Overview

overview

10

Static

static

3

CheatInjector.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    445s
  • max time network
    1181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-fr
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-frlocale:fr-fros:windows10-2004-x64systemwindows
  • submitted
    29-06-2024 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CheatInjector.exe

  • Size

    507KB

  • MD5

    74fc9ce1b489f3817b04bb3332162450

  • SHA1

    01158dfdec93914f4f72ff59da271a9b89ba9c89

  • SHA256

    b2d867a161a63c67631ed8fe41c64990975627400ac0907862e4e8dad8018ad1

  • SHA512

    51b24b45b07711e9c8651dbc1cd5660704b08dd78ec4bd2afb30f3abc28a897ba1b1e867ae6ba265d16358a19403036661e80d6c987c5f51d66fb00ac70d48a8

  • SSDEEP

    12288:0G0NNkaifcy3CqcNB6PLi2764VOg4l983MdNYgq8aqe:0jyaCcyPWi64VFYHdNDta

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://bitchsafettyudjwu.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CheatInjector.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatInjector.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:4480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 308
        2⤵
        • Program crash
        PID:1652
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4032 -ip 4032
      1⤵
        PID:1436
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4020
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2024
        • C:\Windows\System32\fruvan.exe
          "C:\Windows\System32\fruvan.exe"
          1⤵
            PID:2652

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Peripheral Device Discovery

          1
          T1120

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4020-15-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-7-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-11-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-12-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-5-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-6-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-13-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-17-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-14-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4020-16-0x0000016DFFB60000-0x0000016DFFB61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4032-0-0x0000000000540000-0x0000000000541000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4480-1-0x0000000000400000-0x0000000000458000-memory.dmp
            Filesize

            352KB

            Download
          • memory/4480-4-0x0000000000400000-0x0000000000458000-memory.dmp
            Filesize

            352KB

            Download
          • memory/4480-3-0x0000000000400000-0x0000000000458000-memory.dmp
            Filesize

            352KB

            Download