Analysis
max time kernel: 147s
max time network: 157s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 30/04/2023, 15:54
Static task
static1: 1 signatures
Behavioral task
behavioral1: Sample: Setup.exe; Resource: win7-20230220-en; 5 signatures; 150 seconds
General
Target: Setup.exe
Size: 309.0MB
MD5: 254d7550e25a597539d67ffd01e3f1bd
SHA1: 1ea7d651df85cd0e04d8ce3153e01a5cff49af79
SHA256: e57cfd368ad71d81543c22d1e12ef620eca6677254556cc00375fda768f2487f
SHA512: e77b1631ed6308fcf829f8e1cc89c3f3c0033fe7bca2b7b50068f6817c620d81635483fc99e753df5d63f48a389470ca43a747a5a2eb78ca90a0c04f38dffa5d
SSDEEP: 98304:yfvj0c99XePv0bCo88ePugdxMuhL400IkaDBZw1NVGQ6K4ll4b0E/fBY:yfL00Z9bi8edvMuhLVJ9BZeIKql4n
Malware Config
Extracted
Family: lumma
C2: 77.73.134.68
Signatures
Detect Lumma Stealer payload V2 (6 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1684-59-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
behavioral1/memory/1684-60-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
behavioral1/memory/1684-61-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
behavioral1/memory/1684-63-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
behavioral1/memory/1684-65-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
behavioral1/memory/1684-66-0x0000000000400000-0x0000000000432000-memory.dmp  family_lumma_V2
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoCs)
description                          pid  Process    procid_target
PID 748 set thread context of 1684   748  Setup.exe  26
Suspicious use of WriteProcessMemory (14 IoCs)
description                      pid  Process    procid_target
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
PID 748 wrote to memory of 1684  748  Setup.exe  26
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 748
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of PID 748)
      Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
      PID: 1684