Overview

overview

10

Static

static

1

57bdd9c5ec...5b.msi

windows7-x64

10

57bdd9c5ec...5b.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 05:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b.msi

  • Size

    2.4MB

  • MD5

    896fb90e32e5ac077d7048884ba7aff9

  • SHA1

    dac99dae9ff264eaa302dbca0cecd42d78dfc94f

  • SHA256

    57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b

  • SHA512

    3eb744de0ed9ae0611486ac1bc654e227ce9a97b2b84cbc6dc5a72b9cac1b16204e7d4d34c5e5dd3500abdef81255ea694bf0c218f6d0c925d99f905337eecc7

  • SSDEEP

    49152:+k2GffEmyfZgElK2Th08HZVT0k5AiLUMUu+PhxiSFxT0kEpd:bffEmOZgElKEdZe3MoPhgSPT0ld

Score
10/10
lummadiscoverypersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2776
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Layby\ManyCam.exe
      "C:\Users\Admin\AppData\Local\Layby\ManyCam.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Roaming\ZWS_Agent\ManyCam.exe
        C:\Users\Admin\AppData\Roaming\ZWS_Agent\ManyCam.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1208
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2668
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000338" "00000000000005C0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f77038c.rbs
    Filesize

    8KB

    MD5

    1de9c4c10927a9bc82d704b1183d6e0e

    SHA1

    488e205e0da1b2553e74ff4dcdff49a2cb5d8828

    SHA256

    0e1fa0beac6e60b9d2083fc58d642128cae5b7b7688db154e6ea8a7c98274652

    SHA512

    786433f58d264c8ca73d6727a74a3903e4a5796d6efefaf2ae7ded25ec384ca67a6d81e34fb0f7fcdef65523ea5352966371033e805bf79379b5384700165aa1

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\CrashRpt.dll
    Filesize

    114KB

    MD5

    62ea1a57e6f1939eef5bf2bccf8bfe08

    SHA1

    d1792b6c7f19420fe925210777e99a92f7173c3b

    SHA256

    75a4c10bcdf5ae133dc809e413143a96ca9522569a05b39fa3168ae6ee6da6e7

    SHA512

    02f57bc51e0e407eeadb4f3bb39cf1191b5906e76a5b86a0388bdc66f2ef871b49d72f3c76eeca1357795dbe67a08009597adb41dadf5f758f00aea9c02a2786

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\ManyCam.exe
    Filesize

    1.7MB

    MD5

    ba699791249c311883baa8ce3432703b

    SHA1

    f8734601f9397cb5ebb8872af03f5b0639c2eac6

    SHA256

    7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

    SHA512

    6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\cv099.dll
    Filesize

    664KB

    MD5

    2a8b33fee2f84490d52a3a7c75254971

    SHA1

    16ce2b1632a17949b92ce32a6211296fee431dca

    SHA256

    faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

    SHA512

    8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\cxcore099.dll
    Filesize

    908KB

    MD5

    286284d4ae1c67d0d5666b1417dcd575

    SHA1

    8b8a32577051823b003c78c86054874491e9ecfa

    SHA256

    37d9a8057d58b043ad037e9905797c215cd0832d48a29731c1687b23447ce298

    SHA512

    2efc47a8e104baa13e19bee3b3b3364da09cea80601bc87492de348f1c8d61008002540ba8f0df99b2d20e333d09ea8e097a87c97e91910d7d592d11a953917a

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\cximagecrt.dll
    Filesize

    487KB

    MD5

    c36f6e088c6457a43adb7edcd17803f3

    SHA1

    b25b9fb4c10b8421c8762c7e7b3747113d5702de

    SHA256

    8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

    SHA512

    87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\dbghelp.dll
    Filesize

    478KB

    MD5

    e458d88c71990f545ef941cd16080bad

    SHA1

    cd24ccec2493b64904cf3c139cd8d58d28d5993b

    SHA256

    5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

    SHA512

    b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\highgui099.dll
    Filesize

    388KB

    MD5

    a354c42fcb37a50ecad8dde250f6119e

    SHA1

    0eb4ad5e90d28a4a8553d82cec53072279af1961

    SHA256

    89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

    SHA512

    981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\intercessor.raw
    Filesize

    775KB

    MD5

    5cf9c5ab7c4f58ddb2e30818731a546c

    SHA1

    ced3fc10281409a893881d458160e4fc02625687

    SHA256

    f1a74a1988d5a88e161fd8ffe3e4c332f6566a61f7afc0536446ce28c0e6432e

    SHA512

    ec3003a76840de0fe876a9bd6391d443dfbe7fc0fed1593b52b26e4ad7635efe11d0d585893b7e4b9380cbcdf625478cf41c2a2e7284f36614d501434c9548ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Layby\javelin.mp3
    Filesize

    27KB

    MD5

    a0996395ddf43ba787ba62e48b24074d

    SHA1

    9fa7af708aa2d1626a8885ef336acd3abda913f4

    SHA256

    1578d251a4bc8d538d0688de2c585d6b9d8d4223f10308c86fb25790e23833d0

    SHA512

    55371f41f3cc8e324fa75bd6d293160da3af5a3178bd5f726067bc48e9a04b18914020f75f45ae1c9368e3cfd6b4cae2b8ea29640c79ef0a4d8bf44b06bf3ba1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9DA8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9DBB.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\e025117
    Filesize

    1014KB

    MD5

    662fedcccd7e564ea42f86e65a63dfc4

    SHA1

    e18ba8327eac05050b05e79a853b2f171e42ba9f

    SHA256

    8b3ac75ee5680509eefaba984a94a88db337e871d3be74274af872d5db2689cf

    SHA512

    063f91029175fcbc87981862fbea72884a4dc0da1a4c4cf09f3066130244a7864c1ba980219be6192b600bc693c74ec336083b94fece1a4dd64a1b8690ea3d38

    Download Submit

  • C:\Windows\Installer\f77038a.msi
    Filesize

    2.4MB

    MD5

    896fb90e32e5ac077d7048884ba7aff9

    SHA1

    dac99dae9ff264eaa302dbca0cecd42d78dfc94f

    SHA256

    57bdd9c5eca5fa517551038cefce58470fa011d1a461e9e4650d34918f23755b

    SHA512

    3eb744de0ed9ae0611486ac1bc654e227ce9a97b2b84cbc6dc5a72b9cac1b16204e7d4d34c5e5dd3500abdef81255ea694bf0c218f6d0c925d99f905337eecc7

    Download Submit

  • memory/1208-175-0x00000000000C0000-0x0000000000116000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1208-102-0x00000000000C0000-0x0000000000116000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1208-101-0x0000000077660000-0x0000000077809000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1928-99-0x0000000074910000-0x0000000074A84000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1928-98-0x0000000077660000-0x0000000077809000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2800-54-0x0000000074900000-0x0000000074A74000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2800-55-0x0000000077660000-0x0000000077809000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2800-46-0x0000000000140000-0x00000000001A2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2800-42-0x0000000000330000-0x00000000003DD000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2800-38-0x0000000000240000-0x000000000032C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2872-93-0x0000000074910000-0x0000000074A84000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2872-95-0x0000000074910000-0x0000000074A84000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2872-94-0x0000000077660000-0x0000000077809000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2872-85-0x0000000000B70000-0x0000000000BD2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2872-81-0x0000000000AC0000-0x0000000000B6D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2872-77-0x00000000002B0000-0x000000000039C000-memory.dmp

    Filesize

    944KB

    Download