Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-06-2024 01:14

General

  • Target

    854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe

  • Size

    1.8MB

  • MD5

    289f27e7a02f8e76ebf39d2c0c3f09e4

  • SHA1

    fb404a7a85d5fb617436f73832e4716556756d6a

  • SHA256

    854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9

  • SHA512

    38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe

  • SSDEEP

    24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H

Malware Config

Extracted

  • Family
    lumma
  • C2
    https://backcreammykiel.shop/api
    https://publicitycharetew.shop/api
    https://computerexcudesp.shop/api
    https://leafcalfconflcitw.shop/api
    https://injurypiggyoewirog.shop/api
    https://bargainnygroandjwk.shop/api
    https://disappointcredisotw.shop/api
    https://doughtdrillyksow.shop/api
    https://facilitycoursedw.shop/api

Signatures

  • DcRat
    DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
  • Lumma Stealer
    An infostealer written in C++, first seen in August 2022.
  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • DCRat payload (2 IoCs)
    Detects the payload of DCRat, commonly dropped by NSIS installers.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials.
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe
    "C:\Users\Admin\AppData\Local\Temp\854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\system32\cacls.exe
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        3⤵
          PID:4592
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
          3⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3220
          • C:\Windows\system32\choice.exe
            choice /c y /n /t 10 /d y
            4⤵
              PID:3132
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f
              4⤵
              • Modifies WinLogon for persistence
              PID:2760
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f
              4⤵
              • Modifies WinLogon for persistence
              PID:5068
            • C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
              C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2560
              • C:\ProgramData\SoftwareDistribution\Bypass.exe
                "C:\ProgramData\SoftwareDistribution\Bypass.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:1240
            • C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
              C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3344
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                5⤵
                  PID:212
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"
                4⤵
                  PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1
  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Winlogon Helper DLL (T1547.004): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Winlogon Helper DLL (T1547.004): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1

Downloads

  • C:\ProgramData\SoftwareDistribution\Bypass.exe
    • Filesize
      1.8MB
    • MD5
      93e99fb34ac2cd9d6e867e24dcafb2ab
    • SHA1
      c6ee148abc972494c2912e68534512160372f4a6
    • SHA256
      8cf7a779191a6b146749de10a52303201d4c72621f04d1336d51f400256d662e
    • SHA512
      65ade8226509bdf7b160f04bc6cbb12c790c7a960ddee6776aa0e6094246062f323a80dd2d858a49aafef5cc5db2ade00a8a42d939ff3571029172aa7d34d877
  • C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
    • Filesize
      1.2MB
    • MD5
      43af303e1f32ce8c477abbfb07887ea2
    • SHA1
      c69b0f73b6219d05cec8258c445af5f39d3313c9
    • SHA256
      37493d6b5fd0f186bb2e70edfafe91f28b43938293965461a7eefb5cca4c36bf
    • SHA512
      68d0ed901c7aa8bc6de3f8d83fea9c0a362d6582ea54b052941f9a02c25b9bb32b096bd8efe73506985ad7b94eea0757a35cb3924e845d8f69216ce999327774
  • C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat
    • Filesize
      9KB
    • MD5
      4c44aab923a5c7719850e5138ecb64c0
    • SHA1
      9634bb1db8ed400b033225a849c88c7908d61b3d
    • SHA256
      63047a792bde6efb6aab1a6dbb178f55b6ae86317d75cb4470e51dd0ef76be2e
    • SHA512
      98fd476c2b48be92a6101ff71514818eca6c7849ad17097b86babbbae9ecc9ff60a0a88c143a6ccbb67f002798531ab3717ad3fd7246de53c49b8daaeebad8f0
  • C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
    • Filesize
      8KB
    • MD5
      67789813c0d52fa2d7bfbffd5d572e6e
    • SHA1
      52389d023f55bda8aba2efdbe82ee48c17f19639
    • SHA256
      ab044df54893f5f2e54233fc6ea4ef6dd8a9a0731a893734f287e62eeae0c3cf
    • SHA512
      467f875a6bf70a39fcb4918952706d41f92c0166c4c2ad2a9c6b2207c7ac076a155dbc9b7682e65f9f9498c3636bd2b04e2aad5b2b89a185ea22bb6146980527
  • C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
    • Filesize
      594KB
    • MD5
      b6c3c00d7cf6d8d13f20dbc590a675ad
    • SHA1
      a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323
    • SHA256
      0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c
    • SHA512
      e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba
  • C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs
    • Filesize
      1KB
    • MD5
      f6c38031293030ef28e5806abb9d072d
    • SHA1
      1c5c39f986c9e717d85321536e44541aa3a6f33b
    • SHA256
      76166b3a990a0f6606fa9ad1ed52daa04ce37f813865c539e5d1f68da9ebeba1
    • SHA512
      8bfbac376e92ce870310926bdf42fbcce4ec10829e508c6e2b546d25da77b78ad8f2b7718c5cc1409962da7214d83f379b3ee6cba6b9849a3a525aa4029035b2
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2y1ix5q0.rjp.ps1
    • Filesize
      60B
    • MD5
      d17fe0a3f47be24a6453e9ef58c94641
    • SHA1
      6ab83620379fc69f80c0242105ddffd7d98d5d9d
    • SHA256
      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    • SHA512
      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • memory/212-47-0x0000000000400000-0x0000000000455000-memory.dmp
    • Filesize
      340KB
  • memory/212-39-0x0000000000400000-0x0000000000455000-memory.dmp
    • Filesize
      340KB
  • memory/1240-53-0x000000001B020000-0x000000001B03C000-memory.dmp
    • Filesize
      112KB
  • memory/1240-52-0x0000000000350000-0x000000000051A000-memory.dmp
    • Filesize
      1.8MB
  • memory/1240-55-0x0000000002700000-0x0000000002710000-memory.dmp
    • Filesize
      64KB
  • memory/1240-54-0x000000001B0B0000-0x000000001B100000-memory.dmp
    • Filesize
      320KB
  • memory/1240-57-0x000000001B100000-0x000000001B156000-memory.dmp
    • Filesize
      344KB
  • memory/1240-56-0x000000001B040000-0x000000001B056000-memory.dmp
    • Filesize
      88KB
  • memory/1240-58-0x000000001B060000-0x000000001B06E000-memory.dmp
    • Filesize
      56KB
  • memory/3220-29-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp
    • Filesize
      10.8MB
  • memory/3220-26-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp
    • Filesize
      10.8MB
  • memory/3220-25-0x00007FF94A3F0000-0x00007FF94AEB1000-memory.dmp
    • Filesize
      10.8MB
  • memory/3220-15-0x000001C87F0C0000-0x000001C87F0E2000-memory.dmp
    • Filesize
      136KB
  • memory/3220-14-0x00007FF94A3F3000-0x00007FF94A3F5000-memory.dmp
    • Filesize
      8KB