Overview

overview

10

Static

static

1

0P3N.ME-VE...O].zip

windows10-2004-x64

10

Analysis

  • max time kernel
    237s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0P3N.ME-VER[%xEkCCOC#HuO].zip

  • Size

    12.0MB

  • MD5

    6e0f86bd8de38abfb21f5c2ed34d322e

  • SHA1

    278e8c98c707836522bb988919ac610155de344a

  • SHA256

    a8bd7db8fd786b347734747368791d8017120cf5858453b96417c4a4ff2c6765

  • SHA512

    655ec0a1d0723a23ae5c5732e6cfed2ad64e3581265a3c28ceb2fff4075fb9f062ff3c60437f4cf635540fa5b4918c99b43514ebc8bf157aca035528a1ff2ba5

  • SSDEEP

    196608:DEqConWmlQxDh4j+5TDj4rk0UF4VI41YpXvN35D1AAqODFnIMdmEBIAgcXNQ:DEqRHQN6y5T3pYm4HAqODiMkEBIAgkQ

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://deedcompetlk.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\0P3N.ME-VER[%xEkCCOC#HuO].zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap10256:356:7zEvent16065 -ad -saa -- "C:\7zE46CE6538"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2344
    • C:\Users\Admin\Desktop\New folder\Bootstrapper V2.exe
      "C:\Users\Admin\Desktop\New folder\Bootstrapper V2.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1264
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "opssvc wrsa"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2336
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4828
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3516
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 347157
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2412
        • C:\Windows\SysWOW64\extrac32.exe
          extrac32 /Y /E National
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1036
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "Cheese" Difficulties
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3780
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4980
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2900
        • C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
          Folding.com j
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2720
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4412
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3568
    • C:\Users\Admin\Desktop\New folder\Bootstrapper V2.exe
      "C:\Users\Admin\Desktop\New folder\Bootstrapper V2.exe"
      1⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        PID:760
    • C:\Windows\System32\NOTEPAD.EXE
      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\Briefly.cmd
      1⤵
        PID:4036

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
        Filesize

        1KB

        MD5

        bc0c466ea461f70dc2bab92020f1e643

        SHA1

        f17c66912508e95eac59bda2e773849600471a88

        SHA256

        f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1

        SHA512

        b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
        Filesize

        925KB

        MD5

        62d09f076e6e0240548c2f837536a46a

        SHA1

        26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

        SHA256

        1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

        SHA512

        32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\347157\j
        Filesize

        494KB

        MD5

        549720d78c44a4ca96f98a02d7376be0

        SHA1

        c18a7ddd59ea61df41acfac5544aadc72bb6acba

        SHA256

        37204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67

        SHA512

        392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Accessibility
        Filesize

        118KB

        MD5

        539587208032af4b529a60d530f100a4

        SHA1

        ef39ddfa82f53bde5a674e51318aa3ce9a8789b2

        SHA256

        bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662

        SHA512

        4c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Advertise
        Filesize

        55KB

        MD5

        eaab0c7db38adca2364923dc1bb8bacf

        SHA1

        182819623bdee90678ae233b8094d05e51d48d68

        SHA256

        5a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0

        SHA512

        53d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Any
        Filesize

        15KB

        MD5

        59051edf957c7f4fec5e278f07cfdaa9

        SHA1

        409217185334c187412941583e5814753d3f670f

        SHA256

        71cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f

        SHA512

        f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Architectural
        Filesize

        102KB

        MD5

        ac3b8c0b9d965801a696519bc3bce457

        SHA1

        c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c

        SHA256

        fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66

        SHA512

        0aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Basement
        Filesize

        63KB

        MD5

        44a805a4e5ba191661485ef167275506

        SHA1

        45c2594c944f02e5260bd97a185c2f21ab232182

        SHA256

        e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0

        SHA512

        a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Bowling
        Filesize

        106KB

        MD5

        7cbcc0fbb084bead6d5bbb8a00cbb997

        SHA1

        75bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb

        SHA256

        e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d

        SHA512

        6b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Briefly
        Filesize

        23KB

        MD5

        bb009bb1ab11657dd763b3a85e90f26f

        SHA1

        32fb786e48105f1574e8d345e66d2b16fc051d6e

        SHA256

        e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c

        SHA512

        ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Chapters
        Filesize

        56KB

        MD5

        19f399e75e91c4917cce10422db7b0fb

        SHA1

        145fb431681a91d64a77b0ca99ba31b4ed7457b9

        SHA256

        bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7

        SHA512

        25b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Continuous
        Filesize

        119KB

        MD5

        87cfc9cbddca81f037640e23869fd727

        SHA1

        e71c0a8106944e238edba3b2d6194cf5cb383168

        SHA256

        f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2

        SHA512

        2a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Destruction
        Filesize

        75KB

        MD5

        e9ed56e42470ceb7a46263c49b9d8110

        SHA1

        13794b6f705be789af214a4f81585dee3710512b

        SHA256

        d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20

        SHA512

        ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Difficulties
        Filesize

        1KB

        MD5

        d2ac6356ed5ed3a32e46acb2f47d68f5

        SHA1

        e41205fe32c1ed0cc4a265e942dd472a76a22592

        SHA256

        6b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc

        SHA512

        47bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Florida
        Filesize

        81KB

        MD5

        35ee0a5fee1964bd57f2c66347d726df

        SHA1

        d37bb5ba2456a310891f93d8e9ae1ad196dabcf6

        SHA256

        9b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181

        SHA512

        2006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Msg
        Filesize

        91KB

        MD5

        478eae0d2d8bc46181226c275688315d

        SHA1

        674d1c954b6ba8bc77ea6e112912b2fbde64fbeb

        SHA256

        aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1

        SHA512

        9833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\National
        Filesize

        478KB

        MD5

        f5406ccecddc6c9bd30ed30343c756ab

        SHA1

        080ebf3593ee3c272e7e4f7c98fee6d326da45f8

        SHA256

        a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938

        SHA512

        a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Passenger
        Filesize

        68KB

        MD5

        355fafaeefdaaa291b3f48356e24216c

        SHA1

        c675a50bffcf18f357966ec51e0adaf05a25b86b

        SHA256

        d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb

        SHA512

        f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Rt
        Filesize

        86KB

        MD5

        fc6c4e0bdb11443834c6af5b2ff6e6bb

        SHA1

        3c4bf0970e36371844c9a27a041fd09cbf65cf56

        SHA256

        445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402

        SHA512

        9588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Saddam
        Filesize

        54KB

        MD5

        7b8c4652937f053027395d23ef6c5b93

        SHA1

        3e203439da403069184a56d40d00b51e8a03a2cf

        SHA256

        733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024

        SHA512

        67b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Stretch
        Filesize

        58KB

        MD5

        110f9b2d470e415d55f8a0d78ae1f8a1

        SHA1

        eeb9c0bf82f9a797fceed7d9725221348f45dcf1

        SHA256

        fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138

        SHA512

        1a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Terrace
        Filesize

        50KB

        MD5

        6f3b4f30afb0c2fc164daaee95348815

        SHA1

        c59e8d78f11d5af9aca282d52752c0846292d5e6

        SHA256

        987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890

        SHA512

        ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Visa
        Filesize

        137KB

        MD5

        0fffca2125ec2d790c02b2bcd12ec8aa

        SHA1

        55883ab44b36fa0efe4747e2653786fbda5b60a5

        SHA256

        9dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96

        SHA512

        53d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Welding
        Filesize

        83KB

        MD5

        9a2d8d245f55c0918e6a7e8b9e22ed25

        SHA1

        827ace99c5e1570e3ea912e67dcf7ef6851c3ee1

        SHA256

        e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b

        SHA512

        076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1

        Download Submit

      • memory/2720-608-0x0000000004950000-0x00000000049AB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/2720-611-0x0000000004950000-0x00000000049AB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/2720-612-0x0000000004950000-0x00000000049AB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/2720-610-0x0000000004950000-0x00000000049AB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/2720-609-0x0000000004950000-0x00000000049AB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/3568-592-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-595-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-594-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-593-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-596-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-597-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-585-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-591-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-587-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3568-586-0x0000022AE54A0000-0x0000022AE54A1000-memory.dmp

        Filesize

        4KB

        Download