Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 07:14

General

  • Target

    4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe

  • Size

    1.3MB

  • MD5

    8ebe173ef15f3f077c14f0ac60221d30

  • SHA1

    366be85692a300a27a79549350c314acf0bac2db

  • SHA256

    4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873

  • SHA512

    8058484f9c472b43d29674a06cadf3c791f686ecbfac0c189fc1224aeb9c29f6e9be044e933bccc403e682758d8cab3a090e6d88d7328c8e6d0acee5f2cbb9fa

  • SSDEEP

    24576:aE7Cf2MeIDYktoF8/vcipzlE6mnkOGCUOFm4dxT+YDhYDYZvRuxFt49CBa5OdQw:xCO71q/finkOGCE4dZ+YDhYDYZv0x74M

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe
    "C:\Users\Admin\AppData\Local\Temp\4c6a4865f91eb5b226c260ff5fe90dee53500bd58b7b4d122734b832f8b93873N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Regards Regards.cmd && Regards.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5012
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 63933
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2608
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "FLOYD" Benefits
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Ada + ..\Pac + ..\Hidden + ..\Murder + ..\Billy + ..\Tree U
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4820
      • C:\Users\Admin\AppData\Local\Temp\63933\Compare.com
        Compare.com U
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1772
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\63933\Compare.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\63933\U

    Filesize

    468KB

    MD5

    9ddbc6f3c0992b62cae004a83523fa4f

    SHA1

    aba36e7a19f0194aeaeb513845ff3524d47115cf

    SHA256

    5d3b6fb7ad2684de36a7e35ab0007665661f419f59eeea23af227fdd69e23d55

    SHA512

    f6a08a8d8264c658aa8e753f2fbd022eff78b11faf82458183c97e88eb3b7e92ad8fb2d95977a81f2d744fb147513b21f07a8f57389f45be98c1b320bc87167d

  • C:\Users\Admin\AppData\Local\Temp\Ada

    Filesize

    85KB

    MD5

    572765e3533d7edf424941f84889c7fb

    SHA1

    172192b1443476f3a67979045947d254a96ad28c

    SHA256

    447dd3ddeabe2ee7a5eb1134fa09a7b3ce28f9f23c50e863ca3cd48d983cf87e

    SHA512

    2e0a1eb73c49a0948d899ad6d63cdf383ec3fb1eb34f88067062f2cf2d7aae161b3ada18093ccec7f7a16877ccfd4f1377dfe46ed0fd281cd57c6c2ca7d7d746

  • C:\Users\Admin\AppData\Local\Temp\Author

    Filesize

    123KB

    MD5

    ac8e53279c542fb983ff32be08887477

    SHA1

    2a3db44f11f2c759d24e44dc907e40ccf91f0bdf

    SHA256

    5220bdb2fef7452be3cd0b3b1d62a525660a35710ce27644fe72454ddd020bcc

    SHA512

    90ea81bea63d9ee78db41631053b477f732791907cedcfb3794f62331412a5d954df8422a3d201a1c7d1c69928795cb4de99c76933e8e772ebca4f76fe287766

  • C:\Users\Admin\AppData\Local\Temp\Benefits

    Filesize

    1KB

    MD5

    558727433b13c0e50c574240f6ba47c6

    SHA1

    3c94f3820a2e9003e5ecc024240225ef337ffdad

    SHA256

    372cef0cb2dd963ff4400d53757d26330d704174f42bee2672f7bd023c473980

    SHA512

    9d4d0af01bca6bbf4b62d587355453b110fdd93bd1bf475a016cdc3f48ffb5745672cc04370a6a27cf4289896aa6ec18f416ca583c0fad09105896a896f5b3fc

  • C:\Users\Admin\AppData\Local\Temp\Billy

    Filesize

    70KB

    MD5

    a3843f499291980bc0aa44677b2dde67

    SHA1

    21d766d0f1d82560889514d9f435d849be0c9809

    SHA256

    94fd435c86e9a3a96f9cf24d3647c22c0c2bc59f6f2a7e5459cf42a856939e16

    SHA512

    d981aaa0ffd7ae4dd7e44c5e64371c2c9c3d9b70729282e68965841225f413c4bf98f4457f4b860c5742207da1a9c20c7cfbb53c16488149c92484973d845dfc

  • C:\Users\Admin\AppData\Local\Temp\Creates

    Filesize

    18KB

    MD5

    b1424ba46b55c44b8b6a863813d76084

    SHA1

    a773b48b51e639477848d7e34c536a1d1ae28213

    SHA256

    598c4f845dd14984a8d883120c40021a9276e4eb1c6e4b9eec7a01f7a61bf27e

    SHA512

    7ffbe088dc2b601b042c87446cf12cb3a7a955efc780432a84e6a7880777714dd8cf347a424944f037f140f2455c5f6153aebef6846051cea25ee266ad72c287

  • C:\Users\Admin\AppData\Local\Temp\Distribute

    Filesize

    61KB

    MD5

    14ec61ec00a2bfe96034a7fbdfe07eab

    SHA1

    c80f99c4f300a91335911be2e8afd2609e6af1d4

    SHA256

    f589d7b08b87bd1955f1c87b8da10187e6e583b6c0c8184e547a2b04c0adefac

    SHA512

    3398428e6169823e7ecff9d1e3d9bdd13fbe0b00a2d857c3f3c63a0b71bc75f4b2e82738ab6989f6fe6d67cd2baa74cf30c708a76399730460102817ac251dd3

  • C:\Users\Admin\AppData\Local\Temp\Fold

    Filesize

    65KB

    MD5

    023697fe11a98da9b784c5d79df67271

    SHA1

    783f0773e94f8c31133cb437a318a89d199082b0

    SHA256

    adaf981f6187dbb7c0089039d1e316bdd43cdbc83ae88ce100b322e610c64e61

    SHA512

    45ebae92d5709cb9c140d442b97eb0fdc64e837f0fca911a489b9b32a4f650da2f329223410deedd6961057cd50e0501cc7252b270020012148a3c44ad8dd7cd

  • C:\Users\Admin\AppData\Local\Temp\Hidden

    Filesize

    97KB

    MD5

    d1257688e6e845c4b354d7f7bf9e62b5

    SHA1

    a3d736d4ccf6d711f75dda29e61c369db41f1787

    SHA256

    2f182be17bfbc7f5539153e93b17f12935fcbbab3f2cbc4b43c2710a20531e8e

    SHA512

    6c6b4dcd7836bccd9fb00c17bd225c1fddf68a914d486b07123bd004fe73c206675c2fbf113bcd63a9a301d2793e3a3f353280e1c852267e56d06cd1f2561441

  • C:\Users\Admin\AppData\Local\Temp\Indicator

    Filesize

    117KB

    MD5

    84f86aafc5b60874096506beb0495562

    SHA1

    aa0bc8d60df328d1fff514cee20666c6569e00d7

    SHA256

    6d0a88ae29d79fc9339ffbfdf4acd775e4a1fc7e8a361a3e2bbb3ae8b3ea11ba

    SHA512

    389d65609738d36fb3a83f1b5f5451d17af33881b36c8326eb7f0a1b6b0690852277f107bb27ad245aa4f690352d96e0d8aeb8ae58587d9b87ef8fe7701f77ab

  • C:\Users\Admin\AppData\Local\Temp\Joe

    Filesize

    58KB

    MD5

    5e101d6fce9a8f49fe52f06d20ab1986

    SHA1

    7ccfc584ba6b8fe18d4c4e7b4996797a23cc9a34

    SHA256

    0193896d3f430963179e6c2c205e1379a6c5e67bb8b8dc2edc33cb029089ab05

    SHA512

    3d4a26bc13814bb487481a1b30053489bbbfeba4f6453631a1b6fe8801ab2602ca6b425800d67cad15a0ffcca07bd043a1af4f815a61da09057f234472a7b4b9

  • C:\Users\Admin\AppData\Local\Temp\Melbourne

    Filesize

    108KB

    MD5

    015f102a59ef199628aea96ad1abc7f5

    SHA1

    d7217c0d029a8faa50175d9dcda1be5054301fa6

    SHA256

    deba36b81dd30e3552f59a6228e288c57b1ac0fb06831c4b36ca8b74625b526c

    SHA512

    fe876f727335b278d49075a0cbdb44d75f321cc2b66faf3bdacad79356d868277bb95104cf894350dc8616908f11ba77b6d2f0aa0b4724f46d7a566970717eef

  • C:\Users\Admin\AppData\Local\Temp\Mexico

    Filesize

    116KB

    MD5

    3d49859f103afc62f7ca44b56fb1e3d2

    SHA1

    9482acc5b8eb643f84d58508a67cdd0ad571f895

    SHA256

    9a498853621da4c0c749f17a20f067be6b989d416fbe198e6f339cb482dbeb70

    SHA512

    ef0186670704a682c3bbcb95c4a18ec16edfefe3086220523cbbc479aed744e240eee23b65db69d84bca4ff61152334045581b745e3a556a4222fc78737f3bc0

  • C:\Users\Admin\AppData\Local\Temp\Murder

    Filesize

    73KB

    MD5

    22cc3e7a9e2b41175ce96192153976b1

    SHA1

    8799e7bb491e50f35fac259368439505aa626533

    SHA256

    4722ae236e09f912aa59320e636f17546adfbae4c8d9018aa88e5a9dfb1b0ec1

    SHA512

    1b22d4334cb3af7190b149265511ab3304c262ed1b71e0209e484ca09479d4cb207a6ba96d356a9de61918d42482050494fcc4d3e5544631c9fddf9eccae84db

  • C:\Users\Admin\AppData\Local\Temp\Pac

    Filesize

    99KB

    MD5

    8c055f2536394da01f2f4f89094933c8

    SHA1

    cc7ed4b7b39e915f5659d2d562c493ab95a77d3a

    SHA256

    052d4165e402692097e963c7754ca2db16f81e909d66dd160f31d5baef13c433

    SHA512

    260fc6e254f75eafa5a4e5eff6d12e0eea84b5f0e6f639f50c348fa0defd76c0db0fde477090cb2141589161fb8f63659b5c7a2b3ee90e88800dd2b4b02f1839

  • C:\Users\Admin\AppData\Local\Temp\Particles

    Filesize

    56KB

    MD5

    9eb5ab8b9762d1104b76841a147a47e9

    SHA1

    be761b276c5d086e1b119c6834ec3d6ae0f0eb7a

    SHA256

    19d806b5883d0da104aacc6b4a3449cee32c13d4f50d604af0b4f7bc5b3ee9ac

    SHA512

    4f5b658e3c194a713eae87d706d7933c1fe81fb03d0259224b2013ba10eda97954c1ae6109cf9bd8940ecbc157e15326f441d835d04cae28867940a8004aa1af

  • C:\Users\Admin\AppData\Local\Temp\Regards

    Filesize

    9KB

    MD5

    337c9e7f6c3d1244d2a7f977540f6543

    SHA1

    ed017d14aef9f585112c99dab0ab440ef200736e

    SHA256

    2f8cf4f585106302aac7778b662c02e5be45ee7f6fa98c128fc0ee8c2463b51a

    SHA512

    bd75530e03d2146d5b83076cd76da7e178f53259d892cab2776dfb1833f1478990f4afa1911dc10858328e475a75bfb227d1f69d35b860cbaf791734ffe89187

  • C:\Users\Admin\AppData\Local\Temp\Star

    Filesize

    71KB

    MD5

    32f05ff849745d873a8ba45c37ffc2e7

    SHA1

    11a5e49705329f973127bf18c21ed4a71f0643fe

    SHA256

    1e8b134efe1c131edef569445da98287ce82881b2be8dbb137fd31024e5078e3

    SHA512

    b3f41c64498f8622ad4fb24b497b45842a3e798ac179d689f01af506be67578d49348ccb4a644861d559ea4f9abe0ce4fc5c9cbc6b85e1982fc7cd3c703fc319

  • C:\Users\Admin\AppData\Local\Temp\Swedish

    Filesize

    55KB

    MD5

    065636bb55b8c9175f08faa1e2768988

    SHA1

    b5c9c62589a7a4a8ec0ba59aa152cd70251c61e9

    SHA256

    1836e1f36ebd51487b7bcb29d3707bee7b7d9e32b7be339e8dc6526b69af922a

    SHA512

    da397f759f9bc22f2dac365f81cdb316e1a3a79870191a75a5c41721a271e6b829282bc3f5a8f07a17865627acd2824c60e0f71618d288b4230d9d50a8735ab4

  • C:\Users\Admin\AppData\Local\Temp\Taxi

    Filesize

    75KB

    MD5

    fb6a357b559218affeb06c70f1b37507

    SHA1

    8ffd07ee5a7717c1b4e70ef377fc278254521b64

    SHA256

    e740cc0ec551361cb5ce2991011f77a6e59757acec70a0f53a91d732d677f535

    SHA512

    951d096ba5ac99a682782ad34f4e3b1148e7148813d13a2130ed382e1e194d4e8058e63c775523f2bfba50c92fca039ac30fe8d95ddbef444b5b5a2d039ee05f

  • C:\Users\Admin\AppData\Local\Temp\Tree

    Filesize

    44KB

    MD5

    453b2b4c96ca03db9a82166c6a062783

    SHA1

    980ccc803659ab48a65453aca6f8d9d81d319eb8

    SHA256

    d43e7585d2e0e3172b4f7069f72a2c37baed60bd6b57f91873e2d3ac9c5acf4c

    SHA512

    deac4b555c8a5ee93899aaabc0d3ca9f899f9c8909d7dd413f623ffbe3caaf6e3c54fc72c9b9ae334f97b01db6af2d9dd1146512447a42c334544dc74f7d0bf2

  • memory/1772-272-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB

  • memory/1772-271-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB

  • memory/1772-274-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB

  • memory/1772-276-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB

  • memory/1772-275-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB

  • memory/1772-273-0x0000000004650000-0x00000000046A8000-memory.dmp

    Filesize

    352KB