Overview

overview

10

Static

static

1

lSetup.exe

windows7-x64

5

lSetup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-02-2024 18:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lSetup.exe

  • Size

    202KB

  • MD5

    64179e64675e822559cac6652298bdfc

  • SHA1

    cceed3b2441146762512918af7bf7f89fb055583

  • SHA256

    c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

  • SHA512

    ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

  • SSDEEP

    3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://qualifiedbehaviorrykej.site/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\lSetup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:5012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1168
        3⤵
        • Program crash
        PID:1240
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 756
        3⤵
        • Program crash
        PID:4020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 756
        3⤵
        • Program crash
        PID:3956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1160
        3⤵
        • Program crash
        PID:4636
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5012 -ip 5012
    1⤵
      PID:4664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5012 -ip 5012
      1⤵
        PID:772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5012 -ip 5012
        1⤵
          PID:1740
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5012 -ip 5012
          1⤵
            PID:1412

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\9a9010fd
            Filesize

            1.2MB

            MD5

            c4c3d0b4829295701801a5c7036bc640

            SHA1

            adb70cb0264a8dee1850f05a964118cc14e5c12c

            SHA256

            41bbaa38832596440e402ff5f4d6ef0b0bc1738711756e9910ecc5af30029554

            SHA512

            9126c8737575553fb912ae666909280c220bc24434813dab1574429d04f36cc8afbcc9b65a5c458f39f3efca03fed7cfb731f7c513d4d58be2afa90e94a71493

            Download Submit

          • memory/1656-1-0x00007FFBCC130000-0x00007FFBCC325000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1656-10-0x0000000074C50000-0x0000000074DCB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/1656-11-0x0000000074C50000-0x0000000074DCB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/1656-0-0x0000000074C50000-0x0000000074DCB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/5012-15-0x00007FFBCC130000-0x00007FFBCC325000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/5012-13-0x0000000074C50000-0x0000000074DCB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/5012-16-0x00000000736F0000-0x0000000074944000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/5012-20-0x00000000736F0000-0x0000000074944000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/5012-21-0x0000000074C50000-0x0000000074DCB000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/5012-23-0x0000000000BF0000-0x0000000000C22000-memory.dmp

            Filesize

            200KB

            Download

          • memory/5012-22-0x0000000000BF0000-0x0000000000C22000-memory.dmp

            Filesize

            200KB

            Download

          • memory/5012-24-0x00000000736F0000-0x0000000074944000-memory.dmp

            Filesize

            18.3MB

            Download