Resubmissions

10-07-2024 23:37

240710-3mj98syeqb 10

10-07-2024 23:31

240710-3hybaswcqj 10

10-07-2024 23:21

240710-3b5f2awall 10

Analysis

  • max time kernel
    418s
  • max time network
    454s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-es
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    10-07-2024 23:31

General

  • Target

    !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

  • Size

    2.7MB

  • MD5

    0bceb88aed8c6bb2f5d20c050af530b3

  • SHA1

    6ec563e2cc84bd115ca4c325f25860d9c7a57149

  • SHA256

    edef6777be8dbb15748bcf1332c0a7e49e5d8b8793ff23ccfb41da2d3ff1c0cc

  • SHA512

    eb3c3d5622684fa4f2d55b8307d6fef898404382a7fc8f2dc350bf6633cb700e5cae778d3315367f88d2b605ebe71a6d691bfd10b9432ce4c164ada9c85842f4

  • SSDEEP

    49152:c6B7KXGRde2dWchGri7yFjqsh+/Kq6AO96P2up7mnEhyha/h8:c6hKmdPWAx7DK+l6Q6EQX

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://bittercoldzzdwu.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api
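The ten C2 URLs above are the network-level indicator for this sample. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it reduces the URLs to hostnames and runs an exact-host-or-subdomain match over log lines. The URLs are copied from the list above; every log line in SAMPLE_LOGS is constructed for illustration and does not come from the analysed sample. Matching on label suffixes rather than substrings is deliberate: a plain substring test would also fire on a look-alike such as notbittercoldzzdwu.shop, which the code treats as a non-match.

```python
"""
Matcher for the Lumma C2 hosts extracted above, run over constructed log lines.

Added example; it is not part of the sandbox report or of any vendor tooling.
The ten URLs are copied from the report's C2 list; every log line below is
constructed for illustration and does not come from the analysed sample.
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration.
LUMMA_C2 = [
    "https://bittercoldzzdwu.shop/api",
    "https://bouncedgowp.shop/api",
    "https://bannngwko.shop/api",
    "https://bargainnykwo.shop/api",
    "https://affecthorsedpo.shop/api",
    "https://radiationnopp.shop/api",
    "https://answerrsdo.shop/api",
    "https://publicitttyps.shop/api",
    "https://benchillppwo.shop/api",
    "https://reinforcedirectorywd.shop/api",
]

# Anything that looks like a DNS name: dotted labels ending in an alpha TLD.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def c2_hosts(urls=LUMMA_C2):
    """Lower-cased hostnames from the C2 URLs (the DNS/proxy-level IOC)."""
    return {urlparse(u).hostname.lower() for u in urls}


def match_host(name, hosts):
    """Return the C2 host that `name` equals or is a subdomain of, else None.

    Walking the label suffixes (cdn.x.shop -> x.shop) catches subdomains
    without the false positives a plain substring test would give for
    look-alike names such as notx.shop. The bare TLD is never checked.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan(lines, urls=LUMMA_C2):
    """Return (line_number, c2_host) for every line referencing a C2 host."""
    hosts = c2_hosts(urls)
    hits = []
    for number, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            hit = match_host(token, hosts)
            if hit:
                hits.append((number, hit))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample lines in a few common shapes: DNS client log, a Zeek
# dns.log-style record, a proxy access log, benign traffic and a look-alike.
SAMPLE_LOGS = [
    "2024-07-10T23:32:01Z query A bittercoldzzdwu.shop client 10.0.0.15",
    "1720654322.12 CAbc 10.0.0.15 52311 10.0.0.53 53 udp 1 bouncedgowp.shop 1 C_INTERNET 1 A",
    '10.0.0.15 - - [10/Jul/2024:23:32:05 +0000] "POST https://radiationnopp.shop/api HTTP/1.1" 200 512',
    "2024-07-10T23:32:09Z query A www.microsoft.com client 10.0.0.15",
    "2024-07-10T23:32:10Z query A notbittercoldzzdwu.shop client 10.0.0.15",
    "2024-07-10T23:32:12Z query A cdn.bannngwko.shop client 10.0.0.15",
]

if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOGS):
        print(f"line {number}: C2 host {host}")
```

Run as a script it reports four hits (lines 1, 2, 3 and 6) and stays silent on the Microsoft lookup and the look-alike name. Feeding it a real DNS or proxy export is a matter of replacing SAMPLE_LOGS with the file's lines; the `/api` path is dropped on purpose, since DNS logs never see it and the operators can change it without changing the domain.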

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
    1⤵
    PID:4596

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3724

  • C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe
    "C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4352
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3284
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            3⤵
            PID:2548
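The chain Setup.exe (PID 4352) → more.com (PID 3284) → SearchIndexer.exe (PID 2548), together with the SetThreadContext / WriteProcessMemory / MapViewOfSection signatures on the first two, is the injection pattern worth detecting from process-creation telemetry alone. The following Python is an added example, not part of the sandbox report: it encodes the parent/child rules a practitioner would write for this tree and runs them over constructed Sysmon Event ID 1-style records. The three injected-chain events reuse the report's PIDs and image paths; Explorer.exe as Setup.exe's parent, userinit.exe as Explorer's, and the two benign control events are assumptions made for the illustration.

```python
"""
Detection logic for the process chain in the report:
Setup.exe (user-writable path) -> more.com -> SearchIndexer.exe.

Added example; not part of the sandbox report. Events are constructed
Sysmon Event ID 1-style records modelled on the tree above; PIDs are the
report's, parent images for the roots are assumed for the illustration.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process


# more.com is a console pager; it has no legitimate reason to create a child.
PAGER_LIKE = {"more.com"}
# The Windows Search service starts the 64-bit indexer from System32 under
# services.exe; a copy from SysWOW64 with any other parent is not that service.
INDEXER = "searchindexer.exe"
EXPECTED_INDEXER_PARENT = "services.exe"
USER_WRITABLE_PREFIXES = ("c:\\users\\",)


def basename(path):
    return ntpath.basename(path).lower()


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def evaluate(event):
    """Return (rule, detail) findings for one process-creation event."""
    findings = []
    img, parent = basename(event.image), basename(event.parent_image)
    if img in PAGER_LIKE and is_user_writable(event.parent_image):
        findings.append(("pager_spawned_from_user_path", event.parent_image))
    if parent in PAGER_LIKE:
        findings.append(("pager_spawned_child", event.image))
    if img == INDEXER and parent != EXPECTED_INDEXER_PARENT:
        findings.append(("indexer_unexpected_parent", event.parent_image))
    if img == INDEXER and "\\syswow64\\" in event.image.lower():
        findings.append(("indexer_wow64_image", event.image))
    return findings


def analyze(events):
    """Map pid -> findings for every event that triggered at least one rule."""
    result = {}
    for event in events:
        findings = evaluate(event)
        if findings:
            result[event.pid] = findings
    return result


def ancestry(pid, events):
    """Image basenames from `pid` up to the first parent not in `events`."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


SETUP = (r"C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~"
         r"\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe")

# Constructed events. The injected chain uses the report's PIDs and images;
# Explorer as Setup.exe's parent, userinit as Explorer's parent, and the two
# benign control events are assumptions for the illustration.
SAMPLE_EVENTS = [
    ProcEvent(4596, 1000, r"C:\Windows\Explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(4352, 4596, SETUP, r"C:\Windows\Explorer.exe"),
    ProcEvent(3284, 4352, r"C:\Windows\SysWOW64\more.com", SETUP),
    ProcEvent(2548, 3284, r"C:\Windows\SysWOW64\SearchIndexer.exe", r"C:\Windows\SysWOW64\more.com"),
    # benign: the real indexer started by the service control manager
    ProcEvent(1234, 700, r"C:\Windows\System32\SearchIndexer.exe", r"C:\Windows\System32\services.exe"),
    # benign: more.com used as a pager from an interactive shell
    ProcEvent(5000, 4000, r"C:\Windows\System32\more.com", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(ancestry(pid, SAMPLE_EVENTS)), findings)
```

The rules key only on parent/child relationships and image paths, which every EDR and Sysmon deployment records, so they do not depend on the sandbox's API-level signatures. Run as a script it flags PID 3284 (more.com started from a path under C:\Users) and PID 2548 (SearchIndexer.exe with a pager as parent, a parent other than services.exe, and a SysWOW64 image), and leaves the two benign events alone.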

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\21895147

    Filesize

    1.1MB

    MD5

    06e5d82d606ca173573c88546118bb66

    SHA1

    050ab740c6461e24c58d32b7368dbaecfd751a5a

    SHA256

    2aa98fcdd9104ac8747f6cbb6f85d6baad14ae7231d8b22d444dfa0ccfbe00fd

    SHA512

    1070c17cccbf4f437583e3f0fcf7a5cb53ac8803d3b60cd1d52099b13c2d86bde91bd9a019415f32ce077580e6355ca25d0bd26200e1d7da4e4af17671d7ad5c

  • memory/2548-15-0x00007FFD19290000-0x00007FFD19485000-memory.dmp

    Filesize

    2.0MB

  • memory/2548-17-0x0000000000590000-0x00000000005FB000-memory.dmp

    Filesize

    428KB

  • memory/2548-18-0x0000000000590000-0x00000000005FB000-memory.dmp

    Filesize

    428KB

  • memory/3284-10-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB

  • memory/3284-12-0x00007FFD19290000-0x00007FFD19485000-memory.dmp

    Filesize

    2.0MB

  • memory/3284-13-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB

  • memory/3284-16-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB

  • memory/4352-5-0x00000000742E2000-0x00000000742E4000-memory.dmp

    Filesize

    8KB

  • memory/4352-6-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB

  • memory/4352-7-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB

  • memory/4352-1-0x00007FFD19290000-0x00007FFD19485000-memory.dmp

    Filesize

    2.0MB

  • memory/4352-0-0x00000000742D0000-0x00000000742E4000-memory.dmp

    Filesize

    80KB