Resubmissions

10-07-2024 23:37

240710-3mj98syeqb 10

10-07-2024 23:31

240710-3hybaswcqj 10

10-07-2024 23:21

240710-3b5f2awall 10

Analysis

  • max time kernel
    431s
  • max time network
    496s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10-07-2024 23:37

General

  • Target

    !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip

  • Size

    2.7MB

  • MD5

    0bceb88aed8c6bb2f5d20c050af530b3

  • SHA1

    6ec563e2cc84bd115ca4c325f25860d9c7a57149

  • SHA256

    edef6777be8dbb15748bcf1332c0a7e49e5d8b8793ff23ccfb41da2d3ff1c0cc

  • SHA512

    eb3c3d5622684fa4f2d55b8307d6fef898404382a7fc8f2dc350bf6633cb700e5cae778d3315367f88d2b605ebe71a6d691bfd10b9432ce4c164ada9c85842f4

  • SSDEEP

    49152:c6B7KXGRde2dWchGri7yFjqsh+/Kq6AO96P2up7mnEhyha/h8:c6hKmdPWAx7DK+l6Q6EQX

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://bittercoldzzdwu.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api
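The ten C2 URLs above share one shape (a `.shop` domain with an `/api` path) and are the most directly actionable part of the report. The example below is added here and is not part of the sandbox output: it lifts the C2 list out of the report text, reduces it to a hostname blocklist, and scans constructed proxy and DNS log lines against it with exact and subdomain matching. The sample log lines and the function names are assumptions for this example.

```python
"""Turn the report's Lumma C2 list into a domain blocklist and scan log lines against it."""
import re
from urllib.parse import urlsplit

# The C2 block exactly as the report prints it (Malware Config > Extracted > C2).
REPORT_C2_SECTION = """
C2

https://bittercoldzzdwu.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
"""

URL_RE = re.compile(r"https?://\S+", re.I)
# Hostname-looking tokens: at least one "label." followed by an alphabetic TLD, so bare
# IPs, timestamps ("23:38:02.120") and lone words ("shop") are skipped.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def extract_c2(text):
    """Return the C2 URLs in document order, de-duplicated."""
    seen, urls = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def c2_hosts(urls):
    """Lower-cased hostnames to block; the /api path is invisible in DNS logs, so only the host is kept."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_matches(host, blocklist):
    """Exact or subdomain match: 'cdn.answerrsdo.shop' hits 'answerrsdo.shop'. Never matches a bare TLD."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_logs(lines, blocklist):
    """Return (line_index, observed_host, matched_c2) for every log line that touches a C2 domain."""
    hits = []
    for idx, line in enumerate(lines):
        # dict.fromkeys de-duplicates hosts within one line while keeping their order
        for host in dict.fromkeys(m.group(1) for m in HOST_RE.finditer(line)):
            hit = host_matches(host, blocklist)
            if hit:
                hits.append((idx, host, hit))
    return hits


# Constructed sample lines (a Squid-style CONNECT to a C2, a benign CONNECT, two BIND-style
# queries); these are not taken from the report.
SAMPLE_LOGS = [
    "1720654660.101 120 10.0.0.5 TCP_TUNNEL/200 3921 CONNECT bittercoldzzdwu.shop:443 - HIER_DIRECT/203.0.113.10 -",
    "1720654661.540 80 10.0.0.5 TCP_TUNNEL/200 5104 CONNECT www.microsoft.com:443 - HIER_DIRECT/203.0.113.11 -",
    "10-Jul-2024 23:38:02.120 client 10.0.0.5#53211: query: cdn.answerrsdo.shop IN A + (10.0.0.1)",
    "10-Jul-2024 23:38:03.001 client 10.0.0.7#49152: query: shop IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    blocklist = c2_hosts(extract_c2(REPORT_C2_SECTION))
    for idx, host, c2 in scan_logs(SAMPLE_LOGS, blocklist):
        print(f"line {idx}: {host} -> C2 {c2}")
```

Treat the resulting blocklist as a point-in-time indicator: Lumma rotates its domain set, so a host match is high-confidence but short-lived, and the recurring `/api` request shape on the proxy side is worth hunting for separately.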

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
    1⤵
      PID:3216
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4788
      • C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe
        "C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1416
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            3⤵
              PID:2760
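The tree above is the detection-relevant behaviour: the unpacked Setup.exe starts more.com (a console pager that never creates processes on its own), and more.com in turn starts a 32-bit SearchIndexer.exe from SysWOW64, with SetThreadContext and WriteProcessMemory flagged along the way. The example below is added here and is not part of the sandbox output: it encodes those three observations as rules over constructed Sysmon-style process-creation events shaped like the report's tree (Setup.exe's parent is not recorded in the report, so Explorer as its parent is an assumption, as is the benign services.exe/SearchIndexer.exe baseline).

```python
"""Flag the Setup.exe -> more.com -> SearchIndexer.exe chain from process-creation events."""
import ntpath

# Constructed events shaped like Sysmon Event ID 1 (pid, ppid, image). PIDs and images follow the
# report's process tree; Setup.exe's parent is not recorded there, so ppid=3216 (Explorer) is assumed.
EVENTS = [
    {"pid": 3216, "ppid": 1000, "image": r"C:\Windows\Explorer.exe"},
    {"pid": 368, "ppid": 3216,
     "image": r"C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"},
    {"pid": 1416, "ppid": 368, "image": r"C:\Windows\SysWOW64\more.com"},
    {"pid": 2760, "ppid": 1416, "image": r"C:\Windows\SysWOW64\SearchIndexer.exe"},
    # Benign baseline, also constructed: the WSearch service instance started by services.exe.
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\SearchIndexer.exe"},
]

SYSTEM32 = r"c:\windows\system32"
USER_PROFILES = "c:\\users\\"
# Binaries that on a default install run as services under services.exe from System32.
SERVICE_HOSTED = {"searchindexer.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def ancestry(procs, pid, limit=16):
    """Image basenames from the oldest known ancestor down to pid (cycle- and depth-limited)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (rule, pid, ancestry) tuples for every event matching any rule."""
    procs = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        parent = procs.get(e["ppid"])
        parent_image = basename(parent["image"]) if parent else None
        parent_dir = dirname(parent["image"]) if parent else ""

        # more.com is a console pager; any child process is anomalous.
        if parent_image == "more.com":
            alerts.append(("more.com spawned a child process", e["pid"], ancestry(procs, e["pid"])))

        # more.com itself launched by an executable running out of a user profile (the unpacked Setup.exe).
        if image == "more.com" and parent_dir.startswith(USER_PROFILES):
            alerts.append(("more.com launched from user-profile executable", e["pid"], ancestry(procs, e["pid"])))

        # A service-hosted binary started from the wrong directory (SysWOW64) or by the wrong parent.
        if image in SERVICE_HOSTED and (dirname(e["image"]) != SYSTEM32 or parent_image != "services.exe"):
            alerts.append(("service binary outside expected launch context", e["pid"], ancestry(procs, e["pid"])))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"[{rule}] pid={pid} chain={' > '.join(chain)}")
```

The ancestry string is what makes the alert triageable: a hollowed SearchIndexer.exe on its own looks like a system binary, and only the chain back through more.com to a Desktop-resident Setup.exe ties it to the delivered archive.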

Downloads

  • C:\Users\Admin\AppData\Local\Temp\c8d0d645
    Filesize 1.1MB
    MD5 aaf4e828d55d05dfe071afe3381e9bd0
    SHA1 c3e80d9ca0c69b45a5d7983f162de4f200e34515
    SHA256 fbc8b61b5c3963cb9f31f3055813cadd3103d478208e84ad118418924fa9d33b
    SHA512 921f690ce51ac619ffd1c432a558f385493122d23d50c485bb8504f0600cbec3a0f492125bfbb6c66889d88f17f304718ddccf0ce8395450d4dc0782fb019093

  • memory/368-5-0x0000000074502000-0x0000000074504000-memory.dmp
    Filesize 8KB

  • memory/368-6-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/368-0-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/368-7-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/368-1-0x00007FF9E4430000-0x00007FF9E4625000-memory.dmp
    Filesize 2.0MB

  • memory/1416-10-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/1416-12-0x00007FF9E4430000-0x00007FF9E4625000-memory.dmp
    Filesize 2.0MB

  • memory/1416-13-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/1416-16-0x00000000744F0000-0x0000000074504000-memory.dmp
    Filesize 80KB

  • memory/2760-15-0x00007FF9E4430000-0x00007FF9E4625000-memory.dmp
    Filesize 2.0MB

  • memory/2760-17-0x0000000000BA0000-0x0000000000C0B000-memory.dmp
    Filesize 428KB

  • memory/2760-18-0x0000000000BA0000-0x0000000000C0B000-memory.dmp
    Filesize 428KB