Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
29-06-2024 16:42
General
-
Target
Cheat.zip
-
Size
50.5MB
-
MD5
d52276dc06c94488225745c77164b851
-
SHA1
1daa41d4a530495e3330cdb02c9c68aecf4851ea
-
SHA256
4da4f79df8c557f7aff954656c0f57de9aa4e612689d416121c9040202e1535c
-
SHA512
3475dd3c4e91811d9549d0805756ce7db6df825c0a2e01999f8d39266cc2fc64ab1d8ce573df456315ee05c17111d1f41dabc99ed8c86bac6fca4b1e71fadde6
-
SSDEEP
1572864:9UgurkcyRRZpcfN22PSXOX+rMSaPWR4yPP1FIrtkYa:9n8kce3cfN2GSXqPWyiUZkB
Score
10/10
Malware Config
Extracted
Family
lumma
C2
https://bitchsafettyudjwu.shop/api
https://potterryisiw.shop/api
https://foodypannyjsud.shop/api
https://contintnetksows.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Suspicious use of SetThreadContext 14 IoCs
-
Program crash 14 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 32 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Cheat.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4124 -ip 41241⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 2802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2100 -ip 21001⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 2682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 50921⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 2522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2928 -ip 29281⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1592 -ip 15921⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3784 -ip 37841⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 2442⤵
- Program crash
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 2922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4528 -ip 45281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1780 -ip 17801⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4300 -ip 43001⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 3002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 49401⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 2882⤵
- Program crash
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1962⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3232 -ip 32321⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 2802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3852 -ip 38521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2388 -ip 23881⤵
-
C:\Users\Admin\Desktop\sa\CheatInjector.exe"C:\Users\Admin\Desktop\sa\CheatInjector.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 3002⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2196 -ip 21961⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/848-33-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-24-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-31-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-30-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-26-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-32-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-35-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-25-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-36-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/848-34-0x000001CC766B0000-0x000001CC766B1000-memory.dmpFilesize
4KB
-
memory/1640-9-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1864-0-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1864-4-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1864-3-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/2100-8-0x00000000011C0000-0x00000000011C1000-memory.dmpFilesize
4KB
-
memory/4124-1-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB