Analysis

  • max time kernel
    145s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-07-2024 13:19

General

  • Target

    Setup_Files/Setup.exe

  • Size

    662.5MB

  • MD5

    59839dad3c13480e4f29ad32afdc8fb1

  • SHA1

    2d66cf175875f98784f9be66d832dee8cbad5a69

  • SHA256

    002f5b2aa14a46544ac266bc78a348d71480c474fd00bc01708ce1dcba1291ee

  • SHA512

    3ae89c0f7c0fba2f0b6f6db95abc12ba4f628a3615ae1fb4a8a402dfa7bc875890eb8c708bb68303eb9dde835572cef2ca45cdd93ff20d279525ba9b8514477e

  • SSDEEP

    196608:Dpcugy7TlXNdj+P64+S+rt7hOD6ZJHXg4nhVUGbP4X3bOq2JRuwt:Dpcu7k6FkAZL

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://absentjuks.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup_Files\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup_Files\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\comp.exe
      C:\Windows\SysWOW64\comp.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\624OHNX8HXG7UC98X3MR1NHY.exe
          "C:\Users\Admin\AppData\Local\Temp\624OHNX8HXG7UC98X3MR1NHY.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2228
          • C:\Windows\SysWOW64\more.com
            C:\Windows\SysWOW64\more.com
            5⤵
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\regsvr32.exe
              C:\Windows\SysWOW64\regsvr32.exe
              6⤵
                PID:1244

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\49708f43

      Filesize

      1.1MB

      MD5

      29dee515f896949f1dc956e850cbd39a

      SHA1

      eabef7d2f1974139a095adb800df9595c0a57807

      SHA256

      48ba661aba5fe6491681f563e803accbfe0c9da7425bacd9aa2b35724c73892e

      SHA512

      5e765d800f56bfb0d8c1e2ca0787b7178e5633e8d20fae048dc59e4e15eb6a2cc59e6a2e90313082588d45675e68f52597c821618edf7e1db8ef48ad6d04024c

    • C:\Users\Admin\AppData\Local\Temp\4b26e9e7

      Filesize

      1.1MB

      MD5

      7a7c870fc189b757bf6ca20adb1a6123

      SHA1

      af80548436f8fcbeeeba729f698b7fbdf489e0cc

      SHA256

      f851c9b73bdd184e02336c8420039b0513596a31ea2db7aa2ab24e93ce4f1b31

      SHA512

      1e4f3012f429d0a2f26c2f60e3f7742cfb05dcd46bdc43ca51c061f85e3dc89e80f281c9f669fa53ecacd79ea378197dc5a76cfcc5172b9528b744a9b5b56525

    • C:\Users\Admin\AppData\Local\Temp\5c3885e3

      Filesize

      955KB

      MD5

      e0d9f835bdb67e0e2c96fd66d64d145b

      SHA1

      fdd5fbbd361dcde42df1917d2e8be85e4ff62c19

      SHA256

      77fb8d12be6343177dd32614d0eba28085b39f58769a608c9aa9b8a9e6054b63

      SHA512

      15a9cadc9918965a8de775499e04900d820b9b022a96d8653da662ebc49033fbaa7b1403fccf7568967d4cff4faa00f6996ee5284f4d10d78eca420d48faa58b

    • C:\Users\Admin\AppData\Local\Temp\5e74bb30

      Filesize

      1008KB

      MD5

      f9f8af7cfcbd44d4fa31ec7e3816d71c

      SHA1

      1b4df87c4da9e000fc0e5f44a141b2a2696ab72e

      SHA256

      2af2b79cea23e7f82ff4c6468ed804aef90e1b7e65ff54c0b17953ea1b9eeda3

      SHA512

      ce76cd7cd21a146f02308ee83fa8d9f51812b9d5648d652c5edaf527244fac9e51247b5d44c10fef63b81ec4eaec4074867e400015c6b47734e1ad287d7158e6

    • C:\Users\Admin\AppData\Local\Temp\624OHNX8HXG7UC98X3MR1NHY.exe

      Filesize

      5.8MB

      MD5

      1f31ec7d48dad631f1c3ae57998502b3

      SHA1

      3d1283396a65451a9f6815a9323fe66d90cfe3e7

      SHA256

      7d4ece486621820c25c4f13350c9b5cf7e1b4d54112782f93c629b606df60777

      SHA512

      ff905644efee747e43fd6950e0a05f8f328528d2822216536664581611ea9cb2a524f00e0ef1b42bae9767c5c1441b74000cbfb515c0a4b3252e9caea8cc7aa7

    • memory/1128-19-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/1128-13-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/1128-15-0x00007FF85F890000-0x00007FF85FA85000-memory.dmp (Filesize: 2.0MB)
    • memory/1128-16-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/1128-17-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/1244-47-0x00000000728D0000-0x0000000073B24000-memory.dmp (Filesize: 18.3MB)
    • memory/1244-48-0x00007FF85F890000-0x00007FF85FA85000-memory.dmp (Filesize: 2.0MB)
    • memory/1244-49-0x0000000001240000-0x00000000012A8000-memory.dmp (Filesize: 416KB)
    • memory/1244-52-0x0000000001240000-0x00000000012A8000-memory.dmp (Filesize: 416KB)
    • memory/1632-45-0x0000000074EF0000-0x000000007506B000-memory.dmp (Filesize: 1.5MB)
    • memory/1632-40-0x0000000074EF0000-0x000000007506B000-memory.dmp (Filesize: 1.5MB)
    • memory/1632-39-0x00007FF85F890000-0x00007FF85FA85000-memory.dmp (Filesize: 2.0MB)
    • memory/2228-35-0x00007FF841BA0000-0x00007FF841D12000-memory.dmp (Filesize: 1.4MB)
    • memory/2228-29-0x00007FF7AA370000-0x00007FF7AA949000-memory.dmp (Filesize: 5.8MB)
    • memory/2228-36-0x00007FF841BA0000-0x00007FF841D12000-memory.dmp (Filesize: 1.4MB)
    • memory/2304-20-0x00007FF85F890000-0x00007FF85FA85000-memory.dmp (Filesize: 2.0MB)
    • memory/2304-23-0x0000000000CE0000-0x0000000000D37000-memory.dmp (Filesize: 348KB)
    • memory/2304-27-0x0000000000CE0000-0x0000000000D37000-memory.dmp (Filesize: 348KB)
    • memory/2304-22-0x000000000090B000-0x0000000000912000-memory.dmp (Filesize: 28KB)
    • memory/2304-21-0x0000000000CE0000-0x0000000000D37000-memory.dmp (Filesize: 348KB)
    • memory/5048-0-0x0000000000790000-0x000000000141D000-memory.dmp (Filesize: 12.6MB)
    • memory/5048-10-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/5048-9-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)
    • memory/5048-8-0x0000000073C72000-0x0000000073C74000-memory.dmp (Filesize: 8KB)
    • memory/5048-7-0x00007FF85F890000-0x00007FF85FA85000-memory.dmp (Filesize: 2.0MB)
    • memory/5048-6-0x0000000073C60000-0x0000000073C74000-memory.dmp (Filesize: 80KB)