Overview

overview

10

Static

static

3

robloxRRR.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    68s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03-01-2025 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    robloxRRR.rar

  • Size

    102.6MB

  • MD5

    7c16c4bd0b11a014003de2e57f93b211

  • SHA1

    9665671ad9ee9726d3fb06e71a2b90ae93c9d8ff

  • SHA256

    79040bd6e8e007322f94c69b59cbcdf02f328956f92137e13bdbd7ac99a2a482

  • SHA512

    86071d7840feed3d0eed0eb2cfe65512c03789cce0202a0814b990efcbe58a2d7d4a98b208b81fa01c42d49d73cf4c5a049661b979c1bb59485532ddb3da720f

  • SSDEEP

    3145728:Z3SXrrV68OgH66iUckD2aMTddr73md9kgiCF2:1xBpdd73md97A

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://enterwahsh.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\robloxRRR.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2516
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3836
    • C:\Users\Admin\Desktop\robloxRRR\WAVE.exe
      "C:\Users\Admin\Desktop\robloxRRR\WAVE.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Looking Looking.cmd & Looking.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3024
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2828
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:724
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2088
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 157228
          3⤵
          • System Location Discovery: System Language Discovery
          PID:8
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /Y /E Sword
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4860
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "Albert" Ladder
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Planning + ..\Residential + ..\Invision + ..\Dating + ..\Terrorism + ..\Salmon + ..\Earned C
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3932
        • C:\Users\Admin\AppData\Local\Temp\157228\Beverly.com
          Beverly.com C
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3780
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2944
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:224
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1064

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\157228\Beverly.com
      Filesize

      925KB

      MD5

      62d09f076e6e0240548c2f837536a46a

      SHA1

      26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

      SHA256

      1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

      SHA512

      32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\157228\C
      Filesize

      477KB

      MD5

      ad75727ca3fd977bc4874e68730bcf27

      SHA1

      abd1950c0a643757cc147fecb654a15608e60af1

      SHA256

      621c644963abfd2361a278bad26e04d429c6a9eebf3df7604cd7ebb473ed6ef1

      SHA512

      ff3dea9797e188b069c436fee411a01674b755adea61fb4ce5573ecf36c48bb2aa0b2dd7c3c40a3862ebb40930de14a0af9d0de97e8ebf4c1a4e47c9417b4664

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7zE4D94F587\robloxRRR\workspace\.tests\isfile.txt
      Filesize

      7B

      MD5

      260ca9dd8a4577fc00b7bd5810298076

      SHA1

      53a5687cb26dc41f2ab4033e97e13adefd3740d6

      SHA256

      aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

      SHA512

      51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Appearing
      Filesize

      129KB

      MD5

      389f15f700ed5096be8174d6e2aafb4d

      SHA1

      41fe1dfa0594465aeebe620904b02f4fc2fe573c

      SHA256

      7249b89b339590a5c8351a57c9fa065d82bb9f85e1a1d7a7a796bcec26900a6b

      SHA512

      ea7e2d6e29e763eafe33ebee99d6b39b7443f9ce1b05ac0bed41a381ede0c5e4e2a506c718ba1c7513cdef8b15a6c71d1b4c99f843c01b4af5211c4c3ebcc4eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Clinic
      Filesize

      95KB

      MD5

      6ce657ef78fa3f0566e76e2b22ffb201

      SHA1

      fe940f20590478163b7cb0f0b122976bbb7654b5

      SHA256

      8253a7bd803a78ed4e33740a9e18ecf199a15dd1135cfd77a5c87d09336d75f7

      SHA512

      d171dea2acaf02f3beb64154698e2e686673faff312c21f4dd83b38d0ce3b966b5eb1b018b293f50f622e5f7ca691c799e443a52d80799f1e5b085c216c9ce72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Dating
      Filesize

      85KB

      MD5

      0c8d8923aa4290a898a9deb197a4426a

      SHA1

      2330672e22c3e11298e34a30de6c853c9324d791

      SHA256

      bbd5c78d2a516616f983418161a293a8e4be8f2e6b12f2a6ff3cbeeebee2478e

      SHA512

      836af8b03b9cbfbc0b523a075ca43eac408e3f81fea9d1fc3cc34f365a6e6d61b6f736d13b3bf7b4a4fbbe6f5743acf24e6fb3281170abcc849bba088a6463c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Earned
      Filesize

      44KB

      MD5

      06fca13b2547e95040bfe29831f0bb70

      SHA1

      e0cb6f43d9f86eefe0f0f61287d93cb6d69f2f7c

      SHA256

      3b9c74ad18a320b234333078cbc700a8934845aa40aa925aff85a3e1bdefb568

      SHA512

      54a8466ec5562a4f3bec63365b56cb9eab801b518f1581901fdafbb999c174244f0070024346a8c6f81571b82f16ab054aa8d5ce8b1bf52bd087d9b8381bb758

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Expressed
      Filesize

      149KB

      MD5

      85ae57f61e0086bffba40a1e4c91c6e7

      SHA1

      3a43a0863fc1341188ef150360f29757be0a71a4

      SHA256

      01ff066f0ae54d5b830a6b299eccf6eba2c9ebaff879c0dfea2abefbe1ffa319

      SHA512

      496a5c9513cdd6627ff4e51abcf9e012815ec48e97eb350407c5f0b82f89d896e3daac12df7ede148f7af2dcdd89f5a5846f8c27bf8a1e8862edbad54c71a863

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Invision
      Filesize

      81KB

      MD5

      ff9c8bede3cf96f32ceba7b82f553190

      SHA1

      c54016de5f681df6922cf7358110f3484cdc8bc1

      SHA256

      704bccd0a763a6ecb82c80d674bc5430210bee0dcf7270a185bb091dd82c6e85

      SHA512

      6170ed59c24be2b1b50d7be51d9f0a5f02524fd7d0043796878254ce9e664753f18799f374d6da0294005236fd7a0d8440613a52c2fd6dcd8587d763b0824d5c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Ladder
      Filesize

      1KB

      MD5

      4e20750aa503a6ec5186965bd15919e5

      SHA1

      2e6f31f18a40c56cd7a85ae088a9c37cce56dc62

      SHA256

      6ec8694e622b10aee88142a3993a9f8bffa3d1b7d450da0b38e69957ea287415

      SHA512

      90ce670cace7ce389cc536d0d1830787699cd207ae059181a8c1efeb6f21c4740ce8c05ede9cc3b57cdcceb08598a42c0bb86b78d1e29b84eb1a657de4864591

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Looking
      Filesize

      14KB

      MD5

      f79f564eceedfe379a685f58fbc066c8

      SHA1

      44c07b7a3c37d1f602ba4d880190ca3450cdd133

      SHA256

      e5543e4bfeeed293c5a1a7bb91cec4ec7c84c24966c8723050ae762ba52e390e

      SHA512

      995ac664a92e473bc5bd83fd552fdbc41df125f208be1601f54e6d31ae2adc9a6efe1364689f42d87b84061d6fff9d261ce9a877a18e93966dc01bc40f92c39b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Newsletter
      Filesize

      124KB

      MD5

      b433709ed52acfa0d481d6ca8e19303e

      SHA1

      2defc0b5b503bdd93a4d2d6b41c0b9141cb700a6

      SHA256

      125b2fe3b1a02c99381d32529cd362737b176464d260878befd881c0bb273b54

      SHA512

      676e47d37589356c768632db6c808c86f2d2b8022027c7a59b23154ed0c0cdcc92bb315649bb06f9dd3214f97c052a53bea847fc2be939a7681da292c1875c72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Nvidia
      Filesize

      111KB

      MD5

      52e79b5824f44420cb1ff69f94308e6b

      SHA1

      231101f444a93a6462ae342e9e841a7e67d56eff

      SHA256

      55668ce84e8aa39c7a25f464bd047b17921b16c43fea2898b5941889d5d86f08

      SHA512

      8b37aee313e2f5331743e9abcbaa69248c2ad7f04a53527e242d773a06afd5378628150c44f57c668e518a53b1df86272c226ff7adcae8fe7f5246b3c7b42eb6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Planning
      Filesize

      52KB

      MD5

      c3b050e4836913d6140d0a93aaa9c168

      SHA1

      ef5bc1ad348ddf9d605445412e25319b87664c07

      SHA256

      53273e3a932970ac33f28d526d16a04b3067cd02e2136ed2de120d45e1d20d09

      SHA512

      94c6c3fa20a7af1098731b31f44558ac6ef263b5c860ad6afd1501bb89e8875912ab08b2c5039b17749116717817285f3bd4b73bdaacf36ae306e2de8b723483

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Plots
      Filesize

      139KB

      MD5

      bf240879e5901191970301df75f38d46

      SHA1

      e5f2aa255e202ea2dd1a27d821077b7ff68af372

      SHA256

      884ecc272e5af9b8405c7e0fa621992097982d5a73c90b3a872fbe3d94cafdcf

      SHA512

      48ab2cc94058f4b64cb9d5164980670104be0108f362b3d603a7bc16002bfa4fe418e4161e6789bd2fe82c5c0f1516425eb72be7e1271fd1bdc9491e282551e0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Residential
      Filesize

      74KB

      MD5

      56f6f1af1426a3dd9159d95a84a9fcda

      SHA1

      901a50277c126af6cb91b673e198afa072213d76

      SHA256

      6a1ea52476566e41f06076682f7130694474de1b4b3da1d238dba83a78784d65

      SHA512

      3ca16ad67824c9a68512f5630a7b0c46130a98a4f8aa07649b9a562287b06f68dd94ad4b4e5ffb002a2d36d4780758c3179bf46b45a4a8f138b50a7648b4a3c2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Salmon
      Filesize

      90KB

      MD5

      1feb4c1357fbbdebf1d8b349274e69e6

      SHA1

      ae7f0a12049d1e3b8599e10a69c8f7bf6cd372e3

      SHA256

      c6c1586afd4643239c682d7ea47a2d4fb7add9bf2414613344d57510d69b0854

      SHA512

      912337306d4d690a1085b8ab1efba9097bd39f2e9d294fb45d1f6665f915c9e0bc0c8aaabfae7b1b877d1c9c1c56b5bbbba5afa2e6a0e53285b06303ab098d4f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Sword
      Filesize

      476KB

      MD5

      499ed03b7ae21cdffff268a0306ad12c

      SHA1

      8eb7280de2c81aff9098d2d27a8fa1c78bb922b5

      SHA256

      aa2f1c40e9e9bc463f7e062208d727453b99882c92d80d22690b32d49b83298c

      SHA512

      467f806ca3fe35263c9d49f0771136b18ef950d5c996f1444a52effe4c5114ba29451474012dc06e6dafce4076e5f7caaffc02513a8cc8f8747d2d325241f4b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Taking
      Filesize

      100KB

      MD5

      0db7671ab9e46a601d35c4e15ecbbfe9

      SHA1

      efc2664df62d48f17b41eda8b7128f8d594aae92

      SHA256

      613770da461c0d21c85ad7c78da261a70b8ef707286c7911c5dcec37f3f50d0d

      SHA512

      3a3cc60030dec32e1551f304d72baed1afa062cfd48b794cdbc5a207305bf91573fcd456d935f1f7ccc93389865e42308ec9ca948f3fbe9d915b0f41f01a219f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Terrorism
      Filesize

      51KB

      MD5

      fd7cbdf14fffd0afa1216fea5a0c881b

      SHA1

      5cf92229ad56645f103310cb52809f978fbb5a31

      SHA256

      2fac0ec60fd05a783ce578acbca5123ad846d61f2a7e522c4065463613b44b6e

      SHA512

      3d5cfeaa27a74268e5b4911f1ee167d8b1df716a551fb9dcfd6caa81a6d99b42beb8aaee17e65af37f05328c13f16eef1d86c8ea2e14fd6bb4a841279c79e906

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Whilst
      Filesize

      76KB

      MD5

      8ab94da2ec53e21bb3a1e990eb061535

      SHA1

      5a496ddcc86198244e4c90f07701700f05fdd864

      SHA256

      d728dd7722aa26317077b01b79c8b81c47c60249b8a979410c0bc11febe060f7

      SHA512

      1b8e869034f64b35ca4e9d2689eecc727bda61ae1861c902e7dde1e1794de86e462426e6fd510dd70ce31e78369df21249a9f2bfc51c9f254f2c1984ad1542ef

      Download Submit

    • memory/1064-126-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-124-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-115-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-121-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-127-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-117-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-125-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-116-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-123-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1064-122-0x00000238C6980000-0x00000238C6981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3780-128-0x0000000004BF0000-0x0000000004C47000-memory.dmp

      Filesize

      348KB

      Download

    • memory/3780-130-0x0000000004BF0000-0x0000000004C47000-memory.dmp

      Filesize

      348KB

      Download

    • memory/3780-129-0x0000000004BF0000-0x0000000004C47000-memory.dmp

      Filesize

      348KB

      Download

    • memory/3780-132-0x0000000004BF0000-0x0000000004C47000-memory.dmp

      Filesize

      348KB

      Download

    • memory/3780-131-0x0000000004BF0000-0x0000000004C47000-memory.dmp

      Filesize

      348KB

      Download