Analysis
  max time kernel: 155s
  max time network: 159s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/04/2023, 15:54

Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20230220-en
  5 signatures
  150 seconds
General
  Target: Setup.exe
  Size: 309.0MB
  MD5: 254d7550e25a597539d67ffd01e3f1bd
  SHA1: 1ea7d651df85cd0e04d8ce3153e01a5cff49af79
  SHA256: e57cfd368ad71d81543c22d1e12ef620eca6677254556cc00375fda768f2487f
  SHA512: e77b1631ed6308fcf829f8e1cc89c3f3c0033fe7bca2b7b50068f6817c620d81635483fc99e753df5d63f48a389470ca43a747a5a2eb78ca90a0c04f38dffa5d
  SSDEEP: 98304:yfvj0c99XePv0bCo88ePugdxMuhL400IkaDBZw1NVGQ6K4ll4b0E/fBY:yfL00Z9bi8edvMuhLVJ9BZeIKql4n
Malware Config (Extracted)
  Family: lumma
  C2: 77.73.134.68
Signatures

Detect Lumma Stealer payload V2 (4 IoCs)
  resource                                                          | yara_rule
  behavioral2/memory/2896-134-0x0000000000400000-0x0000000000432000-memory.dmp | family_lumma_V2
  behavioral2/memory/2896-136-0x0000000000400000-0x0000000000432000-memory.dmp | family_lumma_V2
  behavioral2/memory/2896-137-0x0000000000400000-0x0000000000432000-memory.dmp | family_lumma_V2
  behavioral2/memory/2896-138-0x0000000000400000-0x0000000000432000-memory.dmp | family_lumma_V2

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  description                              | pid  | Process   | procid_target
  PID 3260 set thread context of 2896      | 3260 | Setup.exe | 84

Suspicious use of WriteProcessMemory (10 IoCs)
  description                              | pid  | Process   | procid_target
  PID 3260 wrote to memory of 2896         | 3260 | Setup.exe | 84
  (the same row is reported 10 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   PID: 3260
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (child of PID 3260)
      Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
      PID: 2896