Overview

overview

10

Static

static

1

DogusignRe...6g.msi

windows7-x64

10

DogusignRe...6g.msi

windows10-2004-x64

10

Resubmissions

10-01-2025 20:32

250110-zbg4yswlht 10

10-01-2025 18:08

250110-wqvf2s1pfz 10

Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DogusignReader1.26g.msi

  • Size

    10.5MB

  • MD5

    35f774e65e57f419fff8d8f74945ea51

  • SHA1

    c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

  • SHA256

    d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

  • SHA512

    34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

  • SSDEEP

    196608:xaZKIcPtwQbOmV7SPjZJrtiXPFsKASDdybmR67JU6OpkKM1sQT9nAJDPMRAl6q7r:Y3cPt30JrtiXdsKAcrR67J0kR1syAtMU

Score
10/10
lummadiscoverypersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

lumma

C2

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • GoLang User-Agent 6 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DogusignReader1.26g.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2356
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
      "C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
        C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RACZMCTHJLPF\RttHlp.exe
          C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RACZMCTHJLPF\RttHlp.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2436
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2392
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2996
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E8" "00000000000003E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76debd.rbs
    Filesize

    8KB

    MD5

    9e22870349b394d4a81335231f457cd2

    SHA1

    53ee20926c25d90b07ac43cf012e8959c4f3cc94

    SHA256

    3ee5512b6698a1cd20dbf8054bb34232f966a4fdded99249d0e6dbb529057978

    SHA512

    dedfa4e64a47e27fee2514b0627cabf77426ec9d85f0fa134bf250692a83a8344244fd9b4060cec3ec7e87220e088437a06583bb37f183b1f9159351d22e5d79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9BE4.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9BF6.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d3d8b765
    Filesize

    12.9MB

    MD5

    5a918e938c17394bc905e8a08bd8d326

    SHA1

    35c72cf63cb7107bd0ae3b9f9f7cc84e2c1c907a

    SHA256

    2f699d404b812ceb1d3e4e5b798287d1aa0ebef0024ebadb3b7e4258199ae0b3

    SHA512

    fdef4d4f9c2f1791d9496fd8a3d416d6d8bc6e6b1d9f8c37776607872e8df270090b2e10228b7aebe528540f8729476940e7cbf116435aa1d8156befdebb5695

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d6bfff7c
    Filesize

    1.0MB

    MD5

    cb606d1027c266602c3f0a78fad18bdd

    SHA1

    6e21250561cb55434078586e88a68af7a890fe5a

    SHA256

    05c370140bfec8f4e09aef5fcc8b6deb9753fe3ba867bb2073015a711329891d

    SHA512

    1be8239f56847dfbef4afdbe9b0318f070a81545849f861e2559d4ef46d15d8140180ade2f746d3274fe8cdb9817c7f794b376665d2e515e03bd9f6895f705b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\Register.dll
    Filesize

    1.0MB

    MD5

    40b9628354ef4e6ef3c87934575545f4

    SHA1

    8fb5da182dea64c842953bf72fc573a74adaa155

    SHA256

    372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

    SHA512

    02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
    Filesize

    135KB

    MD5

    a2d70fbab5181a509369d96b682fc641

    SHA1

    22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    SHA256

    8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    SHA512

    219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\burro.ini
    Filesize

    10.5MB

    MD5

    95a61e7f85bc8b48e6e52992d39eefc6

    SHA1

    df90ab3e50a7e566948ff56dde540139d23934c0

    SHA256

    0cea6a8a1b71eaaf329b70552ebe353d1a468ae2da5ac9c018d1927b55406bf5

    SHA512

    7a2ebb2caebe5efed73b701ee96a7880dea32301776a16beb288ab008531b396d06e36f6d0c4e60590c02355b4e1fc206e1468bc181042900fc18bc7b9f20086

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\magnesium.csv
    Filesize

    52KB

    MD5

    038c02b1cdce1b2738c09d9d2b8bbd74

    SHA1

    0f20d6c4a1cb65ca8a33c613b0f297148f9a39b2

    SHA256

    ff5f5110ca6ca5d57db34ec4ea566d28d4b2535d71540331448711a25a89b3f4

    SHA512

    afb692a8bddf29feb352a3129165c045187c5a41ac134515d5d5ff884b26f24789113929e9c49f0277b8e509755566f5725be05d15a268fd07f03771ab004717

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\rtl120.bpl
    Filesize

    1.1MB

    MD5

    adf82ed333fb5567f8097c7235b0e17f

    SHA1

    e6ccaf016fc45edcdadeb40da64c207ddb33859f

    SHA256

    d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

    SHA512

    2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

    Download Submit

  • C:\Users\Admin\AppData\Local\Yarrow\vcl120.bpl
    Filesize

    1.9MB

    MD5

    37c89f8997af129d230837c87997b737

    SHA1

    5031df412eaf09cc72688e7865e4604cda6c2fbd

    SHA256

    f3ea5d6457089b4c4ab207f0b96dd5f321cdc7b3360ca27cd6ed273ec25d807e

    SHA512

    3ede7277cb8d16c83e65bb6e6626f30b124ff9cb1579cfc8fbea7358489f9520d416238e998707219b4b0debb6cc1fc2634133f2fe9457a840d8b2bc76ddb3bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RACZMCTHJLPF\burro.ini
    Filesize

    791KB

    MD5

    28431839e39dffad0485cc51b34c705f

    SHA1

    0b63857ea0abe841fdae8fd8b9f9b3ef0af881a0

    SHA256

    d832c2fd66e09b3eb829901fa6e7a2b610a398d8e007d6352edf4763ea3ce363

    SHA512

    cca16a18f52f2d059308214897673acd48cfca144a5075fba372ad33b8c645d202ebf32576d9d299d95e37e059d78dfdf70f7e844c479bd8c8484dc06bfe9d03

    Download Submit

  • C:\Windows\Installer\f76debb.msi
    Filesize

    10.5MB

    MD5

    35f774e65e57f419fff8d8f74945ea51

    SHA1

    c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

    SHA256

    d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

    SHA512

    34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

    Download Submit

  • memory/1312-96-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1312-97-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1312-93-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1312-95-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1312-90-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1312-91-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1792-54-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1792-53-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1792-37-0x0000000074B80000-0x0000000074CF4000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1792-38-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1792-55-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1804-117-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-168-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-164-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-163-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-167-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-169-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-112-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1804-165-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/1804-114-0x0000000000400000-0x0000000000B74000-memory.dmp

    Filesize

    7.5MB

    Download

  • memory/2392-106-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2436-107-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2436-99-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2872-92-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2872-64-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2872-66-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2872-103-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2872-63-0x0000000074A90000-0x0000000074C04000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2976-113-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2976-152-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2976-116-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2976-110-0x0000000077630000-0x00000000777D9000-memory.dmp

    Filesize

    1.7MB

    Download