Analysis

  • max time kernel
    31s
  • max time network
    31s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-01-2025 15:55

General

  • Target

    https://moolaplace.com/requer.exe

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Downloads MZ/PE file
  • Executes dropped EXE (7 IoCs)
  • Suspicious use of SetThreadContext (4 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Program crash (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (2 IoCs)
  • Modifies registry class (1 IoC)
  • NTFS ADS (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (19 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (21 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (40 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://moolaplace.com/requer.exe
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5468
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6398cc40,0x7fff6398cc4c,0x7fff6398cc58
      PID:2872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1820 /prefetch:2
      PID:6088
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
      PID:3384
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
      PID:2676
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
      PID:5544
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
      PID:6028
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4476,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
      PID:1416
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4972,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
      PID:5784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4968,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
      PID:1336
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,5901559592636829818,11537453596805370411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5276 /prefetch:8
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      PID:2208
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    PID:1572
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:4912
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5216
  • C:\Users\Admin\Downloads\requer.exe
    "C:\Users\Admin\Downloads\requer.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:5612
    • C:\Users\Admin\Downloads\requer.exe
      "C:\Users\Admin\Downloads\requer.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3240
    • C:\Users\Admin\Downloads\requer.exe
      "C:\Users\Admin\Downloads\requer.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 820
      • Program crash
      PID:4080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5612 -ip 5612
    PID:3204
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:788
  • C:\Users\Admin\Downloads\requer.exe
    "C:\Users\Admin\Downloads\requer.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    PID:484
    • C:\Users\Admin\Downloads\requer.exe
      "C:\Users\Admin\Downloads\requer.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5092
    • C:\Users\Admin\Downloads\requer.exe
      "C:\Users\Admin\Downloads\requer.exe"
      • Executes dropped EXE
      PID:5420
    • C:\Users\Admin\Downloads\requer.exe
      "C:\Users\Admin\Downloads\requer.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 788
      • Program crash
      PID:1924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 484 -ip 484
    PID:1300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
    Filesize: 649B
    MD5: d7749534045d762cbf406ec30e842c51
    SHA1: 27bea1da5c7583f06a2cb7bfe234697324cdbcdd
    SHA256: 99ae1e024365a46e713eb179960eab8c4837a6c1121a09c60405b4ce8d099549
    SHA512: b35a88fba9d42bca16a17e3c874f573f8216a54e9fdc216ddf90e1dd1248cfa8d3a8371572ec185c3d80d19950f345f841fc58f0732ab983b1b83b2f1644b793

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 1KB
    MD5: f2aa9dfed933e2ac9a69a1bfe2f5d55c
    SHA1: 7c9496fdae0a891875db452c488f6e544819c8e2
    SHA256: d0746dcf2d9178b0160f997b6e378a6c7214e9068087508a1e44aacd6b96399c
    SHA512: f9c3be20e93c1dadb41fb726b71658f65cca93c78bc74ef2d6fed313020e7d28a8cf93129f6636eba83c3e365559d5d8fa7b6d16fc2897e5b32da4f023e7a3e8

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 9KB
    MD5: 5fea8687424f2a5d69a37f4d14415906
    SHA1: ac1d670240cd509d4dd348960da17ded09afda1a
    SHA256: 29859b6a316737aefd56063d6bd077a075251b59845f52acb9549b61b7422fdb
    SHA512: 415893d3cfa23acd26e81100282c7cdab580af8f7e3a261aa7a844024379f681067fa07d690075c4842464159949216f6fb82cd5bc65810291eb17e722e29711

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1
    Filesize: 264KB
    MD5: f50f89a0a91564d0b8a211f8921aa7de
    SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
    SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
    SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 228KB
    MD5: da181c0634b14e466381f5936256f42e
    SHA1: fb5cebe1e3285be0189c55442f7ac613c3fef524
    SHA256: 0cd9ee439dda20f084393d492fec5448ffb8046851a79789ab3db66220429dce
    SHA512: 145245bc5ef016ce2d0d9c7d8abf759bfd1213955df8ddb46879ef36b583c279e4f10116a7efe027030186768351c828c421966323d7b8c02bf5a776ac964050

  • C:\Users\Admin\Downloads\Unconfirmed 579863.crdownload
    Filesize: 358KB
    MD5: 801b534c3bbb710cd39e2ceda44933a2
    SHA1: dbfab577de772cd2cf5524cafbe51f3afff63601
    SHA256: a076412bacbd1db9f889c46c87b9a6a674f96add23492eb2abbf6bcd526c9f53
    SHA512: ce9fa7a7dc0b66ed8dcfd072445ccd4980d20ca5be7621d0d2173678f8723c46f160982995f648a2a1abcebcaea56abc4ab4967410a8ddd74045c6a6e53414d3

  • C:\Users\Admin\Downloads\requer.exe:Zone.Identifier
    Filesize: 73B
    MD5: 6f528285cdcc55ddcef75e66e806d429
    SHA1: 35323c9de7629415036507f74681fd64f3cc58e9
    SHA256: 52e88ba562dd1b95dcd2ccffdb6b80a5761e5fb1f69b7b4c2d668f466ed41848
    SHA512: 994b0c7aa08cec4b1eb5b2287bf5121511a6f80c12d25bd99ab20fb33ab996b6361c91a96b8497ec496d489130f597a2ab2a9228c98017e42e2c83762015d20b

  • memory/788-145-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-144-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-139-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-140-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-141-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-142-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-143-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-134-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-135-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/788-133-0x000001E80F1A0000-0x000001E80F1A1000-memory.dmp (Filesize: 4KB)
  • memory/3240-131-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
  • memory/3240-121-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
  • memory/3240-126-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
  • memory/5100-132-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
  • memory/5100-130-0x0000000000400000-0x000000000045B000-memory.dmp (Filesize: 364KB)
  • memory/5612-117-0x000000007525E000-0x000000007525F000-memory.dmp (Filesize: 4KB)
  • memory/5612-118-0x0000000000200000-0x0000000000262000-memory.dmp (Filesize: 392KB)
  • memory/5612-129-0x0000000075250000-0x0000000075A01000-memory.dmp (Filesize: 7.7MB)
  • memory/5612-119-0x0000000005200000-0x00000000057A6000-memory.dmp (Filesize: 5.6MB)