Analysis

  • max time kernel
    64s
  • max time network
    67s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 23:42

General

  • Target

    Setup.exe

  • Size

    455KB

  • MD5

    c544a0e2e173c94fa9069c73e7af6367

  • SHA1

    1b8040c145d6cb2af6d1d9c1dc6878d51820e53b

  • SHA256

    9d8547266c90cae7e2f5f5a81af27fb6bc6ade56a798b429cdb6588a89cec874

  • SHA512

    f47694025fad1c67b727c9836d3663fa0f251a46e855e78e4c323beac1d82d13632e10d16e06e0d81718953ed6e06ee5e918195268ba988f3e555b432f1784a7

  • SSDEEP

    3072:JrD9fI1D2oKZrGp4Lczp9+fOZveTHdHZ0Cp2Sb0Q0F:U1D2XGp4LczSOle5Zzp2Wg

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://unwielldyzpwo.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api
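The ten C2 URLs above are the actionable part of the extracted configuration. The following is an added example, not part of the sandbox report: it pulls the URLs out of a copy of the report's Malware Config text, defangs them for sharing, builds a hostname blocklist and emits one Suricata DNS-query rule per host. The Suricata rule template and the starting sid are my assumptions (pick a sid from your own local range). The code also reports what the ten URLs have in common, which from the list itself is the .shop TLD and the /api path.

```python
"""Extract, defang and operationalise the C2 URLs from a Lumma sandbox report.

Added example, not part of the sandbox report. REPORT_EXCERPT is copied from the
report's 'Malware Config' block; the Suricata rule template and the starting sid
are my assumptions, not anything the report or Suricata prescribes.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Verbatim copy of the report's extracted configuration.
REPORT_EXCERPT = """\
Family

lumma

C2

https://unwielldyzpwo.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_c2_urls(text: str) -> list[str]:
    """Return the distinct http(s) URLs in first-seen order, trailing punctuation stripped."""
    urls: list[str] = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        if url not in urls:
            urls.append(url)
    return urls


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def defang(url: str) -> str:
    """Make a URL safe to paste into tickets and chat: http(s) -> hxxp(s), dots in the host -> [.]."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower().replace("http", "hxxp", 1)
    host = host_of(url).replace(".", "[.]")
    return f"{scheme}://{host}{parts.path}"


def refang(ioc: str) -> str:
    """Inverse of defang(), for feeding an indicator back into tooling."""
    return ioc.replace("hxxp", "http", 1).replace("[.]", ".")


def shared_shape(urls: list[str]) -> tuple[set[str], set[str]]:
    """TLDs and URL paths common to the whole set: the quickest view of the hunting pivot."""
    tlds = {host_of(u).rsplit(".", 1)[-1] for u in urls}
    paths = {urlsplit(u).path for u in urls}
    return tlds, paths


def build_blocklist(urls: list[str]) -> list[str]:
    """Sorted, de-duplicated hostnames for a DNS RPZ or proxy deny list."""
    return sorted({host_of(u) for u in urls})


def to_suricata_dns_rules(hosts: list[str], base_sid: int = 9_000_000) -> list[str]:
    """One DNS-query alert per host. base_sid is a placeholder; use a sid from your local range."""
    return [
        f'alert dns any any -> any any (msg:"Lumma Stealer C2 domain {h}"; '
        f'dns.query; content:"{h}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, h in enumerate(hosts)
    ]


if __name__ == "__main__":
    urls = extract_c2_urls(REPORT_EXCERPT)
    print(f"{len(urls)} C2 URLs; common (TLDs, paths): {shared_shape(urls)}")
    for u in urls:
        print("  ", defang(u))
    print("\n".join(to_suricata_dns_rules(build_blocklist(urls))))
```

The blocklist is on hostnames rather than full URLs because the /api path is only visible after TLS termination; DNS and proxy controls see the name. Defanging is applied to the host only, so the path stays searchable in case notes.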

Signatures

  • Lumma Stealer

    An infostealer written in C++, first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
          PID:4876
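The tree above, Setup.exe (PID 220) launching more.com (PID 800) from SysWOW64, which in turn launches SearchIndexer.exe (PID 4876), with SetThreadContext, WriteProcessMemory and MapViewOfSection hits on the two parents, is the kind of chain a process-creation rule should catch before any C2 traffic is seen. The following is an added example, not the sandbox's or any vendor's detection logic: three heuristic rules run over constructed Sysmon-style ProcessCreate records built from the PIDs and paths in the report. The parent of PID 220 and the two benign contrast events are invented for the example, and the rules themselves (a more.com launched by a binary in a user-writable path, any child of more.com, and a SearchIndexer.exe whose parent is not services.exe) are my choices, not something the report states.

```python
"""Flag the Setup.exe -> more.com -> SearchIndexer.exe chain in process-creation telemetry.

Added example, not part of the sandbox report. The three flagged events are
built from the report's process list (PIDs 220, 800, 4876); the parent of PID
220 and the two benign events are constructed for contrast. Field names follow
Sysmon Event ID 1 (ProcessCreate) loosely; this is not a Sysmon parser, and the
three rules are heuristics I chose.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


# From the report's process tree (the explorer.exe parent of PID 220 is constructed).
EVENTS = [
    ProcEvent(220, 5012, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
              r"C:\Windows\explorer.exe", r'"C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    ProcEvent(800, 220, r"C:\Windows\SysWOW64\more.com",
              r"C:\Users\Admin\AppData\Local\Temp\Setup.exe", r"C:\Windows\SysWOW64\more.com"),
    ProcEvent(4876, 800, r"C:\Windows\SysWOW64\SearchIndexer.exe",
              r"C:\Windows\SysWOW64\more.com", r"C:\Windows\SysWOW64\SearchIndexer.exe"),
    # Constructed benign events: the real indexer service and an interactive pager.
    ProcEvent(3104, 652, r"C:\Windows\System32\SearchIndexer.exe",
              r"C:\Windows\System32\services.exe", r"C:\Windows\system32\SearchIndexer.exe /Embedding"),
    ProcEvent(4420, 2876, r"C:\Windows\System32\more.com",
              r"C:\Windows\System32\cmd.exe", r"more  setup.log"),
]

# Path fragments that mark a user-writable location (lower-cased for comparison).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def detect(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) pairs for every event that trips a rule."""
    hits: list[tuple[str, int]] = []
    for e in events:
        parent_path, parent, child = e.parent_image.lower(), basename(e.parent_image), basename(e.image)
        # Rule 1: a binary running from a user-writable path launches more.com.
        if child == "more.com" and any(m in parent_path for m in USER_WRITABLE_MARKERS):
            hits.append(("more_com_from_user_writable_parent", e.pid))
        # Rule 2: more.com is a console pager; it has no legitimate reason to spawn children.
        if parent == "more.com":
            hits.append(("child_of_more_com", e.pid))
        # Rule 3: SearchIndexer.exe is normally started by the Windows Search service, i.e. services.exe.
        if child == "searchindexer.exe" and parent != "services.exe":
            hits.append(("searchindexer_unexpected_parent", e.pid))
    return hits


def flagged_pids(events: list[ProcEvent]) -> set[int]:
    return {pid for _, pid in detect(events)}


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Walk parent links back to the root we have telemetry for; returns basenames root-first."""
    by_pid = {e.pid: e for e in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        e = by_pid[pid]
        chain.append(basename(e.image))
        pid = e.ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:38s} pid={pid:<5} chain={' -> '.join(ancestry(EVENTS, pid))}")
```

Rules 2 and 3 both fire on PID 4876 and rule 1 on PID 800, while the service-started SearchIndexer.exe and the cmd.exe-launched pager pass. Matching on basenames rather than full paths is deliberate: the report shows the SysWOW64 copies being used, and a rule pinned to System32 would miss them.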

Downloads

  • C:\Users\Admin\AppData\Local\Temp\49624d85
    Filesize: 1.0MB
    MD5: ae5dbebf5a8ebe14cec80907b9021963
    SHA1: f12f075f74540372f7a644bd57ec9f140fbc424f
    SHA256: 9d609f2557e519c61e49f0626d7ee51955912e08a1485409208cc6f322cb26af
    SHA512: 8738f9fb65a76b069932fdd0188d09e9d27be3c3b34eb55e1835c89e1419492cd75843513ee2d6bb450e163f293d39d06620d5489d34bfc00fa873b139138420

  Memory regions dumped from PIDs 220 (Setup.exe), 800 (more.com) and 4876 (SearchIndexer.exe); dump names are pid-index-start-end:

  • memory/220-0-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp (4.4MB)
  • memory/220-10-0x00007FFA7B4D8000-0x00007FFA7B4D9000-memory.dmp (4KB)
  • memory/220-11-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp (4.4MB)
  • memory/220-12-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp (4.4MB)
  • memory/800-17-0x0000000076BBE000-0x0000000076BC0000-memory.dmp (8KB)
  • memory/800-15-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp (2.0MB)
  • memory/800-16-0x0000000076BB0000-0x0000000076FEC000-memory.dmp (4.2MB)
  • memory/800-18-0x0000000076BB0000-0x0000000076FEC000-memory.dmp (4.2MB)
  • memory/800-20-0x0000000076BB0000-0x0000000076FEC000-memory.dmp (4.2MB)
  • memory/800-25-0x0000000076BBE000-0x0000000076BC0000-memory.dmp (8KB)
  • memory/4876-21-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp (2.0MB)
  • memory/4876-22-0x0000000000830000-0x0000000000897000-memory.dmp (412KB)
  • memory/4876-23-0x00000000001FB000-0x0000000000202000-memory.dmp (28KB)
  • memory/4876-24-0x0000000000830000-0x0000000000897000-memory.dmp (412KB)
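The dump names follow a pid-index-start-end layout, so the region sizes can be recomputed from the addresses and the dumps grouped per process before anything is downloaded. The following added example (not part of the report) does that in Python over the entries copied from the list: it checks every printed size against its address range, shows that the 4.4MB region in PID 220 was dumped three times (indices 0, 11 and 12, i.e. snapshots over the run), and separates the 2.0MB range that sits at the same address in both PID 800 and PID 4876 (read here as a shared system DLL mapping; that interpretation is mine) from the two ranges unique to PID 4876, the 412KB region at 0x830000 and the 28KB region at 0x1FB000, which are the first ones to run strings or YARA over.

```python
"""Parse the report's memory-dump names, recompute region sizes and group them per process.

Added example, not part of the sandbox report. DUMPS and PROCESSES are copied
from the report's Downloads and Processes sections. The dump-name layout
(pid-index-start-end) is read off the names themselves; treating a range that
appears at the same address in two processes as a shared DLL mapping is my
interpretation.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PROCESSES = {220: "Setup.exe", 800: "more.com", 4876: "SearchIndexer.exe"}

# (dump name, size as printed in the report)
DUMPS = [
    ("memory/220-0-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp", "4.4MB"),
    ("memory/220-10-0x00007FFA7B4D8000-0x00007FFA7B4D9000-memory.dmp", "4KB"),
    ("memory/220-11-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp", "4.4MB"),
    ("memory/220-12-0x00007FFA7B4C0000-0x00007FFA7B932000-memory.dmp", "4.4MB"),
    ("memory/800-17-0x0000000076BBE000-0x0000000076BC0000-memory.dmp", "8KB"),
    ("memory/800-15-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp", "2.0MB"),
    ("memory/800-16-0x0000000076BB0000-0x0000000076FEC000-memory.dmp", "4.2MB"),
    ("memory/800-18-0x0000000076BB0000-0x0000000076FEC000-memory.dmp", "4.2MB"),
    ("memory/800-20-0x0000000076BB0000-0x0000000076FEC000-memory.dmp", "4.2MB"),
    ("memory/800-25-0x0000000076BBE000-0x0000000076BC0000-memory.dmp", "8KB"),
    ("memory/4876-21-0x00007FFA7BC90000-0x00007FFA7BE85000-memory.dmp", "2.0MB"),
    ("memory/4876-22-0x0000000000830000-0x0000000000897000-memory.dmp", "412KB"),
    ("memory/4876-23-0x00000000001FB000-0x0000000000202000-memory.dmp", "28KB"),
    ("memory/4876-24-0x0000000000830000-0x0000000000897000-memory.dmp", "412KB"),
]


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int    # dump sequence number; a higher index was taken later in the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def span(self) -> tuple[int, int]:
        return (self.start, self.end)


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Mirror the report's convention: whole KB below 1MB, one-decimal MB at or above."""
    if n < 1 << 20:
        return f"{n >> 10}KB"
    return f"{n / (1 << 20):.1f}MB"


def size_mismatches(dumps: list[tuple[str, str]]) -> list[str]:
    """Names whose address range disagrees with the printed size (sanity check on the export)."""
    return [name for name, printed in dumps if human_size(parse_dump_name(name).size) != printed]


def regions_by_process(dumps: list[tuple[str, str]]) -> dict[int, list[Region]]:
    grouped: dict[int, list[Region]] = defaultdict(list)
    for name, _ in dumps:
        r = parse_dump_name(name)
        grouped[r.pid].append(r)
    return {pid: sorted(rs, key=lambda r: r.idx) for pid, rs in grouped.items()}


def shared_ranges(dumps: list[tuple[str, str]]) -> set[tuple[int, int]]:
    """Ranges dumped from more than one process at the same address: most likely a system DLL."""
    owners: dict[tuple[int, int], set[int]] = defaultdict(set)
    for name, _ in dumps:
        r = parse_dump_name(name)
        owners[r.span].add(r.pid)
    return {span for span, pids in owners.items() if len(pids) > 1}


def unique_ranges(dumps: list[tuple[str, str]], pid: int) -> set[tuple[int, int]]:
    """Ranges seen only in this PID: the first candidates to run strings/YARA over."""
    shared = shared_ranges(dumps)
    return {r.span for r in regions_by_process(dumps).get(pid, []) if r.span not in shared}


def snapshot_counts(dumps: list[tuple[str, str]], pid: int) -> dict[tuple[int, int], int]:
    """How many times each range was dumped for a PID (repeats are snapshots over time)."""
    counts: dict[tuple[int, int], int] = defaultdict(int)
    for r in regions_by_process(dumps).get(pid, []):
        counts[r.span] += 1
    return dict(counts)


if __name__ == "__main__":
    for pid, regions in regions_by_process(DUMPS).items():
        uniq = ", ".join(f"0x{s:X}-0x{e:X} ({human_size(e - s)})" for s, e in sorted(unique_ranges(DUMPS, pid)))
        print(f"PID {pid} ({PROCESSES.get(pid, '?')}): {len(regions)} dumps, "
              f"{len(snapshot_counts(DUMPS, pid))} distinct ranges, unique: {uniq or 'none'}")
    print("size mismatches:", size_mismatches(DUMPS))
```

All fourteen printed sizes agree with their address ranges, so the naming can be trusted when scripting downloads. Note that PID 220 ends up with no unique range only if another process shared its 4.4MB region, which is not the case here; the grouping simply makes it obvious which dumps are repeats of the same region and which are new.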