Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-05-2024 16:22

General

  • Target

    New Setup File/Setup.exe

  • Size

    1.1MB

  • MD5

    c047ae13fc1e25bc494b17ca10aa179e

  • SHA1

    e293c7815c0eb8fbc44d60a3e9b27bd91b44b522

  • SHA256

    6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf

  • SHA512

    0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c

  • SSDEEP

    12288:a9hZPq27B7+x3dPC4gvgdVwTzDxsVyY4YoUwpf5kpRG6xsfJAYo2R0B5YD5sW91A:STS27B7+x3E4tdS/Dxkd4YoDfZ90gLS

Score
10/10

Malware Config

Extracted

Family

lumma

C2

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Setup File\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\New Setup File\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Users\Admin\AppData\Roaming\Quickly_V12\KPKGJESIVQBYL\Setup.exe
      C:\Users\Admin\AppData\Roaming\Quickly_V12\KPKGJESIVQBYL\Setup.exe
      2⤵
      • Executes dropped EXE
      PID:1560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 836
        3⤵
        • Program crash
        PID:4852
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Users\Admin\AppData\Local\Temp\GUF.au3
        C:\Users\Admin\AppData\Local\Temp\GUF.au3
        3⤵
        • Loads dropped DLL
        PID:3624
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1560 -ip 1560
    1⤵
      PID:2524

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GUF.au3

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • C:\Users\Admin\AppData\Local\Temp\a23452b2

      Filesize

      1.9MB

      MD5

      94d8004e93464ddcf94dee8a5bfe166d

      SHA1

      10704a46a2c28e88e727ac5ede79efa31fc8212b

      SHA256

      90123a2f3efb2397f400a76377035043b3e556f459a1c74f74ababb35a0dab9f

      SHA512

      9b042571248e1abf923892b25c5ee062eb8658a1ce3886aab06c1de0d57ac953452f8e38360142a24a28b3e90d3cc86c84bf40abde78dae5a64568bbf204a166

    • C:\Users\Admin\AppData\Roaming\Quickly_V12\KPKGJESIVQBYL\Setup.exe

      Filesize

      111KB

      MD5

      9f262921a7fbd432c3a694a372caf1b9

      SHA1

      dfd75a8835a5553d457f4f702c7fe5785227854f

      SHA256

      56cff82b9e3ee0ed5e74a3e55115e96fd198598be26492cca7b15d9b9023a238

      SHA512

      cabeaef6132444dc06e7a53332eb58446f7046069044c44b7a27693866a1d66aad7b3ebb5fe7bb79b780548a75b206528f176f5505c574b1c7ad3bcc6fc628b8

    • memory/3624-24-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

      Filesize

      2.0MB

    • memory/3624-26-0x0000000000DD0000-0x0000000000E26000-memory.dmp

      Filesize

      344KB

    • memory/4720-15-0x00007FFCB9910000-0x00007FFCB9B05000-memory.dmp

      Filesize

      2.0MB

    • memory/4720-18-0x000000007524E000-0x0000000075250000-memory.dmp

      Filesize

      8KB

    • memory/4720-19-0x0000000075241000-0x000000007524F000-memory.dmp

      Filesize

      56KB

    • memory/4720-22-0x0000000075241000-0x000000007524F000-memory.dmp

      Filesize

      56KB

    • memory/4720-27-0x000000007524E000-0x0000000075250000-memory.dmp

      Filesize

      8KB

    • memory/4908-0-0x00007FFC9B9E0000-0x00007FFC9BB52000-memory.dmp

      Filesize

      1.4MB

    • memory/4908-7-0x00007FFC9B9F8000-0x00007FFC9B9F9000-memory.dmp

      Filesize

      4KB

    • memory/4908-11-0x00007FFC9B9E0000-0x00007FFC9BB52000-memory.dmp

      Filesize

      1.4MB

    • memory/4908-8-0x00007FFC9B9E0000-0x00007FFC9BB52000-memory.dmp

      Filesize

      1.4MB

    • memory/4908-5-0x00007FFC9B9E0000-0x00007FFC9BB52000-memory.dmp

      Filesize

      1.4MB