General

  • Target

    UnivMenu_1.16.rar

  • Size

    9.2MB

  • Sample

    240710-sztz4avhrq

  • MD5

    4014aa6bc9b7eebbff04120d7fb5bb81

  • SHA1

    72d5995363532cc1ed941ea171f7c253f3b4d0c1

  • SHA256

    bd2983e3549c1a8a9a065579a17f371c7833ed660575be87ef55a274c2c9f2be

  • SHA512

    f31c456dfab8413c8db19108724f844ae02d3be3a048fe9b744a8a2b012ed56787e44c5f251d340ea1534da3ca9f9c8b34514eab89950afcc11567ad812a870c

  • SSDEEP

    196608:v4iPkx7RA/kGxLyCYGKGfi+dEgn1U1mWbAB7sERdCoohDpMJSn3JKL3:viVRA7LyvGKEiWEmaxA5sERdjo2S3MD

Malware Config

Extracted

Family

lumma

C2

https://extorteauhhwigw.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

https://reinforcedirectorywd.shop/api

Targets

    • Target

      Loader.com

    • Size

      1023.9MB

    • MD5

      b60f959d4def50604d09ca6453f109bd

    • SHA1

      0dbd10233629917c5df6d5ca3fe905a7ad190fbc

    • SHA256

      b5dc54c75d4472de9f71272a54e69ce339fb916cac1ed608d2aa3abf6e2cf1e2

    • SHA512

      859d8fb09ae57c45b656030984ec53e1ee344f7c06792e50093e1d51479dc458b50e7a1f0606211c67a184124bc7c470f650caeb6b2088c3d28155e078f5e6df

    • SSDEEP

      196608:TWFUva025nAxz4hixEofY1INseWRq9Jqf2tlN9xNpN:TWF6UnGMhscRRMjzNHNpN

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks