\AppData\Local\Temp\(Protected Document) Sony 2024. Integration Pricing.docx.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
-
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Peripheral Device Discovery
1Process Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
3.3MB
MD527e431ca1612ca5bc0e6ee7d1c62ae55
SHA1ba6ab5a440e8cbe39e9bbaf52ec59adf53c8368c
SHA2567528e38201c64c8fe0596e4fa7060408d0f1fa9b3009c04b9f192beba27d70f1
SHA512898e0391282b7e2262c7984b465f339e11eb982ee022ca9d74d459d2f8cf5dd0f66328e55194fefa6e872edd6ac903a6b615a0592dab29b3714c2b2559a108ff
-
Filesize
60KB
MD555f8cfb6288104f8be860148f658d659
SHA15c0125f0ba169672ce7e2e7c0c255f5ef1bb1392
SHA256502dd89d1ec6386a834a532be749fdf91c8695be78dbb2e72b345d258add98b8
SHA5121d95c7129e59534c3bdcaa1f9e6ac49b796d211bcf8ebe1afd8baf20b5a7b96704c947888d0069fee5bc5cd0c3181164e0e48a32ef420c93cc0cdcfd11d7cc42
-
Filesize
4.5MB
MD5a5287661a860a29c01e8c3557d31fc31
SHA1f05d0115a5ce3ecfdf4576669160bad3db3ab118
SHA256eb9253bace991dcbd4308660e7857483d73e099e5430e5f17ef9b02d9ff6b73a
SHA5125726c0cfdaef620b2015468d0e88225292361202a0abf7b99efa11d2c599581fd6a556fe04aeab1db4798d58206555d607fc280028056a2baa164c183ee00982
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
3.3MB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
672KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
988KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB