Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-02-2024 07:10

General

  • Target

    Setup.exe

  • Size

    202KB

  • MD5

    64179e64675e822559cac6652298bdfc

  • SHA1

    cceed3b2441146762512918af7bf7f89fb055583

  • SHA256

    c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

  • SHA512

    ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

  • SSDEEP

    3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://qualifiedbehaviorrykej.site/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1220
        3⤵
        • Program crash
        PID:4024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1168
        3⤵
        • Program crash
        PID:2064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1204
        3⤵
        • Program crash
        PID:1876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2156 -ip 2156
    1⤵
    PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2156 -ip 2156
    1⤵
    PID:1708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2156 -ip 2156
    1⤵
    PID:828

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1917e84d

    Filesize

    1.2MB

    MD5

    246c235905bcb7988fa43f44f74eea82

    SHA1

    e82e8d56a377555ec6d051fa6fda26251df00b63

    SHA256

    233183408da64f55984e5d25f4ee9c3b4718f96887326ff9e51e066e89d0ea36

    SHA512

    ff888a032726c6bdb14b7b3adc612671f8d9635193b37eea3c982582aec568d363865cfef4a1761532e1f59de963ce65e37275c49a8792bfb727c9b0b45e4990

  • memory/2156-13-0x0000000074750000-0x00000000748CB000-memory.dmp

    Filesize

    1.5MB

  • memory/2156-15-0x00007FFD48330000-0x00007FFD48525000-memory.dmp

    Filesize

    2.0MB

  • memory/2156-16-0x00000000731F0000-0x0000000074444000-memory.dmp

    Filesize

    18.3MB

  • memory/2156-20-0x0000000074750000-0x00000000748CB000-memory.dmp

    Filesize

    1.5MB

  • memory/2156-21-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

    Filesize

    4KB

  • memory/2156-22-0x00000000731F0000-0x0000000074444000-memory.dmp

    Filesize

    18.3MB

  • memory/2156-24-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

    Filesize

    4KB

  • memory/2912-0-0x0000000074750000-0x00000000748CB000-memory.dmp

    Filesize

    1.5MB

  • memory/2912-1-0x00007FFD48330000-0x00007FFD48525000-memory.dmp

    Filesize

    2.0MB

  • memory/2912-10-0x0000000074750000-0x00000000748CB000-memory.dmp

    Filesize

    1.5MB

  • memory/2912-11-0x0000000074750000-0x00000000748CB000-memory.dmp

    Filesize

    1.5MB