Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 16:40

General

  • Target

    New Setup File/Setup.exe

  • Size

    1.1MB

  • MD5

    c047ae13fc1e25bc494b17ca10aa179e

  • SHA1

    e293c7815c0eb8fbc44d60a3e9b27bd91b44b522

  • SHA256

    6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf

  • SHA512

    0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c

  • SSDEEP

    12288:a9hZPq27B7+x3dPC4gvgdVwTzDxsVyY4YoUwpf5kpRG6xsfJAYo2R0B5YD5sW91A:STS27B7+x3E4tdS/Dxkd4YoDfZ90gLS

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://declineforntyuekw.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://roomabolishsnifftwk.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Setup File\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\New Setup File\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Roaming\Quickly_V12\JMFGMWUVPOFNHLUSAK\Setup.exe
      C:\Users\Admin\AppData\Roaming\Quickly_V12\JMFGMWUVPOFNHLUSAK\Setup.exe
      2⤵
      • Executes dropped EXE
      PID:2664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 836
        3⤵
        • Program crash
        PID:1796
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Users\Admin\AppData\Local\Temp\GUF.au3
        C:\Users\Admin\AppData\Local\Temp\GUF.au3
        3⤵
        • Loads dropped DLL
        PID:2012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2664 -ip 2664
    1⤵
    PID:4512
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResumeCompare.jpe" /ForceBootstrapPaint3D
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3972
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:1732
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3096
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f89dab58,0x7ff9f89dab68,0x7ff9f89dab78
      2⤵
      PID:3700
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:2
      2⤵
      PID:2176
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:2316
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2320 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:1544
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:1
      2⤵
      PID:452
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:1
      2⤵
      PID:2460
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:1
      2⤵
      PID:764
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:4912
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:1588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:2652
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:2872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1912,i,3743096852069024395,11215886155230791398,131072 /prefetch:8
      2⤵
      PID:2596
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:3280

Network

MITRE ATT&CK Enterprise v15

Downloads

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                  Filesize

                                  2B

                                  MD5

                                  d751713988987e9331980363e24189ce

                                  SHA1

                                  97d170e1550eee4afc0af065b78cda302a97674c

                                  SHA256

                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                  SHA512

                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                  Filesize

                                  356B

                                  MD5

                                  288188033ffd2f4f1a965681bb277b9d

                                  SHA1

                                  05211ad4f317bcdc25dcfe3ae57c79d86240d8c4

                                  SHA256

                                  9a381714c2cd8e355cb7f6c61c5b304f5f4914e0a614ca1b65c8908513f30cc1

                                  SHA512

                                  2449a64dc786aed7fe6b3be39087581a4c2dbeb6dd4282f7496a5d2ba7551bd2f750c59a31f579fa175c518a406271557bcdc69048dce896dd5efab8ac6c4b59

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  8d78e2442aff66bef5041a0ede5fd1ca

                                  SHA1

                                  2a14d940dda1a55426699c802b69130da2a83737

                                  SHA256

                                  b171dafd12b550dd8c5a3bc10c765018027e1d98bb3acf3eab8bc3d9100cd6d8

                                  SHA512

                                  af9edf122897fd26c5fdd6d1233ded8ed5c36dc7895b36406438e9291149684203a09be1c0804637fd84d7d3d3585409c5624cae5b3b24ec33e7031f2508e1e5

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                  Filesize

                                  262KB

                                  MD5

                                  f8629652dbffd09a1d2e3f384d502907

                                  SHA1

                                  fbce46c334e1e306a930841963b676406e2a1645

                                  SHA256

                                  be3d780779cb3ed8209c6dd85829ec682ade921f4608f1c0d6cc1fa90ab8e570

                                  SHA512

                                  6fd2fedbe5bd850a945e4b3619e29dd5182dbcc8800d2440de7b5ec0d4d2ec781a8d6d440c4e009f9cc1c6eb6f924b57e9c536eab25c3e8b7cfd9787ce071747

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                  Filesize

                                  257KB

                                  MD5

                                  076479982ac8f0e9596ac7664ccbe669

                                  SHA1

                                  25529f1d2b7a20bd767c53fa4517f50fd74fe957

                                  SHA256

                                  997a6a953e67cbe95553faff9fb50a14fc22d6cc8c9d8b1694850c06c9d1703b

                                  SHA512

                                  14b90a555ec176621869cf1cd0a80728e7fea2402f9a06f2198fd08ca3ea1708abed33e432e40f18e0cdb1b4973cebd32e85b8aeaf93828b714857783a2ebc2b

                                • C:\Users\Admin\AppData\Local\Temp\GUF.au3

                                  Filesize

                                  872KB

                                  MD5

                                  c56b5f0201a3b3de53e561fe76912bfd

                                  SHA1

                                  2a4062e10a5de813f5688221dbeb3f3ff33eb417

                                  SHA256

                                  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                                  SHA512

                                  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                                • C:\Users\Admin\AppData\Local\Temp\c542d404

                                  Filesize

                                  1.9MB

                                  MD5

                                  276ea4fb37ad0ab34316e72e72ccb789

                                  SHA1

                                  4f9f9bab9e6b0d5db0917cbb4336d5bc4fe01961

                                  SHA256

                                  917893f6c9d9ad7644a436a43f0b6e98f053413c71af6dbbef6708f8422c3f58

                                  SHA512

                                  1cf2fed49c1f90376c1457558cb600f95accd4545902811a53bb85970ab113d6e35672b5dfcf538c75e206cc3fe3eea1ae03c724c2d78a5f68f882ad4b963b8e

                                • C:\Users\Admin\AppData\Roaming\Quickly_V12\JMFGMWUVPOFNHLUSAK\Setup.exe

                                  Filesize

                                  111KB

                                  MD5

                                  9f262921a7fbd432c3a694a372caf1b9

                                  SHA1

                                  dfd75a8835a5553d457f4f702c7fe5785227854f

                                  SHA256

                                  56cff82b9e3ee0ed5e74a3e55115e96fd198598be26492cca7b15d9b9023a238

                                  SHA512

                                  cabeaef6132444dc06e7a53332eb58446f7046069044c44b7a27693866a1d66aad7b3ebb5fe7bb79b780548a75b206528f176f5505c574b1c7ad3bcc6fc628b8

                                • \??\pipe\crashpad_4112_NYAXLCWKDQNWOAFF

                                  MD5

                                  d41d8cd98f00b204e9800998ecf8427e

                                  SHA1

                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                  SHA256

                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                  SHA512

                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                • memory/1732-49-0x000001DC752C0000-0x000001DC752C1000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-48-0x000001DC752C0000-0x000001DC752C1000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-41-0x000001DC751A0000-0x000001DC751A1000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-47-0x000001DC752B0000-0x000001DC752B1000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-46-0x000001DC752B0000-0x000001DC752B1000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-45-0x000001DC75220000-0x000001DC75221000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-43-0x000001DC75220000-0x000001DC75221000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/1732-34-0x000001DC6CEB0000-0x000001DC6CEC0000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/1732-30-0x000001DC6CE70000-0x000001DC6CE80000-memory.dmp

                                  Filesize

                                  64KB

                                • memory/2012-27-0x0000000000620000-0x0000000000676000-memory.dmp

                                  Filesize

                                  344KB

                                • memory/2012-25-0x00007FFA16BD0000-0x00007FFA16DC5000-memory.dmp

                                  Filesize

                                  2.0MB

                                • memory/2012-24-0x0000000000620000-0x0000000000676000-memory.dmp

                                  Filesize

                                  344KB

                                • memory/2324-0-0x00007FFA086A0000-0x00007FFA08812000-memory.dmp

                                  Filesize

                                  1.4MB

                                • memory/2324-11-0x00007FFA086A0000-0x00007FFA08812000-memory.dmp

                                  Filesize

                                  1.4MB

                                • memory/2324-6-0x00007FFA086B8000-0x00007FFA086B9000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/2324-7-0x00007FFA086A0000-0x00007FFA08812000-memory.dmp

                                  Filesize

                                  1.4MB

                                • memory/2324-5-0x00007FFA086A0000-0x00007FFA08812000-memory.dmp

                                  Filesize

                                  1.4MB

                                • memory/4084-29-0x000000007587E000-0x0000000075880000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/4084-22-0x0000000075871000-0x000000007587F000-memory.dmp

                                  Filesize

                                  56KB

                                • memory/4084-18-0x0000000075871000-0x000000007587F000-memory.dmp

                                  Filesize

                                  56KB

                                • memory/4084-17-0x000000007587E000-0x0000000075880000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/4084-15-0x00007FFA16BD0000-0x00007FFA16DC5000-memory.dmp

                                  Filesize

                                  2.0MB