Analysis

  • max time kernel
    316s
  • max time network
    481s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02-05-2024 12:59

General

  • Target

    1714654664.9576216_setup.exe

  • Size

    3.5MB

  • MD5

    9c773ca35120d278e934beaa281ee353

  • SHA1

    b9d6b488006eb05f85d790b12144309ab2d4be67

  • SHA256

    7ced2a74467a6c893720a90362b09991fea0eba0f682556fd15f08a9fd7a9ac9

  • SHA512

    9a33b36ca3215dbd2e37ad343bb627173f3985bc44162552354b5eec5f725fac0b1db985a7df2fef7fcf046f2b3b2e5473c377344470395e4f1284f4e2c6bebf

  • SSDEEP

    98304:42b6HbvKrNUkWvjPJ6taLV18tRN8dru7C3mXWVwnw:42OHbSrikO12aX8twdeC3Vo

Malware Config

Extracted

Family

lumma

C2

https://shatterbreathepsw.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Modifies firewall policy service (2 TTPs, 1 IoCs)
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\1714654664.9576216_setup.exe"
    • Modifies firewall policy service
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Users\Admin\Documents\SimpleAdobe\9WfGoiso18ihLwttuoWWB4RE.exe
      C:\Users\Admin\Documents\SimpleAdobe\9WfGoiso18ihLwttuoWWB4RE.exe
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        PID:1128
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
    PID:2072
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Privilege Escalation
    • Create or Modify System Process (T1543): 1
      • Windows Service (T1543.003): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 1
      • Credentials In Files (T1552.001): 1
  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 1
  • Command and Control
    • Web Service (T1102): 1


Downloads

  • C:\Users\Admin\Documents\SimpleAdobe\9WfGoiso18ihLwttuoWWB4RE.exe

    Filesize
    8.6MB

    MD5
    7e37f8c945d005226870e60aa2baea93

    SHA1
    d8a457a032ead8cc0d692efd497914e8cc69e8a4

    SHA256
    d130f492c40697a34e2d1e7b1e9a5e3ba37c7f6b4271271fba6b5c1e9048af8b

    SHA512
    d6dfcbd1f7bca1e712bdb184a27c5a06eb1073f03529fd6be9ed2cd231e4906edf9c7bb6fd89453a7e062cc317e4655b19825fdbf7a32d0f2c3ac3ef4bc2f8d6

  • memory/592-32-0x00007FF672850000-0x00007FF67318E000-memory.dmp

    Filesize
    9.2MB

  • memory/592-36-0x00007FF672850000-0x00007FF67318E000-memory.dmp

    Filesize
    9.2MB

  • memory/1128-35-0x0000000000800000-0x000000000085B000-memory.dmp

    Filesize
    364KB

  • memory/1128-37-0x0000000000800000-0x000000000085B000-memory.dmp

    Filesize
    364KB

  • memory/4372-0-0x0000000140000000-0x0000000140547000-memory.dmp

    Filesize
    5.3MB

  • memory/4372-1-0x0000000140509000-0x000000014050A000-memory.dmp

    Filesize
    4KB

  • memory/4372-28-0x0000000140000000-0x0000000140547000-memory.dmp

    Filesize
    5.3MB

  • memory/4372-29-0x0000000140000000-0x0000000140547000-memory.dmp

    Filesize
    5.3MB