Analysis
-
max time kernel
40s -
max time network
46s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
28-06-2024 13:21
General
-
Target
9.7.6/9.7.6.lnk
-
Size
1KB
-
MD5
e1a00ff52e4d478249296f61b03f8058
-
SHA1
65ae2d5d15cafc30f29684a68e6fd77aff94f138
-
SHA256
ff9d3aa1b5ba533768b7b4d30e6f42d27edd12461b83a19802889276b0a4237c
-
SHA512
d6157c327162da38647b8c5aeeac88a9042fd73ffb7606f8dc5b9981d27defcf127f7f34d2ed937988ce35c1ecd7b713c6378d96c1c1714ddd1702deeace49d8
Malware Config
Extracted
Protocol: ftp- Host:
94.156.8.173 - Port:
21 - Username:
anonymous - Password:
anonymous@
Extracted
lumma
https://foodypannyjsud.shop/api
https://potterryisiw.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\9.7.6\9.7.6.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9.7.6\test.dist\test.exe"C:\Users\Admin\AppData\Local\Temp\9.7.6\test.dist\test.exe"2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exeC:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 3285⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4592 -ip 45921⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7fu3ohmh\update.exeFilesize
520KB
MD5d4f63513d2b56e6185436de3d4f01540
SHA105bc1e772f50df2c9304a6c8c62f1686a7c44e32
SHA256d3b5d0061fad4b8d09eeffdba62a4f662f64c36cd1862002a05197f76cace4c6
SHA5126f00b734e0cc0c92406c727471eae977b187e45571ca3ad17f797d8a2a079c25384b1d4fef802cc36da7537c893b32bca89de16586317a66db5ebe83f14532a0
-
memory/1356-12-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/1356-13-0x0000000000400000-0x0000000000459000-memory.dmpFilesize
356KB
-
memory/4864-5-0x00007FFEF7EB0000-0x00007FFEF7EDA000-memory.dmpFilesize
168KB
-
memory/4864-4-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmpFilesize
30.7MB
-
memory/4864-15-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmpFilesize
30.7MB
-
memory/4864-18-0x00007FFEF7EB0000-0x00007FFEF7EDA000-memory.dmpFilesize
168KB
-
memory/4864-17-0x00007FF6CAEB0000-0x00007FF6CCD5F000-memory.dmpFilesize
30.7MB