Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2024, 05:30

General

  • Target

    desde mi cielo 1080p torrent.exe

  • Size

    810.0MB

  • MD5

    936a667975ad732b9559bca4fede3148

  • SHA1

    2b85c19176ab5777355e05cf2a3bb7c83e0e3ea9

  • SHA256

    ec3b6fd0fb2cf71a999bd66f47ad392780f735344a3a7856e874420463a80793

  • SHA512

    20ddb8c49283a309b11775d0c52cd726f885cd33a0f7a2af16c89c096a288db1d7f01ec8df5c94cd8f9db069949b84c4cdd0d3857b0c42d23e6b7ac059a8bff3

  • SSDEEP

    786432:z2ja5CDqNKngw0ll1apGvuhNgrGnIymt3:iu050llAF5mt3

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://offybirhtdi.sbs/api

https://activedomest.sbs/api

https://arenbootk.sbs/api

https://mediavelk.sbs/api

https://definitib.sbs/api

https://elaboretib.sbs/api

https://strikebripm.sbs/api

https://ostracizez.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\desde mi cielo 1080p torrent.exe
    "C:\Users\Admin\AppData\Local\Temp\desde mi cielo 1080p torrent.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Shorter Shorter.bat & Shorter.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4572
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1104
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 469796
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4268
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "YardRejectedXmlBm" Beijing
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Herbal + ..\Aerospace + ..\Freeware + ..\Thousand + ..\Father + ..\Laura + ..\Liechtenstein R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\469796\Lanka.pif
        Lanka.pif R
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3416
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\469796\Lanka.pif

    Filesize

    872KB

    MD5

    18ce19b57f43ce0a5af149c96aecc685

    SHA1

    1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

    SHA256

    d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

    SHA512

    a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

  • C:\Users\Admin\AppData\Local\Temp\469796\R

    Filesize

    500KB

    MD5

    767751717a43e657e77bced6ee51548c

    SHA1

    e249e59f20446ef5a6d1b9798948eece89203614

    SHA256

    cd1790dc1950c9f31ebc8167a4524a6844a295f84780a3593d7bdd0fbfbf4037

    SHA512

    0f67d6689582939cbd6ad28c335c8aa58e5ec3f14e46616ec0487e4a577b578fe8613613d6cf3604c8f6c29a2376e12adf8fe12a59695a9f4a8527d564e3c365

  • C:\Users\Admin\AppData\Local\Temp\Aerospace

    Filesize

    93KB

    MD5

    6f2c9f972fb7762db3a7cee19adfc8ef

    SHA1

    176cf257a42a92255da54965d86b136abb9be9d5

    SHA256

    a7c8d321fa44d2e8022c68d4ded41398e445117a3d0011dce8cb4b054f0728f1

    SHA512

    9d4e29dc98b571affbf28146a4b47840dba2d41c91cdae271884076dcd30cc15ed79d40a345cbe56ae47b0a3020fc75d21f082f515eda91e7fb99b8e9899d7be

  • C:\Users\Admin\AppData\Local\Temp\Beijing

    Filesize

    5KB

    MD5

    8a36f26715aade86b7320b4863aba4d6

    SHA1

    e212ff87c64af3fbc2e49512c1c982c9dcad83a9

    SHA256

    e51f03629e17c1751a4ec1bf882fbe8857daa60df006f597ff6e9bc9ba4266f0

    SHA512

    2e17ee3e4b17c1ce3abfb4dc22ca9151106c8bbbb1781a989224ccda5246a7e15090e221e12d3a7d519ac5789b2ddecb42f03b2510a2b38fa75ce7acf2a173c1

  • C:\Users\Admin\AppData\Local\Temp\Beyond

    Filesize

    867KB

    MD5

    e328d3a88a3dc54187aed4718852dc97

    SHA1

    867e94279933dd8843a6bdf8f5d4b77a07394428

    SHA256

    2b5fba4631cad2e2f7325a5c3933537c0ced903d0d864d249b815c7455827e33

    SHA512

    c319a64d535fadab0761592f2d9127007e3d2b0aad56a44fb081922507945946b153f1ae2903d68d8b85a4fe8188eee502aa802e4c8db3196c3ef719ecb58c48

  • C:\Users\Admin\AppData\Local\Temp\Father

    Filesize

    84KB

    MD5

    e33108d3ebd3192eca0f33e9608a8c9e

    SHA1

    17ae3110e2269d7fc8fe0f250d1b95e74a4c6925

    SHA256

    ec8fce10d8fd097306396bd7e397911dee61c21581bc6980266fe521d516a26b

    SHA512

    e3c80b4a68fe8c330073b932e90306677789b10aa928ea7d8314e39d2a1e6eeb6f746c5bfa5a76f944b083e5131fc8f1c7d277e6b1403ca4d6cb3d7737f621ed

  • C:\Users\Admin\AppData\Local\Temp\Freeware

    Filesize

    96KB

    MD5

    0f09febf3fb160b7aa483c8c98a9b112

    SHA1

    76612fbbb45afa319b898f56fd77cf5054f7aec7

    SHA256

    10c321ff76328484218aa4152cf10ca49fb161f20049fde1fe7f41a4d56ebe1a

    SHA512

    fa8849358d1b1ac08c9af5e260de143fdd27a1669a8ebdbaced9d71de9bac508f59e9b553548ecd5452f765bb6ae76205c01b45f425a7bbd1ce82dd5e4aacea9

  • C:\Users\Admin\AppData\Local\Temp\Herbal

    Filesize

    80KB

    MD5

    58ef415d4faacc562911da262c6ec211

    SHA1

    9fe97e5b798b7c063a99a728fd7ccb7ea5514ce0

    SHA256

    cf301a469d167182ca46cfa50f7f360f44ffd89833821e749f01d8890f7002c7

    SHA512

    cff8e04e15e2aefa81e74e4ea6da4224e09282c2cfdd639ee279a85360670e1abb5a4bc53c2ef4aa085b5de5302c1b91fd6aa182094900c71e37abdb76b52daf

  • C:\Users\Admin\AppData\Local\Temp\Laura

    Filesize

    65KB

    MD5

    b90ca47e06c39a3b65cf8d9fa07e939f

    SHA1

    c1d571251b01d1822f4defb4c6344f3a3efdafe9

    SHA256

    e735052d4c4cf8c324729d4395eea5ac20d588709b420bb03b2f111a905771f2

    SHA512

    4ff91149866a350becbace627835e6e0a666736c325403c50245d420be2b46f610f7ff1dcf911d34d1b9493c112e453c8170688808072aa6d32ffa598a8a298f

  • C:\Users\Admin\AppData\Local\Temp\Liechtenstein

    Filesize

    12KB

    MD5

    3e2f5192be4bcc565481b83d50d86704

    SHA1

    9253acb569f845531c1bfb1bf2f4e2f83450b98a

    SHA256

    e9543047fa33fd6e2a472360bc8410f7adda502cbf8c70de3e4a3f103514c312

    SHA512

    6497eb7673eee571700d0839b17ceb160f77de5723e56e1cdd7832150b476c4a0813cf040e3ea6d0a20a8f0e1f41efe59390cb32283ac549b8602e78cc24656c

  • C:\Users\Admin\AppData\Local\Temp\Shorter

    Filesize

    19KB

    MD5

    931ffaa54c401ba808bc5f45617d639d

    SHA1

    cdc51cb6e567ea14bb160ffb6e37df06893ddcf2

    SHA256

    f97aa1ce2faa4bb8d8e804a3da157a2f3da7fac8e5a9c3187c2d7ee6359d393d

    SHA512

    f5da67a5156c5c362a4f58e107782d5ee388dbc598a285e019cae79d0085cce21158722c4cfa751cac0605ec8485bb44b2b19e9c9e742139076ffb370bb1c33a

  • C:\Users\Admin\AppData\Local\Temp\Thousand

    Filesize

    70KB

    MD5

    300d29f97d78b653bcfaaf668acbb40e

    SHA1

    2e0997300535a5f11e8e2377bfa8a48b65d9eb23

    SHA256

    0c165fb4489249c5d5ecf3cd3c25a432cfeeb5e1dbca24a208364178bd07b122

    SHA512

    e3719acd3e68c40a37b13453a0b92705b86e16fa8becbc3483871e1748be28ccc987266d942752aa7e7d67e04103f9360ceecb7dc0301ff83b7483f55eab2f7a

  • memory/3416-485-0x0000000003E20000-0x0000000003E80000-memory.dmp

    Filesize

    384KB

  • memory/3416-486-0x0000000003E20000-0x0000000003E80000-memory.dmp

    Filesize

    384KB

  • memory/3416-487-0x0000000003E20000-0x0000000003E80000-memory.dmp

    Filesize

    384KB

  • memory/3416-488-0x0000000003E20000-0x0000000003E80000-memory.dmp

    Filesize

    384KB

  • memory/3416-489-0x0000000003E20000-0x0000000003E80000-memory.dmp

    Filesize

    384KB