Overview

overview

10

Static

static

3

r6_interna...ar.exe

windows7-x64

10

r6_interna...ar.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    r6_internal_free_cheat.rar.exe

  • Size

    852.2MB

  • MD5

    37d8c5974a5f387bd89405fdd1aea581

  • SHA1

    1e498afbfaf4f79b34ef900273ffadc300f50f1a

  • SHA256

    e5cd8af4c7685c5427354054de735f971df3e8eba9e9352844beeeb21c3bfee8

  • SHA512

    4785bd5fb83bc0cdb555e597a35e8787ad9fbe96b79bbc181ac059404cd7423eaec3943e8d49a24421aeecd14d87625c50ac111fa214be510689c31447d00fc0

  • SSDEEP

    393216:mCMAUBGCDgY9yJUzqsQXh7b3ii/YC2E3SeLsl8vgSy6:mnbByYmT7308V

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://comptetscant.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\r6_internal_free_cheat.rar.exe
    "C:\Users\Admin\AppData\Local\Temp\r6_internal_free_cheat.rar.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Jvc Jvc.cmd & Jvc.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3300
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1360
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 742992
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1868
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Gm
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3120
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Aw" Ultram
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4168
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 742992\Missile.com + Applies + Filled + Accent + Deviation + Guns + Brave + Netscape + Officers + Storage 742992\Missile.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4468
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Regional + ..\Minor + ..\Either + ..\Refugees + ..\Gothic + ..\Utils u
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2380
      • C:\Users\Admin\AppData\Local\Temp\742992\Missile.com
        Missile.com u
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3616
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\742992\Missile.com
    Filesize

    136B

    MD5

    bdd240fde36ab67dacba20c0ac60e497

    SHA1

    ea2709a11e13a59df202c7c24b1e809819281a46

    SHA256

    268d75c78fc36195c232d3d51460bde0dc7781acee37408e81c50b73a3d0083e

    SHA512

    bbb28a3485630943d774d6351bba0d6dee559e05c997ae5fd1beea5dde5fd73a7a6a4b4b0ac379745d6cf35f6735be2ec3374ad4a3150d08602b631b16e4d9c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\742992\Missile.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\742992\u
    Filesize

    475KB

    MD5

    ca5912c9ec5f05cdb1c5b69a3e1cc9e9

    SHA1

    c2497dffcfe06e066fa2e6dc935cf5892120711d

    SHA256

    670413128488eb212d6070f4539a0734c23127a02ed3dd9d99df48dc12e128de

    SHA512

    d36212b1f7fff8a926b0be6823950f9df865d64e6e7c53d22d84c8b8b5c55c8fb8c12ceab331af42876ae5f4923c97c2ccae5426d5163864690a096c69337237

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Accent
    Filesize

    128KB

    MD5

    cdc4850983aa0c38e38bd1c5ea3c0a8c

    SHA1

    28774132652ad30ab99b5ebbe14453aa00ecac9e

    SHA256

    e243e4f12d12f2bee82e1d118b7c2a540fe701cf7c14c098e31fde5d76780c82

    SHA512

    95806983eca623d31c4a468389cc0e71a06b53cba204193fd61c5e311defff91d17b03da557e0da8a4abe4ca46ef579be5302e7f71674f8d910ec21140648f04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Applies
    Filesize

    113KB

    MD5

    22e4cc4b4e6a01a435ef2b2cf9d4ae2e

    SHA1

    5dd27b653213d24f5801f88090b713dd9a5ff96e

    SHA256

    f942b79a29bd76f0d6e66708b89b6db461d92a5eae6ea4555c220ef7b069a3d4

    SHA512

    f3853b529f28f46ad73b03f7e1bfb366738bf5516e87088880dfeb4db937d8f9e428da41bbd8a9f19ba3948d8b91c589e347ea5a94ba7cf0aae5460d3321a2f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Brave
    Filesize

    85KB

    MD5

    f9a5e51274730ff6f68bebf32bd37e77

    SHA1

    c4e98237e94799fadb54d56b9d95ddbfb9896cc7

    SHA256

    351d2cee1ad25d0ea8b5e7f153e266d21787084ac38126211f281c6b5c84fb7e

    SHA512

    3eb9bc8f27cd906c7e15e306ee6f0e8d9f4bf47351f2409cdf2930714b45610bdc6a96c68bd03e0ee1a7f4919caf431308872b8b77358abfdb4ed47eb51e236b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Deviation
    Filesize

    129KB

    MD5

    e928c41942564cb8913765841cf04f25

    SHA1

    294f75238366bb5cd3b1cc0b8e7f0f4e0ac98f7e

    SHA256

    9ca24270c94d4abb65109a3d66c8df25a6e257ffb88947f7e0ffca75b44e8e78

    SHA512

    c3c39938061f6083256677e9b7cd3f9d73a17788e5ef01bea351ede9d4025934b5b84464da921795a2c4d8e5afc2d5383a5fe45fbfb7599c144cbdaf934a0fa6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Either
    Filesize

    94KB

    MD5

    462e0c19616536badc14cbc5bb5c30d7

    SHA1

    4236297c3d315691863d61174a81592128b76971

    SHA256

    a5fe1ad9a4e2ccc4ec5d96941e1035b243019ff449849c6f4a306c94645ca398

    SHA512

    0bb23b2a4eed1fd7dd871786b05fa376ee3a7659c8b6b7e4239de20b7ea11ee9a682b1ad2ee015cad47867ce38d2b44b4f8d8b4beb867494fe5941105edea8e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Filled
    Filesize

    88KB

    MD5

    1a17a767dcbbd6a9d0540b76d36480da

    SHA1

    33e9c3e951f29bc975b34a1beae43f7c9a15ca4a

    SHA256

    c9a746e21586b11d8c7c966fb36d5e6b23b787167aa718a8029d2dfa983d740f

    SHA512

    c9325950991a3ac18466f49979b8262aea6203e30070c9957ff3e5cf397551111e5abda02a31efa7f010a5ca3969f89a42c7d32a4bd34f7319e4d0f7c51805ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gm
    Filesize

    476KB

    MD5

    1e33dd4b10e760ab7758ced44e22bcef

    SHA1

    d2bd3c81a2448c2da09cf172d492f6023b39e6b7

    SHA256

    a911577dd3b05350be00d1d42f73c506ca4303084e633583503b22b712b69bd1

    SHA512

    e7b71bc86c55c7d192f2652a74d67ee475c4e9321962ae17d1b131bd1e4c350b427f8bbcec9549400882cc71a6cb4779920450080657d564fbf23f4183d19712

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gothic
    Filesize

    71KB

    MD5

    79bfa125d6c8994f029dfac6b7affc3d

    SHA1

    b00b2b53a1a8e2cceb8f6385957ab9c30ba1a7ab

    SHA256

    877e2754e58b69df37884908bfd4d141505728f0f5bf1a7ec29fe41bcf042f3d

    SHA512

    5f079a5802b579632abe5a758fab6772cec32bdd57bcc0255cbadf31075616f978f1b2319194bbf6fc35aad9c8feb4e5ebcf6f15bdbda801190c7461cb8a22b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Guns
    Filesize

    120KB

    MD5

    a64f415e1ee063001fbf173ff04051d4

    SHA1

    885ff1a8a83b684e47afd282f940eabf39261898

    SHA256

    e59a4c866d2c324e469321735cc7563cb7e4b1b8d81c67250d6391da760d0dc2

    SHA512

    923a4521e3733c5cfdbbc9473cdfe33a4a856d309f6e4834dc9403aabc3c951d166a89d7b883c4e2e74221919e54622a7d0e22405576e0e7e199af50ba4d83d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Jvc
    Filesize

    9KB

    MD5

    38acf58cb648e0df461ca4d4f4dbe0ed

    SHA1

    557c12a43d9ddc14b724a1eb08e5476839faf8a4

    SHA256

    4709a400319e403f43e5208194bce529bbc190c0fd77586a5bd9674f56b20ad1

    SHA512

    aea50d82dcabc72407776f9780eb9856b94b0184be3c8a7d71d574497c03f6d4de0f33f397936f3ee7f97c263c452ae9a81b9bfa5d9ccee2c96e91e302f1385d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Minor
    Filesize

    63KB

    MD5

    2dae3f1e78cdea1f6c70a2ba347f3657

    SHA1

    f6ca1370aeb039fab7d5e43e5d817f2e375cbc6a

    SHA256

    b5222bbb5366a12d8bc15cf7f0b45844259382b7a80178b2bbd0dedc63cc0fe2

    SHA512

    89dbf47a2803c5bcb7bbee788332eb71141b152b945b18f17579f2da05e95cf8cc1087d90a53ab7738150cf45920db68329c29469e80bf394b35e98b8d7cf852

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Netscape
    Filesize

    91KB

    MD5

    5d7a031f30a220bebb6bf82c62ebfb45

    SHA1

    212ca7de87df0cc711837f5961da5d47fd481012

    SHA256

    23706fca324d201f4e8fbf2a3f1754c701f6701a97beff4aa56869e859cb82b0

    SHA512

    8e7143989b84e55db806af72e907d1cdca964be17b37800632eb7b92a3030ef2bb499a101d3b877e58d9abffb0e7743b73b1be963e7c8289817048e8785b2897

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Officers
    Filesize

    89KB

    MD5

    3ce9ccd550f8f45cff0c215db2098671

    SHA1

    5e5f73092fc2ea47714239ad51b6695b7c6ae96b

    SHA256

    25ece6848b6432d06f6317f9ce2e8c58f988e0abf78f921e9b43ad74f34e19d9

    SHA512

    43988c0dc4bf6f0454265b1e4895598a0758919da092fe5ca19e4d333f0919c28722df03f0282ad6754e479659fa0583e3108e35341383c879613fe611a7cfcd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Refugees
    Filesize

    76KB

    MD5

    aeeeabf1b1f7699078d8b3bf2de64ca8

    SHA1

    5a8cc592d28b6dc2f414dd220d146455028f6fe8

    SHA256

    8aacc1ffad00e2d7a3b1a70891d5efb47e5a7d247cef0666f96b50bd792eab15

    SHA512

    495ac1b2ea9de7d5cfb582de0ae458dcc73883575ee3d38b6fe7e733b92946fb74b612d9e91634ee676fa6156f2416a33c9412866ac1be9e07a26809a71fff67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Regional
    Filesize

    89KB

    MD5

    2031feb788b18c63453d160451b0e2cf

    SHA1

    3ad74b8097f6307efb0e2cdbd0efcc5056fd07a6

    SHA256

    9fd341a6409e50e7c0ca0df98135928d2f0d24626554495e33b2489bb217d41d

    SHA512

    16835172111ff5c17bbf3a03aa49e8fc78459668514f9f839c305ccaa7bfd38d5742189a136b94be41f4300d3b1b0d52cd41a16e1323ad2f56c1d8e037f4fba2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Storage
    Filesize

    81KB

    MD5

    c16c4a01b74e68c0ed8cce567a2361d7

    SHA1

    dd522f5e2a33df224a3c9eed9adc3d50e7dd0666

    SHA256

    c59ff8a06ce249a5992d01edfe7d675ccfc910d2e24bbf9c90e757be9ede6d4b

    SHA512

    f9bead2403a82f44ae87759e8b93d93fee3fe9eec64b8b33146d2df988df05d0d22ca6430076044fb534b836768b558d61853a8c60db5252fc3141978248a0e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ultram
    Filesize

    138B

    MD5

    9eb5a2793730043e1fea41f26f220e98

    SHA1

    6ac96560288d3f2f5256a2db398e2dd3c9c05f69

    SHA256

    fd3e46043fd1345b70c3fe5044c0231ca740ab4f6c255d4ddc0d8da9efb3825d

    SHA512

    c68317506a1a6d7bc35a0a0f95e1c5747323387c616e4e27f19170a3671e398883805036671e7f0d2a1918ccab26d3c520ab83d502d8f907820279c39e13a586

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Utils
    Filesize

    82KB

    MD5

    a7428a8558f5cc5d1e0234b429fffc33

    SHA1

    975dd3dc4317ddde6275fc40485524ef7b141424

    SHA256

    920b54733eec251b06b15a94c425a800edbde3f6f05a34fff8e7af471a9ec1a6

    SHA512

    9c404d556464a417372e1ddfa73d6fa3712f07a1ec8a08ba4a2a4f5a2de2d5033574bddcd526a910a2acc0c01a90f00275b0dd53fc3dacfb09fa9f0619670fc9

    Download Submit

  • memory/3616-64-0x00000000007B0000-0x0000000000807000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3616-65-0x00000000007B0000-0x0000000000807000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3616-67-0x00000000007B0000-0x0000000000807000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3616-68-0x00000000007B0000-0x0000000000807000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3616-66-0x00000000007B0000-0x0000000000807000-memory.dmp

    Filesize

    348KB

    Download