Overview

overview

10

Static

static

3

reiboot li...ee.exe

windows7-x64

10

reiboot li...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    reiboot licensed email and registration code free.exe

  • Size

    903.0MB

  • MD5

    9919980b5380785aad93aa04498138a7

  • SHA1

    c4d21a82e70d2f7a552c88d38190d6169da0f9f7

  • SHA256

    542680fc792eaabdcb078f2936f3b102ca201541977e7e8655a215b5145d5d27

  • SHA512

    09672f01c43636643962cf0884cc3d28948526883bcb5c22252bdc86b878ce7a8c006deb02a1182e74f1089e2a0ee3a71623a9e11d0d5e2674c344ac3b0316ed

  • SSDEEP

    1572864:Q7cZfns+Fp3l1jSipMLBr/EFQFLe8syMJvV3P/oFk6MBwFAtoFeWLFhK:cmV

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://crib-endanger.sbs/api

https://faintbl0w.sbs/api

https://300snails.sbs/api

https://bored-light.sbs/api

https://3xc1aimbl0w.sbs/api

https://pull-trucker.sbs/api

https://fleez-inc.sbs/api

https://thicktoys.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\reiboot licensed email and registration code free.exe
    "C:\Users\Admin\AppData\Local\Temp\reiboot licensed email and registration code free.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Interpreted Interpreted.cmd & Interpreted.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1348
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2228
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1400
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:700
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 607425
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1664
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "AmplifierAnnouncedCumWar" Scores
        3⤵
        • System Location Discovery: System Language Discovery
        PID:436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Days + ..\Impose + ..\Closes + ..\Hollow + ..\Prison + ..\Peninsula + ..\Ethnic d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:320
      • C:\Users\Admin\AppData\Local\Temp\607425\Deferred.pif
        Deferred.pif d
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2348
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\607425\d
    Filesize

    476KB

    MD5

    6c9804d10abedb905d4f8b92413c1476

    SHA1

    1092016507d2dce098965598ebe3d65d40d59293

    SHA256

    3853400c8779a78a2d9c4673c6b47c909f5e17e8ad9f852324b54f999a33cdea

    SHA512

    411af55d47b144fa3c76b970479110c339404b2332319326dc4dc05139b559e174c45e467c14b6a6b5e99813fdc5b5c04e470fff62fab97d3810ed15eb6016a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab3584.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Closes
    Filesize

    74KB

    MD5

    99fb9c58e2a3c0d9e794afc8efc91dfd

    SHA1

    82d80904eec4179e1465a9e975bdbdb41730d310

    SHA256

    f38e91f73f8977c114a200df60ac37384b7563d389f115c86e2bdbeb99de32de

    SHA512

    bdd75f98e468b79c9cd715640d3f945e8b1e6a471b3e00ee3dec3e996c9dee8a45b081a3e8ab2c151274f3a8576d36c8f86aa8bf0184ba1c54b1a8d7f0bc628a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Days
    Filesize

    92KB

    MD5

    1a988073c9edd73ca230bbeeab3925a1

    SHA1

    51c7c3364ec613a80896afc9f1b40e50e6c0ee55

    SHA256

    afddc14760195490c58e889aff814e1b3d8aba8089d93048ad4274468aa39c0f

    SHA512

    10f31915bb95e3ddb4ffe285edda3d7641c079e8cca924b5ba3b499778fd60df8009e674541ea724ed42772aff287af616ab6fb99b8a5085d3dec589ecadd6bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ethnic
    Filesize

    38KB

    MD5

    8d884e66f241d47400240fdc4c5795e6

    SHA1

    0aebcb56aa2c951007465055caf29aa489e69e17

    SHA256

    848e218d9d915fa2d68e05957044a750bcd03ace3d78ebc55afe8c69edb38b72

    SHA512

    92b95d7060eebce27e6f6a144ac7b86f8cbf83bff8ecfcd169caa7b1f6eb2488df983daecd61f15b866fa68ac02f7a050a058c72f01f3210faf244bc2e3ec3d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Hollow
    Filesize

    58KB

    MD5

    bcd4937d47c4b3db2b4b91c84dead22b

    SHA1

    8b904f4e20d09de46a3929211cac1b986836950d

    SHA256

    21c05e1e839a3aefd50e785c232416b1c96b503934db7534a19462c5b1048062

    SHA512

    3b30894fcb5da4a4d2d547fdc284ded39618ccd3e0dad12f28048272586185637b3672dbf6ad0078a9328472f539df4b04c776718266365340de6d75770a200f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Impose
    Filesize

    58KB

    MD5

    a418bf4365b98e289e98755495cb18c4

    SHA1

    2442a3f8790f23bbdb198bcfc311bc47add7dfc3

    SHA256

    78ad49b9876b0d27230a2f79fb5df6e9b4c36bbebf341befc634b26522512d06

    SHA512

    87f4f6543e6f94459c4a8bf66752753f59a74d72cbd5626a47a6669a203a75d07cfda533c5aca75611148d53bbeb6103fef8e616a8c2db0b62a367259939f59b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Interpreted
    Filesize

    22KB

    MD5

    75f98f10e09c4433d569147011cc9a05

    SHA1

    224f517e23aad2b6adfa4a40b65ca3cead5a3a0b

    SHA256

    2832875b3dd3e06dc65c8906b2e614c7e936683ac8412d6791216a0ac09b910d

    SHA512

    b08310ead0be4b4a5e4da5fa9fc96cce2d8339d3dd3baae37d37e550b2174e45d67bbc878391707b1c2f87fa90363647bd8299a8f0ac00f7db4d08566d60db04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Peninsula
    Filesize

    77KB

    MD5

    72d86f3799873992bc1d1ed687e53733

    SHA1

    c3b0354c26196bff38afd650cf3f3cfbe26529cc

    SHA256

    f4b07ebdffe62371c6c8579cbda621d77ba42c4d71884ee8c4fad7b69e326ac6

    SHA512

    7b60bacda5628f5509395982b35f081b123234601429d515420e5cf4ab5cce5690702824c46becf2f7f650abb16067d58fce2247269394904d8977e41b68440b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Prison
    Filesize

    79KB

    MD5

    dce08817a17d5b5b2e9d02e3adfdeb20

    SHA1

    5e7c75da1c952f815dc9e056fb6b560651d1a25f

    SHA256

    2cfc066b6524818cc60ba0261217caf028c9dc01203a9093011ff0816a850581

    SHA512

    de04331f041c106adbcc6e421c2742efa89e6fd33e5b95695130051421d1ba12ea41741e4ef669d09de0e1df234b38df2902774d5909b6f8c241876c06059364

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Scores
    Filesize

    11KB

    MD5

    bd9719de303f6daa2d4ffdffd1ef36fa

    SHA1

    98f7629ee6e590f1cf90b2470062b766e901f689

    SHA256

    96ef58db278c05776541d0090d4d39bd4713883b69a43568f26bca336701e8a0

    SHA512

    6b32a916838958364457079d4599b5ae1cf98d1c0f8f8fc1a6dfbf7470d22612e795e876935cf375be0fcbbef67d017429146d821a43d3f24bcc18b1143a02cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar35E4.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Working
    Filesize

    909KB

    MD5

    1feec771fdc37e7fafc5ec0993c3a819

    SHA1

    b1f0e57c3f8d77fca3e26d98308bb4008cd8dc59

    SHA256

    b74e06495f1694988fce28157b6474421608c9356152dd0bc8556be0a43c8e33

    SHA512

    fc7153318ad929f76bf9726f7c744070667e0aa55be78a4d94f1874daf85bfcf646ee152a0361e91544a027de27ae3001b278b7cd381afc176ef02999e320f23

    Download Submit

  • \Users\Admin\AppData\Local\Temp\607425\Deferred.pif
    Filesize

    921KB

    MD5

    78ba0653a340bac5ff152b21a83626cc

    SHA1

    b12da9cb5d024555405040e65ad89d16ae749502

    SHA256

    05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

    SHA512

    efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

    Download Submit

  • memory/2348-522-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2348-525-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2348-524-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2348-523-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2348-521-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2348-520-0x0000000003700000-0x000000000375B000-memory.dmp

    Filesize

    364KB

    Download