Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 03:19
Static task
static1
Behavioral task
behavioral1
Sample
7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe
Resource
win7-20240903-en
General
-
Target
7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe
-
Size
1.8MB
-
MD5
36e8bef9e64aab447e4deed78acb16a4
-
SHA1
102c5e3e7bc0448c9a564411ecb5a831a6899c79
-
SHA256
7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3
-
SHA512
e9d2bcc4cfbbf3ec02f1daa360696446e1a821be2253a57db833d667c3cb70706343e59aaa252ec341079fc604dcd7d2cc48ecc5c5f650de9a6e416769a4d0e6
-
SSDEEP
49152:1eYB58EGCuOD1Ch9EPrj7QfpjSvJF+m6b9AXIS:1gdORuyUjSvT+zAXI
Malware Config
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ZE7CJMI2P6ISY1JRR.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ZE7CJMI2P6ISY1JRR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ZE7CJMI2P6ISY1JRR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe -
Executes dropped EXE 2 IoCs
pid Process 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe 1888 ZE7CJMI2P6ISY1JRR.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine ZE7CJMI2P6ISY1JRR.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe 1888 ZE7CJMI2P6ISY1JRR.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ZE7CJMI2P6ISY1JRR.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe 1888 ZE7CJMI2P6ISY1JRR.exe 1888 ZE7CJMI2P6ISY1JRR.exe 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2772 05EE29BXYX8SKO2M0G7Q21GWT4F2.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2424 wrote to memory of 2772 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 87 PID 2424 wrote to memory of 2772 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 87 PID 2424 wrote to memory of 2772 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 87 PID 2424 wrote to memory of 1888 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 88 PID 2424 wrote to memory of 1888 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 88 PID 2424 wrote to memory of 1888 2424 7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe"C:\Users\Admin\AppData\Local\Temp\7c700b74cfa885fd18abe0c42a71e28a3f82bb7e20bb0bb883a49f3e4e3e48f3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\05EE29BXYX8SKO2M0G7Q21GWT4F2.exe"C:\Users\Admin\AppData\Local\Temp\05EE29BXYX8SKO2M0G7Q21GWT4F2.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\ZE7CJMI2P6ISY1JRR.exe"C:\Users\Admin\AppData\Local\Temp\ZE7CJMI2P6ISY1JRR.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1888
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD551501deb706a509a1dec7745ecf713e3
SHA17a925e2f3231498ab0cbd8cefe9b475fbab5f58b
SHA256fe72e6a8775634e7d76adecf570a2866a81714d3e3d7be6174c8fefb327f2f0b
SHA512cae65b34492e2c8413bcc19448697bd8c76e685046b60ecc65b313a49e4d7f9e9df24f0593f4691cffca1d8c7e9bc077bb2df7918767614b2172167bdc847476
-
Filesize
2.7MB
MD5b02d86ff1695f8c3faf80f6e5cd1b8bf
SHA1aaf7bc27106152a25b5ad8ce4c643f4def00bfe8
SHA256ff283c5f3e854c82dcfb4ea631f5f68496fb1654d025b5f3acfae5318c5ed088
SHA5124c219352d2555f183b143ec875f7944c622d1f5fdd5969caf46844e537fd8852c0309e9d9d0cadc55e151bda2cc49eff2d8bb2d84e81ce5261f2e0f474fc7098