Overview

overview

10

Static

static

3

Renz Client.exe

windows7-x64

3

Renz Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    256s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Renz Client.exe

  • Size

    950KB

  • MD5

    d558d404080f9d44ce440d6783140f54

  • SHA1

    614b2ef8b9ae235281361033263f3c105b0fa250

  • SHA256

    28d1fde37c29dffc998ae4b22da6fe8dababe746b440aa17cdae45a6372ab16c

  • SHA512

    f732bbb2c0644797509905e56aff2d7840af7fd190818531d2d7ba61c10e2f97eb9c0825e4c8d9b64035bfba39de072f5389b5ffa1d972c4316096958f05033e

  • SSDEEP

    24576:5KdodQCtwExZxOFyyUF73GE7mRSSUQH5np1eOURJ8sGUM:dwExZxOFVXMmR9rnfEYsnM

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://piedsiggnycliquieaw.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Renz Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Renz Client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2300
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
          PID:2276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 280
          2⤵
          • Program crash
          PID:4524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4776 -ip 4776
        1⤵
          PID:3432
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /7
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2540

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2276-4-0x0000000000400000-0x000000000045A000-memory.dmp
          Filesize

          360KB

          Download
        • memory/2276-1-0x0000000000400000-0x000000000045A000-memory.dmp
          Filesize

          360KB

          Download
        • memory/2276-3-0x0000000000400000-0x000000000045A000-memory.dmp
          Filesize

          360KB

          Download
        • memory/2540-5-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-6-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-7-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-11-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-17-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-16-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-15-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-14-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-13-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2540-12-0x0000023C2B3C0000-0x0000023C2B3C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4776-0-0x0000000000590000-0x0000000000591000-memory.dmp
          Filesize

          4KB

          Download