Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
27-11-2024 02:18
Static task
static1
Behavioral task
behavioral1
Sample
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe
Resource
win7-20240729-en
General
-
Target
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe
-
Size
1.8MB
-
MD5
eebcc9dcc7640b92a0939d1cc2449160
-
SHA1
2993ca642310a1c6b4f72fef7093aae28eafed53
-
SHA256
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459
-
SHA512
1dc304eee1204367af8e33e5338758ac397a015a6eb8a77d9731b20017a7b08c63058281e08d4dcdab7e5ea0984ec7cdc1d4f3bd5a08d46e2c8ae97b9ef99e08
-
SSDEEP
49152:GYToCYGH+14UyrNOt/HfSFqtyS0DcnUcWeXi:GC7JYt3SfS0YTWey
Malware Config
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://property-imper.sbs
Extracted
lumma
https://blade-govern.sbs/api
https://story-tense-faz.sbs/api
Signatures
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exepid Process 376 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exepid Process 376 34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe"C:\Users\Admin\AppData\Local\Temp\34df64b26f3c69ef710eb56dd0204eaf3c4e083c74c038265a81700e7d07e459.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:376