Overview

overview

10

Static

static

1

Dogusign R...6g.msi

windows7-x64

10

Dogusign R...6g.msi

windows10-2004-x64

10

Resubmissions

10-01-2025 18:05

250110-wn7cts1pct 10

10-01-2025 18:03

250110-wnc4zs1pay 10

10-01-2025 17:59

250110-wkqwns1ndx 10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dogusign Reader 1.26g.msi

  • Size

    10.5MB

  • MD5

    35f774e65e57f419fff8d8f74945ea51

  • SHA1

    c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

  • SHA256

    d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

  • SHA512

    34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

  • SSDEEP

    196608:xaZKIcPtwQbOmV7SPjZJrtiXPFsKASDdybmR67JU6OpkKM1sQT9nAJDPMRAl6q7r:Y3cPt30JrtiXdsKAcrR67J0kR1syAtMU

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • GoLang User-Agent 6 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Dogusign Reader 1.26g.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2940
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
      "C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
        C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\BMLDPVGXZERMHUZWYS\RttHlp.exe
          C:\Users\Admin\AppData\Roaming\configRemote_PZ4\BMLDPVGXZERMHUZWYS\RttHlp.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2424
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1624
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1996
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2852
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f77d8e4.rbs
    Filesize

    8KB

    MD5

    ee66ae0bf3c57798a55377dc0f9aecba

    SHA1

    26c77f198a8342e31abf02d6cf72cf4d8dd0b9d0

    SHA256

    6ba043353601caf20adaeea96c092a975ef3364aa2dcd1b8fee053dee646d909

    SHA512

    f82f8a318084ffad33d8886576a286763c6cc2cac5832d6e412cf7a019112cbbde4874216fb489acc558d792bc943f9ca365cc6c500ea270129000e4656f5427

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\28d80d4e
    Filesize

    12.9MB

    MD5

    00c5437a4f153bf1b325f648f186413b

    SHA1

    a6b0b1a657a82fdfeabadc6c7d8121f4359690c7

    SHA256

    0743337f37af340b16c277621ca5755a80d2e764e41b5e36a7d77cc50aa46872

    SHA512

    834bc6042e63d2bdd4283389ae3e2ff2d3d3bff168ae1ba518b0a5963a91e6a905be9238c8ea045967520ef397b927845ce6d86475dba6f3f5f8d8b7adbd5e45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\290d4c5a
    Filesize

    1.0MB

    MD5

    42ca2cfd637cf1be4eb2b2b65316d755

    SHA1

    b407822248eaf4afb675c3a68c2708b79d3a8b28

    SHA256

    0555393dc84ef57d83f53bbaf9b541892cf6d66bf366b62977d2c98f038c1e74

    SHA512

    ab363d9179190d7f1649cbeb4e4af1ee9658dc12a43918e1181eb7445d5bfccea3f60d40a2d837b5a97a4067d679808664b4a09736c94abe79acfc02c6851233

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabCE1A.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\Register.dll
    Filesize

    1.0MB

    MD5

    40b9628354ef4e6ef3c87934575545f4

    SHA1

    8fb5da182dea64c842953bf72fc573a74adaa155

    SHA256

    372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

    SHA512

    02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
    Filesize

    135KB

    MD5

    a2d70fbab5181a509369d96b682fc641

    SHA1

    22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    SHA256

    8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    SHA512

    219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\burro.ini
    Filesize

    10.5MB

    MD5

    95a61e7f85bc8b48e6e52992d39eefc6

    SHA1

    df90ab3e50a7e566948ff56dde540139d23934c0

    SHA256

    0cea6a8a1b71eaaf329b70552ebe353d1a468ae2da5ac9c018d1927b55406bf5

    SHA512

    7a2ebb2caebe5efed73b701ee96a7880dea32301776a16beb288ab008531b396d06e36f6d0c4e60590c02355b4e1fc206e1468bc181042900fc18bc7b9f20086

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\magnesium.csv
    Filesize

    52KB

    MD5

    038c02b1cdce1b2738c09d9d2b8bbd74

    SHA1

    0f20d6c4a1cb65ca8a33c613b0f297148f9a39b2

    SHA256

    ff5f5110ca6ca5d57db34ec4ea566d28d4b2535d71540331448711a25a89b3f4

    SHA512

    afb692a8bddf29feb352a3129165c045187c5a41ac134515d5d5ff884b26f24789113929e9c49f0277b8e509755566f5725be05d15a268fd07f03771ab004717

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\rtl120.bpl
    Filesize

    1.1MB

    MD5

    adf82ed333fb5567f8097c7235b0e17f

    SHA1

    e6ccaf016fc45edcdadeb40da64c207ddb33859f

    SHA256

    d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

    SHA512

    2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\vcl120.bpl
    Filesize

    1.9MB

    MD5

    37c89f8997af129d230837c87997b737

    SHA1

    5031df412eaf09cc72688e7865e4604cda6c2fbd

    SHA256

    f3ea5d6457089b4c4ab207f0b96dd5f321cdc7b3360ca27cd6ed273ec25d807e

    SHA512

    3ede7277cb8d16c83e65bb6e6626f30b124ff9cb1579cfc8fbea7358489f9520d416238e998707219b4b0debb6cc1fc2634133f2fe9457a840d8b2bc76ddb3bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\BMLDPVGXZERMHUZWYS\burro.ini
    Filesize

    791KB

    MD5

    28431839e39dffad0485cc51b34c705f

    SHA1

    0b63857ea0abe841fdae8fd8b9f9b3ef0af881a0

    SHA256

    d832c2fd66e09b3eb829901fa6e7a2b610a398d8e007d6352edf4763ea3ce363

    SHA512

    cca16a18f52f2d059308214897673acd48cfca144a5075fba372ad33b8c645d202ebf32576d9d299d95e37e059d78dfdf70f7e844c479bd8c8484dc06bfe9d03

    Download Submit

  • C:\Windows\Installer\f77d8e2.msi
    Filesize

    10.5MB

    MD5

    35f774e65e57f419fff8d8f74945ea51

    SHA1

    c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

    SHA256

    d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

    SHA512

    34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

    Download Submit

  • memory/912-68-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/912-96-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/912-104-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/912-70-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/912-67-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1060-135-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1060-130-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1060-128-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1060-137-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/1624-114-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1624-112-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1640-59-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1640-60-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1640-61-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1640-42-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1640-41-0x0000000074A00000-0x0000000074B74000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1996-131-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-136-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-179-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-178-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-177-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-129-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1996-175-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-174-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1996-145-0x0000000000700000-0x0000000000E74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/2424-101-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2424-94-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2424-95-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2424-97-0x0000000074880000-0x00000000749F4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2424-100-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2852-3-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2852-2-0x0000000001D10000-0x0000000001D20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-1-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2852-0-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2976-113-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

    Download