Analysis

  • max time kernel
    134s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 08:59

General

  • Target: Main_Satup/Setup.exe
  • Size: 1.1MB
  • MD5: c047ae13fc1e25bc494b17ca10aa179e
  • SHA1: e293c7815c0eb8fbc44d60a3e9b27bd91b44b522
  • SHA256: 6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
  • SHA512: 0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c
  • SSDEEP: 12288:a9hZPq27B7+x3dPC4gvgdVwTzDxsVyY4YoUwpf5kpRG6xsfJAYo2R0B5YD5sW91A:STS27B7+x3E4tdS/Dxkd4YoDfZ90gLS

Score
10/10

Malware Config

Extracted

Family: lumma

C2

https://tubewelfaredopw.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer
    An infostealer written in C++ first seen in August 2022.
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (38 IoCs)
  • Suspicious use of SendNotifyMessage (38 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"
    PID: 1808
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\more.com
      Command line: C:\Windows\SysWOW64\more.com
      PID: 3000
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
        Command line: C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
        PID: 3212
        • Loads dropped DLL
  • C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 1036
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
  • C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    PID: 3560

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9ee43617
    Filesize: 1.8MB
    MD5: dab8ad449fa107af11069be9181f3136
    SHA1: c4bb7f8ff07f21786c352450edde3e5d11362211
    SHA256: 066817cc59d7783b02fdafb3c971ee12893fc1affacc58ae06298dfce3738c60
    SHA512: 1f20b1f0bb52fc85af4481216e399639940511413c2b7c129f22ef7394c140597127303b6767dc6b2b7a11bd110ceca54106988dbe7b384c6be9550256185546

  • C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
    Filesize: 872KB
    MD5: c56b5f0201a3b3de53e561fe76912bfd
    SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
    SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
    SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c