Analysis

  • max time kernel
    406s
  • max time network
    304s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-01-2025 14:15

General

  • Target

    MDE_File_Sample_9b0fcdf44e0deaaea8ac045a268e7ddc98d5a101.zip

  • Size

    298KB

  • MD5

    7cd86bcbaefe62af32cebbefc5a37e04

  • SHA1

    31eb887abb6dcc035b8b3c1fb166bbe5450999ea

  • SHA256

    cb42390c2f309c26fdd5e47563233afc73fd866af234b9838626440ea62ce7e7

  • SHA512

    20633335cc29068c7e9e56e58edc30ce5c9619cb8d7e315612882075e94d30fce06c4e12f0608079d0d113e05c0184a95f519b29328b1695a67de8b0c9b2759e

  • SSDEEP

    6144:TPIAmVevkm1q93H3ug+J9ggDUGI7Jf6NJeRkZGfhErOyzk+4/wQSdvfE:TgAbE3HWJ9gSROf6Noe1ra+4/ydk

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://foreigoiru.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MDE_File_Sample_9b0fcdf44e0deaaea8ac045a268e7ddc98d5a101.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2456
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3604
  • C:\Users\Admin\Desktop\soryte.exe
    "C:\Users\Admin\Desktop\soryte.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:3508
  • C:\Users\Admin\Desktop\soryte.exe
    "C:\Users\Admin\Desktop\soryte.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1292
  • C:\Users\Admin\Desktop\soryte.exe
    "C:\Users\Admin\Desktop\soryte.exe" C:\Users\Admin\Desktop\wincr.dll
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:1300
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\soryte.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\7zO06D0596B\.CRT
      2⤵
      PID:2556
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\7zO06DDE30B\.CRT
      2⤵
      PID:488
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06D1CC2B\.CRT"
      2⤵
      PID:4900
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06D7632C\.data"
      2⤵
      PID:1504
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06DE73EC\.rdata"
      2⤵
      PID:2204
    • C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO06D4B2BC\.text"
      2⤵
      PID:3116
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO06D8ECEB\1
      2⤵
      PID:2804
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\wincr.dll
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1164
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4420

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\7zO06D0596B\.CRT

                  Filesize

                  512B

                  MD5

                  45003b91b0ad757bc0863cf7a4a7a971

                  SHA1

                  4d09acb04ef01680b924017644c54d80092d4c66

                  SHA256

                  57eabbff30055474d5becf4820f49d043a7b3473351093c5ee3b4f87f6bc9fb9

                  SHA512

                  5080eb332533430c8c1fe8ad90d4d97ff19aab76d041bc3d77d9998ecd3214bcf6cd50198090041f178c7d8490480d37aa55712a4d78cdb7da3884b1a443b402

                • C:\Users\Admin\AppData\Local\Temp\7zO06D4B2BC\.text

                  Filesize

                  8KB

                  MD5

                  79a282f63e3fa04012ac1fe6c80ab91e

                  SHA1

                  353b2d13f742b1e9317c4befa74ff6c040c5e41e

                  SHA256

                  26feb4e3d8e404c6425ad5572640e7006a721442b9d7a3e3d48ddf2acd68d341

                  SHA512

                  415d28a36edbca5a76c588d2dd6832ccfdc4981c1c270905ed6aeee87b24ff51e18eacfea427c8fc4dbd3f459f6e98a04b8e73c0c1b37a1602debfb46007c493

                • C:\Users\Admin\AppData\Local\Temp\7zO06D7632C\.data

                  Filesize

                  512B

                  MD5

                  acc90889d7a1fc5ff46cb69e24dc987a

                  SHA1

                  00e72cadfdca6c66226e828d97bafb73ffbecad5

                  SHA256

                  2af8fb4b244d11d6179ad240f5ccb49b499bf649cff06279371bacfe18f7313b

                  SHA512

                  32cbe159b11595a5fb059c8e4f2a39ee6541f77314e704abd73ddcd6302e8fde5212bdbf72b5a0c42588c0b1dc24bdaa66b7cf6c9077c7ecc62ba67f75b65d5b

                • C:\Users\Admin\AppData\Local\Temp\7zO06D8ECEB\1

                  Filesize

                  1KB

                  MD5

                  5aa04ce935e78505e230765e85c34355

                  SHA1

                  6c93b8c5fde8be4b2231dca6b8ec513cdc82c991

                  SHA256

                  a73f26a8d504043f785d7360e8febf2eeb8522ec873a0d4dd5d1d4bfd1e67d3d

                  SHA512

                  c6a77beea050c63740d216a32478223d0905e94cf158f3c8f247b125d13ecce58ea7e3b3c4435da4bbdf3b9730e5b7076ff46ccab7930f6579e66ec95a17e6f5

                • C:\Users\Admin\AppData\Local\Temp\7zO06DE73EC\.rdata

                  Filesize

                  2KB

                  MD5

                  711c4e06539d3771241367a2cc3680b0

                  SHA1

                  81a781c5a5bc4854ade7b3ba08d52f1c75a2f034

                  SHA256

                  a8630f95ac0b816aef3042cc7e7127a8f4b6dd0397c5214432218d1a869038ee

                  SHA512

                  80a08f59d492b54cd32943806b6ef946c5c15cb8b7eb506ccf6c3e2bcdab23264220fe61a04ce8751b3e9fc74f3ae5796ca9a0a0bea11a7d2c57e8b8950302ca

                • C:\Users\Admin\Desktop\soryte.exe

                  Filesize

                  21KB

                  MD5

                  094e3d100ff3b088c886b96b5ed47d25

                  SHA1

                  c02bee1b4259c664b8ccbcf1376011349ba7e9c0

                  SHA256

                  e666c48de937578c9cc65f6f36806691a33ee63b12339df27975a570f8bb1bbd

                  SHA512

                  cdbace32e02be4e4d471e1c84b7011476631f304dcb3ebaa1a7068e34b7233bae43271fbfcde3b0ffb8964713756f68fcaa15f86d3f022be409dd4454a5ef7ea

                • C:\Users\Admin\Desktop\wincr.dll

                  Filesize

                  971KB

                  MD5

                  301110636d01147ed054b745f8f876f5

                  SHA1

                  a24dbad0b7433e823ac3b5d3f5388e689a97388e

                  SHA256

                  6e03be3d3a4c237e28f0245b93f11277185a69e28ffeb18f0791ea10c435fa98

                  SHA512

                  30ba95ac58b2af4ed8ede34ba60ba3e834ebc4c00fbfcd176d5991309659736e132c616d93b0514712206b6da35944cec12720f3eaf0497f17c10b6fc47f712e

                • memory/1292-19-0x0000000000EB0000-0x0000000000F07000-memory.dmp

                  Filesize

                  348KB

                • memory/1292-21-0x0000000075610000-0x000000007570A000-memory.dmp

                  Filesize

                  1000KB

                • memory/1292-20-0x0000000000070000-0x000000000007D000-memory.dmp

                  Filesize

                  52KB

                • memory/1300-27-0x0000000075610000-0x000000007570A000-memory.dmp

                  Filesize

                  1000KB

                • memory/1300-25-0x0000000000EF0000-0x0000000000F47000-memory.dmp

                  Filesize

                  348KB

                • memory/1300-26-0x0000000000070000-0x000000000007D000-memory.dmp

                  Filesize

                  52KB

                • memory/1300-29-0x0000000075610000-0x000000007570A000-memory.dmp

                  Filesize

                  1000KB

                • memory/3508-14-0x0000000075570000-0x000000007566A000-memory.dmp

                  Filesize

                  1000KB

                • memory/3508-15-0x0000000001600000-0x0000000001657000-memory.dmp

                  Filesize

                  348KB

                • memory/3508-13-0x0000000000070000-0x000000000007D000-memory.dmp

                  Filesize

                  52KB

                • memory/3508-12-0x0000000001600000-0x0000000001657000-memory.dmp

                  Filesize

                  348KB

                • memory/3508-11-0x0000000001600000-0x0000000001657000-memory.dmp

                  Filesize

                  348KB

                • memory/3508-10-0x0000000001600000-0x0000000001657000-memory.dmp

                  Filesize

                  348KB

                • memory/3508-9-0x0000000001600000-0x0000000001657000-memory.dmp

                  Filesize

                  348KB

                • memory/3508-8-0x0000000077B32000-0x0000000077B33000-memory.dmp

                  Filesize

                  4KB