Overview

overview

10

Static

static

1

#Pa$$w0rD_...#$.rar

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    90s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    09-01-2025 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    #Pa$$w0rD__6654--0peɴ_Set-Up#$.rar

  • Size

    15.4MB

  • MD5

    e4b9f067e0a7f3b2d6156d2679fd03d5

  • SHA1

    07f0fe0c79f65db10b7586b81282402241dd88ad

  • SHA256

    48abeeb6a5fb89c37e451f73d40a672d808264b14ed7163a622100fb94d7d053

  • SHA512

    8179d0cf9be8bfb0c75cf8dda73645ab4cf0389b440d2afc692850230c25d3fb208690e679bf8de82f85ab551ac1bd618299bf7fe494bc9886d36e951773afdb

  • SSDEEP

    393216:TFfcTb4DjXbZPtueI3aCwuNlfIUsZNuXeu3T50:TFfcXIZPtunawOBHuOu3O

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://rhythmsellk.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Pa$$w0rD__6654--0peɴ_Set-Up#$.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4528
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3820
    • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe
      "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2468
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2908
    • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe
      "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4500
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Resources\Data\MigrationService\helper\Welcome.Python.Stepping.Locals.png"
      1⤵
      • Drops file in Windows directory
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1224
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
      1⤵
        PID:4244
      • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Resources\Data\MigrationService\helper\bin\adig.exe
        "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Resources\Data\MigrationService\helper\bin\adig.exe"
        1⤵
        • Executes dropped EXE
        PID:3992
      • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe
        "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4716
      • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe
        "C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Resources\Data\MigrationService\helper\Welcome.Python.Stepping.Locals.png
        Filesize

        14KB

        MD5

        642b27cbd4e9d7c6c344e50c04afb883

        SHA1

        303577685118cfab3dcaf952c284dc3e95fc25e9

        SHA256

        91fa37de037ab5e9b998c94f028c12b5507bec7d3f277b7c27c24dce039a1962

        SHA512

        d986ae0866a670f0cf1cedb937f20ca594de4744008fb317227cd4b4f24545e9d25aa131a05f7f4eb756c7662b5929c76fe5d3f7e92e14ce6f835467691fd3c7

        Download Submit

      • C:\Users\Admin\Desktop\#Pa$$w0rD__6654--0peɴ_Set-Up#$\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Resources\Data\MigrationService\helper\bin\adig.exe
        Filesize

        56KB

        MD5

        6dcec20dea659bbc1c48064868fe2d65

        SHA1

        56cd96ab3647c9fb2ccb29fba085f7122e80e5dc

        SHA256

        e737d575dfbd5e00f143dea4e6ced6e64be6f06270cc9ce137b3504a6d3b3068

        SHA512

        208f0a1cb306584f393d81797abb42e2e196305ac28983abf8ad87a76c592b9777ad5c315d2968ec4b45bb3c920f22ed83b227fbb98e1f6461118357ce15ad5c

        Download Submit

      • memory/2468-110-0x0000000000B80000-0x0000000001B80000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/2908-124-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-113-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-123-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-122-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-121-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-120-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-119-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-118-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-114-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2908-112-0x0000024B4CF00000-0x0000024B4CF01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-136-0x0000000000B80000-0x0000000001B80000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/4500-126-0x0000000000B80000-0x0000000001B80000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/4716-134-0x0000000000B80000-0x0000000001B80000-memory.dmp

        Filesize

        16.0MB

        Download