Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    10-01-2025 10:36

General

  • Target

    PortugalForum_nopump.exe

  • Size

    1.0MB

  • MD5

    c944017da5de050c1538cd9d03658b3c

  • SHA1

    4ced8ba4ee138c33940afdbec83e9b2c318ed9a7

  • SHA256

    d4d3992ed00504f3f0ee087687b655c9bd98cf2ad345a7c58a2654706192c873

  • SHA512

    bbac1e9d702464a24f9c418dcea2305815acbb1a5a249170fb380bb913c5e1e0f82d26a305fe06a869c973e750fee122cd7a223c7b402ab1f1239750a00531f0

  • SSDEEP

    24576:Ga88iU++Wl4qyvCCGY9CaHl/JqLDRRBtspOJ2SUT:9TW+qyvCaJqfRR7f2F

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://ingreem-eilish.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PortugalForum_nopump.exe
    "C:\Users\Admin\AppData\Local\Temp\PortugalForum_nopump.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Audience Audience.cmd & Audience.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2472
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 630620
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2588
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Magazine" Utilities
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Scheduling + ..\Asked + ..\Narrow + ..\Francisco + ..\Future + ..\Turning + ..\Bear h
        3⤵
        • System Location Discovery: System Language Discovery
        PID:320
      • C:\Users\Admin\AppData\Local\Temp\630620\Iceland.com
        Iceland.com h
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:584
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\630620\h

    Filesize

    455KB

    MD5

    5dc2b27d27fa15bb4065d2b4eb76640b

    SHA1

    6e5833ae33cb1c7c8b79c063164e6f7c0ba20333

    SHA256

    8d860fb58801a2b7bcc7ec1f67ef6b9673a4a382486efa4dd617975b96bffbed

    SHA512

    3854748f9aff68aaae1e54500b8bba9189f00d4b5459e029d175bfab9d0ed0362acab6bc201d170558d3e301965989380660f9835e6d793a2faeb0e46a808ee7

  • C:\Users\Admin\AppData\Local\Temp\Asked

    Filesize

    64KB

    MD5

    8ef78954ab3e3a5cefa451444064d941

    SHA1

    297c23b8d61bcf6299179c2cc3a9cb5a943af164

    SHA256

    10c46ff6ca211d18e15641ecd5db2a8d5896b390f7c8aef6fb751a9253bacde6

    SHA512

    54ed4c22cde1f6b8ed3112080d3483941636983e2365b012127bea9618f3617388d97f9f31df91946658377c885789a498d7ff42ac23226f4827fe63287f631d

  • C:\Users\Admin\AppData\Local\Temp\Audience

    Filesize

    20KB

    MD5

    831d51b5d4b61d8c67a59c021e8cc56a

    SHA1

    34d2dfb435bdc865bd76b3b232743639f1999877

    SHA256

    bc9bff9c30461c1c58af72e51af88676cd223dbfedf99ac263ab66aeb4448d18

    SHA512

    e2e25e2f7d3e9e61bdb55599f845ec088a8422442c3561f2c87dbb6ed4456b4ebf5224d24e42ee421d01defbd65efe1f69ddc4892563a5a9cef64ece1be4d345

  • C:\Users\Admin\AppData\Local\Temp\Bear

    Filesize

    44KB

    MD5

    f131fa82b94b7afa4cd4561d16a04e7b

    SHA1

    bc5cdcd5b6a0e8661a4c71444c1a44385e639f56

    SHA256

    5f31ca1ff22eb1045d4228becb2702e30653e2f2dfb0fb3152354207c12b148e

    SHA512

    6f121b900d91c866212607001b8464f1aefc5ba2ccae035bd0377382db76f7852230c1d7940831f6c852bf66cc021c48940fd8ade75b0fee9dce48d111c674d0

  • C:\Users\Admin\AppData\Local\Temp\Bg

    Filesize

    61KB

    MD5

    74166770821de3ba843232e3c7930a97

    SHA1

    d1f938dadd9ba5730b25494e1dfb2f9dfe3eeb11

    SHA256

    1d73dbd4613668f2cce7c5657e12a018e19673bfffdbf243205a5bfc7b6a24d4

    SHA512

    2c3e150159c51c49229a91c6beb4f65180450255e35241d82c14cb62bdcf711ca5a616047e33bd5409a5d25cc9deb1cbf0b0762c5bdc61853d11a430385051c9

  • C:\Users\Admin\AppData\Local\Temp\CabE90A.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Ceremony

    Filesize

    140KB

    MD5

    eebfdc3f7bcd067f270d4c25f7235b2b

    SHA1

    c7a2b657909ec05016c30fe9d4840b86c2fb609f

    SHA256

    d3f9e82e7664bb9397a400e4eecc262c4545d8e76cc4a3ccdb690c23e19b196d

    SHA512

    93b214649501f16e27dcb74466d088bfe0f334356ac20e4fe000413564f4233e6ccb8b56f61aef1e51b9c469c1ff0150b20d1f7c316bda236c7006001f1f4395

  • C:\Users\Admin\AppData\Local\Temp\Constraint

    Filesize

    100KB

    MD5

    e51fe3a620833975036623d6e197fdb8

    SHA1

    464cab620d65cfa654798326aa479a4899619e69

    SHA256

    c93f220dbf5e5ea2d57bfe4d0ca8e388446f52b578eba39eed8b8ec01ada59e3

    SHA512

    eaf95dd0f1fcbfd53db50409cd575b4b1d04ac7c57eb5793eec7e972e1fa8d173d775792e824c630ffa15d9d56e3c624da77396315b884c662875fe021400f86

  • C:\Users\Admin\AppData\Local\Temp\Continually

    Filesize

    107KB

    MD5

    4babfd4c1e7092da43457efbab2c9495

    SHA1

    9f47b56ba662b13ffd116725b5424938f52ac638

    SHA256

    770985518aac385690c7eae35b390ea088287010485ed57a89b88a59b63f08e1

    SHA512

    b5304a9a6bca1f509527dd1eb6b101e3237d901787cf8b7773a8750b2d902e5a8c6bf1f61d627076f4ffad8ca6693a8bb62de3e8b134e62d7b948db50e15e47f

  • C:\Users\Admin\AppData\Local\Temp\Francisco

    Filesize

    62KB

    MD5

    6ddd57af3a3dff26b82f946ce7375100

    SHA1

    21c6882738381f2496e28ef5417357bb44b80e66

    SHA256

    50dc4bfb3a921f371bffa45b220e6b8271e1e0603fda5bef252514fd040cee42

    SHA512

    4c5adfc983196747c32e1560c56b32a9e1cb7653bc5f72df6ba7a3451fedeb89cb735a15e890587f4b316559414db17135e96e72b137a617159d92f6be81250d

  • C:\Users\Admin\AppData\Local\Temp\Future

    Filesize

    70KB

    MD5

    fcb831c17d9c6385e13ff593e138b221

    SHA1

    52c9d6dc7b2799a731b0db516b346a5543f933be

    SHA256

    f7a5ea48b63a9cbe66090ce131ebc2692478b2493f67bd9173f754270ba650af

    SHA512

    1302dd0e319dfbfa64923e17c1f4053f339a2d5f18081227e7c8ae3852d3688b2d63175a3d12dde0f3a8a4bd9b8b579c5efe1f39102d5245ea7c3d7062a920cd

  • C:\Users\Admin\AppData\Local\Temp\Inbox

    Filesize

    58KB

    MD5

    33ccfc63074875c27f396fa8eb3fed65

    SHA1

    851519946ebcebc636b6159d3b5ac79c9691dfa7

    SHA256

    0ad48af0dfbb4210911c0487e5e741f830cd3edb3da6306a537d1018de7e46f7

    SHA512

    7a7cda274ac611a00797af83484a38d93fcedf64b44585cab6dc2d14ff78f6f042f6b69e5c7b218163beabe72f9adf44aba7941db60947a9654631c2f8203865

  • C:\Users\Admin\AppData\Local\Temp\Narrow

    Filesize

    61KB

    MD5

    efe92467145e63a37fcaa3c125ac1408

    SHA1

    828137f0a74aa7800ea1ebcf45218cb202ea1371

    SHA256

    48fb48a26c2d8a75f3d7cfd99e9dfe06186efb7d1c29bcb862074db44f7bba18

    SHA512

    69cef69f0275e865ae5b5bb37e373d55dd3af27f02020998579d334465f5ddfc1251326c9499f4633f3b50177fb6ce5522d9c81b5753258c824991165de0f22a

  • C:\Users\Admin\AppData\Local\Temp\Ne

    Filesize

    93KB

    MD5

    9b9755f364ece6ad099b5777e512623d

    SHA1

    a60b37c3e12a9ce10517df090e808975c37c9b4e

    SHA256

    18801940d53d2417e105af37fb6e81255fa6ec5236775cf5c8ed516a2beb03a2

    SHA512

    6fde6f76867e12dee3718985598c9f2b829237fde2fb63aa635960758351fae08da6eb7f70efc42a83a98b5e89a8b1efbceecedcf8763a4aa5aa1fcb2432af60

  • C:\Users\Admin\AppData\Local\Temp\Scheduling

    Filesize

    87KB

    MD5

    80a93407982844de86a55240b9af858e

    SHA1

    15bb7ada3edf4d0e69f4b75528ab4287335414dc

    SHA256

    9937c8009cc08a1b17c40e08d5acea4f8f26a570122d46b6bb67e29a0ec1c8d4

    SHA512

    df258e712da2290d11cd9a229e90599a2dbf6adcf1bd1a27d56516ff6b72d01c135c3d1d1ebd50a3c8d9186bb37d16de8e9dd61eaabe3fd7a57a22ac9b78f881

  • C:\Users\Admin\AppData\Local\Temp\Sluts

    Filesize

    34KB

    MD5

    7e338a81ce2e1b70b46ce0d393224c96

    SHA1

    8fcaf15eab382142b50cfc550ac84b230a9cda15

    SHA256

    8e5f5cf98ecc59708b27a32a0681a8eadb6a280929f2cc01ba9d0a4d241a5d3e

    SHA512

    bf208c9d4e33d2b16c72f72697a68c2ecc716468578b37051c6b125fc4143bd0352334e6389ad297e090760160d4975ecbd61b7754d76127235ca16ae0167bd7

  • C:\Users\Admin\AppData\Local\Temp\Smilies

    Filesize

    53KB

    MD5

    e107227e235ad79a412ea02cf89e7bd4

    SHA1

    4a4372b7035b64bf27a8c16982bd4262f4f3c14c

    SHA256

    fc3a5408718b6803690c68792906e7eb3e6dd47ec4dcb1dd6be86dbb1d963b93

    SHA512

    44de863e4b33c79cbdd030c1def7a1a81f54e1ab39105519df32be17fd789850c364b575bc74c6249d89f27f4b73a70cd37ee65d32cb64b4928c4ca641db65b4

  • C:\Users\Admin\AppData\Local\Temp\Social

    Filesize

    58KB

    MD5

    ea6c3060fe6c2906c3bf09d1b3c8cbc0

    SHA1

    d6f2e612c4d036fd5ac9adab8de0874f603df905

    SHA256

    6a9b15f5dd9238338bccb71c88f1ad1246642b81e2f41dcfc75aeb26b00240a4

    SHA512

    0e514b1d7f5f44fb14b0090b577c22de80c0e2c5eb195f2ca66dcfa155773c69fcde5708fd1287b1adbfdd2fe8c9fdfdb637bb50a634359aec9cab88bd0eb019

  • C:\Users\Admin\AppData\Local\Temp\TarE91C.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\Turning

    Filesize

    67KB

    MD5

    bc116a5762f5fff91b41ef32e9f8251d

    SHA1

    571f267a44eb5ffbdbef77a840549853a9677bb4

    SHA256

    0c2c09341a39996c01aa917364686f169edc519f317233b1e2b7f6d9db7f6a21

    SHA512

    f592b1a3e3794cf53aafdb63f5a50d55213031946484a8e03312a0ff77a7fc99bab950573bdb2b62165e1106e5b67e9ee572523fadbc9895b5fee113d9a0542f

  • C:\Users\Admin\AppData\Local\Temp\Urban

    Filesize

    118KB

    MD5

    e17201b8b2c75dce8f7080c1de6c3f94

    SHA1

    ed7964dd24080ccdd78f3cd54fa06913350cbba3

    SHA256

    cece49ca9de531fc2988aa84bfb27d03aa0a5e7cc8786d0afdb33bed019abccf

    SHA512

    16e99bb9651d44f4af2e34ce96d12ae9ce5683f787ce3edd68d6e9f72159732151278f2f89fcf8e028a69f36fb24d174f9a18a92ccfada8f118eaaca038672cc

  • C:\Users\Admin\AppData\Local\Temp\Utilities

    Filesize

    2KB

    MD5

    565c8ae6bac0ea4687df549f65098e94

    SHA1

    e64db632d9839341c40f7822c6b7d0222697a5a3

    SHA256

    9c13c1d59286f1ae8e61fb927e36d617aa00f19fd7b3f28cd5e1588b31adc92f

    SHA512

    65959f0e18475887ffd96321af4b5e81bad640e07dd98949f71ceca089f139fa9893f864df9496ecca816c0ba539f196bcea4e2ef000a60f1c16dae67accd8dd

  • C:\Users\Admin\AppData\Local\Temp\Ve

    Filesize

    101KB

    MD5

    592d0f644f456c3df5d68f9594c0831a

    SHA1

    a2785cb1e47381feb210869087272a2ad65af45b

    SHA256

    3158d544e75024e602d0205d4595aa065ee3ce1b67ae9f3e288de113557490d8

    SHA512

    ff333272d8cb9e85f0c06d2ecc4317dfbd675c98965348a76b61951d16d37e667086bd0bd9c20a25c9e8a5999b0ae28db3e9f3e0df65f9acaacb17d3d0110bc5

  • \Users\Admin\AppData\Local\Temp\630620\Iceland.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • memory/584-54-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB

  • memory/584-53-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB

  • memory/584-52-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB

  • memory/584-50-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB

  • memory/584-55-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB

  • memory/584-51-0x0000000003750000-0x00000000037A6000-memory.dmp

    Filesize

    344KB
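
A check worth doing on the Downloads list: the seven files named in the copy /b command in the process tree (Scheduling, Asked, Narrow, Francisco, Future, Turning, Bear) have listed sizes of 87 + 64 + 61 + 62 + 70 + 67 + 44 = 455 KB, which is exactly the listed size of 630620\h, the file Iceland.com is then launched with. The other dropped files (Bg, Ceremony, Constraint, Continually, Inbox, Ne, Sluts, Smilies, Social, Urban, Ve) are not referenced by that command. The script below is an added example, not part of the report: it encodes that size check against the report's rounded values and reproduces the copy /b reassembly so a rebuilt h can be compared with the SHA256 the report lists. The chunk directory argument and the tolerance are assumptions.

```python
import hashlib
from pathlib import Path

# Chunk order, copied from the "copy /b" command line in the process tree.
CHUNK_ORDER = ("Scheduling", "Asked", "Narrow", "Francisco", "Future", "Turning", "Bear")

# Sizes as listed under Downloads; the report rounds to whole KB.
REPORTED_KB = {"Scheduling": 87, "Asked": 64, "Narrow": 61, "Francisco": 62,
               "Future": 70, "Turning": 67, "Bear": 44}
REPORTED_H_KB = 455
REPORTED_H_SHA256 = "8d860fb58801a2b7bcc7ec1f67ef6b9673a4a382486efa4dd617975b96bffbed"


def expected_size_kb(order=CHUNK_ORDER, sizes=REPORTED_KB):
    """Sum of the listed chunk sizes, in KB."""
    return sum(sizes[name] for name in order)


def size_check_passes(order=CHUNK_ORDER, sizes=REPORTED_KB, target_kb=REPORTED_H_KB):
    # Each listed size can be off by up to half a KB from rounding, so allow
    # one KB of slack per chunk (assumed tolerance) instead of exact equality.
    return abs(expected_size_kb(order, sizes) - target_kb) <= len(order)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reassemble(chunks, order=CHUNK_ORDER) -> bytes:
    """Binary-concatenate the chunks in order, which is all copy /b does."""
    return b"".join(chunks[name] for name in order)


def reassemble_from_dir(chunk_dir, order=CHUNK_ORDER) -> bytes:
    """Read the seven chunk files from chunk_dir (assumed layout) and rebuild h."""
    d = Path(chunk_dir)
    return reassemble({name: (d / name).read_bytes() for name in order}, order)


def matches_report(chunk_dir) -> bool:
    """True if the rebuilt h hashes to the SHA256 the report lists for 630620\\h."""
    return sha256_hex(reassemble_from_dir(chunk_dir)) == REPORTED_H_SHA256


if __name__ == "__main__":
    import sys
    print(f"sum of listed chunk sizes: {expected_size_kb()} KB; reported h: {REPORTED_H_KB} KB")
    print("size check:", size_check_passes())
    if len(sys.argv) > 1:
        # Usage: python rebuild_h.py <directory containing the seven chunk files>
        print("rebuilt h matches reported SHA256:", matches_report(sys.argv[1]))
```

Running it with a directory of the dropped chunks gives a yes/no answer on whether the sample on hand reproduces the h that was executed in this run; when the hash does not match, the first thing to re-check is the chunk order, since copy /b is order-sensitive and the command line above is the only authority for it.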