Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 14:15

General

  • Target

    c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe

  • Size

    2.8MB

  • MD5

    62cfbf48cbec19b909d15fc91d70cb47

  • SHA1

    1c900301e2fa4b10cc69fb53c160f27254c607c6

  • SHA256

    c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b

  • SHA512

    952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c

  • SSDEEP

    49152:2r4wwAxziwgFtvyMcy4MmjQfcMIQVzhzsSWSbnDBQkk:2r7wOefvyMc1MmUflFWSbnDBQkk

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://shineugler.biz/api

Extracted

Family

lumma

C2

https://shineugler.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
    "C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe
        "C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\System32\certutil.exe
          "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8908.tmp"
          4⤵
            PID:2268
        • C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
          "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:756
          • C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe
            "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5116
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3540
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe

      Filesize

      4.5MB

      MD5

      38fcaa23700e62fb0b3fc2591f82cc80

      SHA1

      abedd6ec573a6fede05d15920f3ac3763062c75c

      SHA256

      fb829a6a8535a443932cd167e8301b5e74c60702b5f7fade7e9f13a736ce72b0

      SHA512

      5da88a61c716a9891cb225f36f275040d69915c4c731c2a5c042d5c997ca39241a3e9d6646569468d477f47db42462c21b58f2de7f56a84cb145e6cee478eeef

    • C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe

      Filesize

      2.5MB

      MD5

      7ff947867bc70055adffa2164a741b01

      SHA1

      cff424168c2f6bcef107ebc9bd65590f3ead76ae

      SHA256

      b6d6628d2dc7dea808eef05180c27abe10a1af245d624aacdacccc52a1eb7b40

      SHA512

      da507d1847056d0dc2c122c45ecbea4901a81c06890bcdbffc2f18ad4b96f0ac2c2fa9ebde1a315828c74a97af653062a8c50ce70c9b6d6966c48871150747ee

    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

      Filesize

      2.8MB

      MD5

      62cfbf48cbec19b909d15fc91d70cb47

      SHA1

      1c900301e2fa4b10cc69fb53c160f27254c607c6

      SHA256

      c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b

      SHA512

      952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c

    • C:\Users\Admin\AppData\Local\Temp\Tmp88B8.tmp

      Filesize

      2KB

      MD5

      672a8e6ec2586079941130a4864da99d

      SHA1

      b2277e422c886528e4bf7cc8df302f7406a1c28d

      SHA256

      36136eba77d1bdaac3d15c9374fc18febba966e74f7a812a4486c98613a77449

      SHA512

      2ba1d5abe612d5d99323a4058fecf8c26ada3aa7eac96edc86ef733f77f988d9de3b9e10a6c943c95fb9876b3d4648256d33567dc3ea417d047ef344114b37ed

    • C:\Users\Admin\AppData\Local\Temp\tmp8908.tmp

      Filesize

      2KB

      MD5

      129a8f2f7d23a27feff0e65809658249

      SHA1

      be154b3a87f3e661114781b9a498c4d5ebbaa893

      SHA256

      0f05be961dee1be611827b96aa12df4673672a6c02eb5c4a695e5fc4ed632e57

      SHA512

      9ab9cbf68c017d5439d25071921fea65d5f3f3f8c2087ecdaf3ed079de67ba87e8304be6d206b3318aa524b53d05aec6bcf9bfec985e519cc74107f3dfd2141f

    • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\2DA4AA4D1DA45876978C05BCE34E20CF177B77CA

      Filesize

      1KB

      MD5

      1721f0d1a609972036059a72af07b6e2

      SHA1

      afec55d2ee616969af5597d371375b00b2880fa3

      SHA256

      9115250974b70b0c96f4e5e44748b3412188ac85702b1ccd4ef0390a30d8cd86

      SHA512

      be09dc2d8ddc8c01600f271603f8b86add9c04bf5dfc54f838c01973c124a75277b304a4e9a525fee4619788e4bf30ea2144b24ae514ff562bbefeb668300b8c

    • memory/2232-21-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-112-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-20-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-19-0x0000000000991000-0x00000000009BF000-memory.dmp

      Filesize

      184KB

    • memory/2232-133-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-22-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-16-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-132-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-131-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-44-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-130-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-129-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-126-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-125-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-124-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-110-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-111-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-123-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-122-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-121-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-118-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2232-117-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/2412-4-0x0000000000020000-0x000000000032F000-memory.dmp

      Filesize

      3.1MB

    • memory/2412-2-0x0000000000021000-0x000000000004F000-memory.dmp

      Filesize

      184KB

    • memory/2412-0-0x0000000000020000-0x000000000032F000-memory.dmp

      Filesize

      3.1MB

    • memory/2412-3-0x0000000000020000-0x000000000032F000-memory.dmp

      Filesize

      3.1MB

    • memory/2412-18-0x0000000000020000-0x000000000032F000-memory.dmp

      Filesize

      3.1MB

    • memory/2412-1-0x00000000777A4000-0x00000000777A6000-memory.dmp

      Filesize

      8KB

    • memory/3300-45-0x000002AE42EE0000-0x000002AE430A2000-memory.dmp

      Filesize

      1.8MB

    • memory/3300-42-0x000002AE281E0000-0x000002AE28670000-memory.dmp

      Filesize

      4.6MB

    • memory/3300-41-0x00007FFDB5243000-0x00007FFDB5245000-memory.dmp

      Filesize

      8KB

    • memory/3540-120-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/4748-128-0x0000000000990000-0x0000000000C9F000-memory.dmp

      Filesize

      3.1MB

    • memory/5116-113-0x00000000000C0000-0x0000000000116000-memory.dmp

      Filesize

      344KB

    • memory/5116-116-0x00000000000C0000-0x0000000000116000-memory.dmp

      Filesize

      344KB

    • memory/5116-115-0x00000000000C0000-0x0000000000116000-memory.dmp

      Filesize

      344KB