Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 13:18

General

  • Target

    Setup.exe

  • Size

    2.4MB

  • MD5

    9fb4770ced09aae3b437c1c6eb6d7334

  • SHA1

    fe54b31b0db8665aa5b22bed147e8295afc88a03

  • SHA256

    a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

  • SHA512

    140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

  • SSDEEP

    49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://penetratedworrsyw.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api
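The nine C2 URLs above are the most durable indicators in this report: the host names survive in DNS and proxy telemetry even when the /api path does not. The following sweep is an added example, not part of the sandbox report or the Triage tooling; the C2 list is copied from the config above, while the log layout (timestamp, source IP, destination, status) and the log lines themselves are constructed for illustration. It also treats subdomains of a listed host as hits, which is an assumption of this example rather than something the report states.

```python
"""Sweep proxy/DNS-style log lines for the Lumma C2 hosts listed in the report.

Added example. C2 URLs are copied from the report's Malware Config section;
the log format and the sample lines are constructed for this example.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report above.
LUMMA_C2_URLS = [
    "https://penetratedworrsyw.shop/api",
    "https://acceptabledcooeprs.shop/api",
    "https://obsceneclassyjuwks.shop/api",
    "https://zippyfinickysofwps.shop/api",
    "https://miniaturefinerninewjs.shop/api",
    "https://plaintediousidowsko.shop/api",
    "https://sweetsquarediaslw.shop/api",
    "https://holicisticscrarws.shop/api",
    "https://boredimperissvieos.shop/api",
]

# Constructed sample telemetry: "<timestamp> <src-ip> <destination> <status>".
# Line 4 is a deliberate near-miss (IOC as a suffix of an unrelated label),
# line 3 differs only in case, line 5 is a subdomain of a listed host.
SAMPLE_LOG = [
    "2024-05-09T13:19:02Z 10.0.0.15 https://penetratedworrsyw.shop/api 200",
    "2024-05-09T13:19:05Z 10.0.0.15 www.microsoft.com:443 200",
    "2024-05-09T13:19:07Z 10.0.0.22 ACCEPTABLEDCOOEPRS.SHOP:443 200",
    "2024-05-09T13:19:09Z 10.0.0.15 https://notpenetratedworrsyw.shop/api 200",
    "2024-05-09T13:19:11Z 10.0.0.31 cdn.zippyfinickysofwps.shop:443 200",
]


def c2_hosts(urls):
    """Reduce each C2 URL to its lowercase hostname."""
    return {urlsplit(u).hostname.lower() for u in urls}


def extract_host(field):
    """Pull a hostname out of a destination field that is either a full URL
    or a bare host[:port]. urlsplit() is only safe when a scheme is present;
    a bare 'host:443' would otherwise be parsed as scheme 'host'."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.split(":", 1)[0].lower()


def host_matches(host, iocs):
    """True if host equals an IOC or is a subdomain of one (assumption: the
    report lists bare hosts, proxies may log 'www.' or CDN-style prefixes).
    The '.' + ioc check stops 'notpenetratedworrsyw.shop' from matching."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def sweep(log_lines, iocs):
    """Return (line_number, matched_host) for every line whose destination
    field (index 2 in the constructed layout) hits an IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash the sweep
        host = extract_host(fields[2])
        if host and host_matches(host, iocs):
            hits.append((n, host))
    return hits


if __name__ == "__main__":
    for line_no, host in sweep(SAMPLE_LOG, c2_hosts(LUMMA_C2_URLS)):
        print(f"line {line_no}: {host}")
```

Feed it your own exported proxy or DNS lines (adjust the field index to your schema); anything it returns is a beacon candidate to pivot on, not a confirmed infection, since blocked or sinkholed lookups will also match.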

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        PID:1716
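The process tree above, read together with the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures, is the classic hollowing shape: a sample launched from the user's Temp directory starts a Windows binary (netsh.exe) with no arguments, which in turn starts another (SearchIndexer.exe) with no arguments, and the report shows cross-process memory writes from each parent. The detector below is an added example, not part of the report or of Triage; it reconstructs the parent chain from Sysmon-style process-creation events and flags argument-less system binaries whose ancestry leads back to a user Temp path. The event records, including the two benign control cases, are constructed for this example, with the PIDs and paths taken from the tree above.

```python
"""Flag hollowing-style chains: temp-dir parent -> bare system binary -> ...

Added example. Events are constructed in the shape of Sysmon process-creation
records (pid, ppid, image, cmdline); PIDs and paths mirror the report's tree.
"""
import re

# Paths seen in the report's process tree, used as this example's patterns.
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events. 4712 (explorer) and the two trailing entries are benign
# controls: a netsh with real arguments and the normal SearchIndexer launch.
SAMPLE_EVENTS = [
    {"pid": 4712, "ppid": 900, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 3948, "ppid": 4712, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe",
     "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe\""},
    {"pid": 552, "ppid": 3948, "image": "C:\\Windows\\SysWOW64\\netsh.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\netsh.exe"},
    {"pid": 1716, "ppid": 552, "image": "C:\\Windows\\SysWOW64\\SearchIndexer.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\SearchIndexer.exe"},
    {"pid": 6100, "ppid": 4712, "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh.exe advfirewall show allprofiles"},
    {"pid": 6200, "ppid": 1200, "image": "C:\\Windows\\System32\\SearchIndexer.exe",
     "cmdline": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding"},
]


def is_bare_cmdline(image, cmdline):
    """True when the command line is just the image path (quoted or not):
    the binary was started with no arguments, as both netsh.exe and
    SearchIndexer.exe were in the report."""
    return cmdline.strip().strip('"').lower() == image.lower()


def is_system_binary(image):
    return image.lower().startswith(SYSTEM_DIRS)


def is_user_temp(image):
    return bool(USER_TEMP_RE.match(image))


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def chain(pid, procs):
    """Walk ppid links upward and return the images root-first.
    The 'seen' set guards against PID reuse producing a cycle."""
    images, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        images.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(images))


def find_hollowing_chains(events):
    """Return (pid, root-first image chain) for every process that is an
    argument-less system binary and whose ancestors, through any number of
    other argument-less system binaries, reach a binary in a user Temp dir."""
    procs = index_by_pid(events)
    hits = []
    for e in events:
        if not (is_system_binary(e["image"]) and is_bare_cmdline(e["image"], e["cmdline"])):
            continue
        pid, seen = e["ppid"], set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            parent = procs[pid]
            if is_user_temp(parent["image"]):
                hits.append((e["pid"], chain(e["pid"], procs)))
                break
            # Keep walking only through intermediate hollowed hosts.
            if not (is_system_binary(parent["image"])
                    and is_bare_cmdline(parent["image"], parent["cmdline"])):
                break
            pid = parent["ppid"]
    return hits


if __name__ == "__main__":
    for pid, images in find_hollowing_chains(SAMPLE_EVENTS):
        print(pid, " -> ".join(images))
```

The bare-command-line test is what separates the hollowed netsh.exe and SearchIndexer.exe from their legitimate uses; on real telemetry pair it with the corresponding ProcessAccess (Sysmon Event ID 10) records from the parent, which is where the WriteProcessMemory and SetThreadContext activity the report flags actually shows up.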

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\a0c2303f

      Filesize

      1.0MB

      MD5

      766af7198185b728c5b7d98c3868555a

      SHA1

      5f59de943450d8ac9d7e51cf2a79093da64c560f

      SHA256

      1c498970cdb076855faf2cc43bed2aa933617b4ff27cae5cc6aac1957c102bb4

      SHA512

      000bb5e1c8fd12b411dbadcc0958a60231fb939280dc5aa55c5a2dc383534e6bc1a40aeca4b8ca4a1aaa828f766ba52568fc560dc917acff3901afedca14579a

    • memory/552-12-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

      Filesize

      2.0MB

    • memory/552-20-0x000000007300E000-0x0000000073010000-memory.dmp

      Filesize

      8KB

    • memory/552-15-0x0000000073001000-0x000000007300F000-memory.dmp

      Filesize

      56KB

    • memory/552-14-0x0000000073001000-0x000000007300F000-memory.dmp

      Filesize

      56KB

    • memory/552-13-0x000000007300E000-0x0000000073010000-memory.dmp

      Filesize

      8KB

    • memory/552-10-0x0000000073001000-0x000000007300F000-memory.dmp

      Filesize

      56KB

    • memory/1716-17-0x0000000000B90000-0x0000000000BEB000-memory.dmp

      Filesize

      364KB

    • memory/1716-16-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

      Filesize

      2.0MB

    • memory/1716-18-0x0000000000FFB000-0x0000000001002000-memory.dmp

      Filesize

      28KB

    • memory/1716-19-0x0000000000B90000-0x0000000000BEB000-memory.dmp

      Filesize

      364KB

    • memory/3948-8-0x0000000073000000-0x000000007317B000-memory.dmp

      Filesize

      1.5MB

    • memory/3948-7-0x0000000073000000-0x000000007317B000-memory.dmp

      Filesize

      1.5MB

    • memory/3948-6-0x0000000073012000-0x0000000073014000-memory.dmp

      Filesize

      8KB

    • memory/3948-0-0x0000000073000000-0x000000007317B000-memory.dmp

      Filesize

      1.5MB

    • memory/3948-1-0x00007FFA932D0000-0x00007FFA934C5000-memory.dmp

      Filesize

      2.0MB