| File name: | XWorm.exe |
| Full analysis: | https://app.any.run/tasks/93212d8c-d03e-45b3-912a-a701057844e9 |
| Verdict: | Malicious activity |
| Threats: | Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. |
| Analysis date: | October 05, 2024, 10:21:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 4F95DB5DA88D844D1E80AC3CF9B820E3 |
| SHA1: | 943FE5036CEEC493FE11227E43EE02267140F06C |
| SHA256: | 8ECA237496B3B1B752960530A7B2B5244C210A0D0B9FDAF1C9A4570C82F40A61 |
| SSDEEP: | 12288:OMViGOl49wvCks08QFGV9upd9qYEjv4VkP9kqW4LP3VXyj:NV0l49wvJoV9uroYEjv4VkPT1LP3VXw |
MALICIOUS
LUMMA has been detected (YARA)
- MSBuild.exe (PID: 6252)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2256)
- MSBuild.exe (PID: 6252)
Connects to the CnC server
- svchost.exe (PID: 2256)
SUSPICIOUS
Process drops legitimate windows executable
- XWorm.exe (PID: 2400)
Starts a Microsoft application from unusual location
- XWorm.exe (PID: 2400)
Executes application which crashes
- XWorm.exe (PID: 2400)
Contacting a server suspected of hosting an CnC
- svchost.exe (PID: 2256)
- MSBuild.exe (PID: 6252)
INFO
Reads the computer name
- MSBuild.exe (PID: 6252)
Checks supported languages
- MSBuild.exe (PID: 6252)
- XWorm.exe (PID: 2400)
Reads the machine GUID from the registry
- MSBuild.exe (PID: 6252)
Creates files or folders in the user directory
- WerFault.exe (PID: 5916)
Checks proxy server information
- WerFault.exe (PID: 5916)
Reads the software policy settings
- MSBuild.exe (PID: 6252)
- WerFault.exe (PID: 5916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Lumma
(PID) Process(6252) MSBuild.exe
C2 (9)mobbipenju.store
eaglepawnoy.store
crusthdisow.store
bathdoomgaz.store
licendfilteo.site
studennotediw.store
dissapoiznw.store
spirittunek.store
clearancek.site
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:10:05 07:01:38+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.41 |
| CodeSize: | 117248 |
| InitializedDataSize: | 419840 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x6f48 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 10.0.19041.3636 |
| ProductVersionNumber: | 10.0.19041.3636 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | WinRTNet MUA HostServer EXE |
| FileVersion: | 10.0.19041.3636 (WinBuild.160101.0800) |
| InternalName: | WinRTNetMUAHostServer EXE |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | WinRTNetMUAHostServer.exe |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 10.0.19041.3636 |
Total processes
124
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2400 | "C:\Users\admin\Desktop\XWorm.exe" | C:\Users\admin\Desktop\XWorm.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WinRTNet MUA HostServer EXE Exit code: 3221225477 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5916 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2400 -s 308 | C:\Windows\SysWOW64\WerFault.exe | XWorm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6252 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | XWorm.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
Lumma(PID) Process(6252) MSBuild.exe C2 (9)mobbipenju.store eaglepawnoy.store crusthdisow.store bathdoomgaz.store licendfilteo.site studennotediw.store dissapoiznw.store spirittunek.store clearancek.site | |||||||||||||||
Total events
9 249
Read events
9 249
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5916 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XWorm.exe_3c5d8fb6cf232dd382132e9caea145ef2a9143_93b2fe73_af4d60b3-1362-485f-8c75-621d0c687f9f\Report.wer | — | |
MD5:— | SHA256:— | |||
| 5916 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BC8.tmp.WERInternalMetadata.xml | xml | |
MD5:3CE27DD7B7E26CEFECDAD843FB9EF34B | SHA256:2B73F0F0A4E38C253E80C14E7A7A7761FD83DCE01A205EF14851AEEB522A6711 | |||
| 5916 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C36.tmp.xml | xml | |
MD5:BC85D3E75F7246E6B6B98C5103367E17 | SHA256:72FC4A3A489ED7E76887C5E4B7DF66EC8BD91A1976168936C9DC717D69A2B136 | |||
| 5916 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B2B.tmp.dmp | binary | |
MD5:61EFC328B601930534D7B9842FDC7422 | SHA256:AC64F708524AF69F676A1F9D0DD4456EF3932F50A31B61395724F11D92136D3C | |||
| 5916 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\XWorm.exe.2400.dmp | binary | |
MD5:86E605F51339A1FDDD1A7C0929CEEACE | SHA256:32E6FF7669B2909A061986B7C3F5D4272A09C4A09C83E546A6C5CD878824DF31 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
35
DNS requests
8
Threats
17
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6588 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6588 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6252 | MSBuild.exe | 104.21.69.130:443 | mobbipenju.store | CLOUDFLARENET | — | malicious |
5916 | WerFault.exe | 13.89.179.12:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6588 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crusthdisow.store |
| unknown |
mobbipenju.store |
| malicious |
watson.events.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) |
6252 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mobbipenju .store in TLS SNI) |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer Related Activity M2 |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Check-In |
— | — | A Network Trojan was detected | ET MALWARE Lumma Stealer CnC Host Checkin |
— | — | Malware Command and Control Activity Detected | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration |
— | — | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Win32/Lumma Stealer Exfiltration |
6252 | MSBuild.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Win32/Lumma Stealer Related Domain (mobbipenju .store in TLS SNI) |
1 ETPRO signatures available at the full report