Analysis

  • max time kernel
    120s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 19:47

General

  • Target

    ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe

  • Size

    5.8MB

  • MD5

    c43099511811f8671ec857d05031d3bc

  • SHA1

    6804ff5dd674c4b923a3130dff991695316d682d

  • SHA256

    06d7c8db750907fb33f1c65212750c1a699dfcb78e2ff65c99e3ab40790b58ac

  • SHA512

    eee426dd85bfde98553e0d439587b948cf5532479de2c43ef2e6ec98c14e623d03903c60e056627f0c9551f9563567178f249f0c580de26f7591513c5efb8073

  • SSDEEP

    98304:bp4ssheeWLUbdF4+qtMSsFISWnNoyF9Vy/Yez+32efVjPCANwlwV34jJuKYVLH7F:bpDshe2b/hqtMSsFILj9ACpfVjPbN2wp

Score
10/10

Malware Config

Extracted

Family

lumma

C2

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
      "C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
        C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            5⤵
            PID:5032

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\53d56564

      Filesize

      1.1MB

    • C:\Users\Admin\AppData\Local\Temp\charr.dbf

      Filesize

      62KB

    • C:\Users\Admin\AppData\Local\Temp\datastate.dll

      Filesize

      75KB

    • C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

      Filesize

      4.0MB

    • C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl

      Filesize

      209KB

    • C:\Users\Admin\AppData\Local\Temp\maddisAsm_.bpl

      Filesize

      61KB

    • C:\Users\Admin\AppData\Local\Temp\madexcept_.bpl

      Filesize

      435KB

    • C:\Users\Admin\AppData\Local\Temp\pdf2bmp.dll

      Filesize

      278KB

    • C:\Users\Admin\AppData\Local\Temp\pdfium.dll

      Filesize

      4.3MB

    • C:\Users\Admin\AppData\Local\Temp\rebbe.pkg

      Filesize

      851KB

    • C:\Users\Admin\AppData\Local\Temp\rtl120.bpl

      Filesize

      1.1MB

    • C:\Users\Admin\AppData\Local\Temp\vcl120.bpl

      Filesize

      1.9MB

    • C:\Users\Admin\AppData\Local\Temp\vclx120.bpl

      Filesize

      220KB

    • memory/4688-120-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

      Filesize

      2.0MB

    • memory/4688-121-0x00000000749C0000-0x00000000749D4000-memory.dmp

      Filesize

      80KB

    • memory/4760-58-0x0000000072CC0000-0x0000000072CD4000-memory.dmp

      Filesize

      80KB

    • memory/4760-80-0x0000000050310000-0x0000000050349000-memory.dmp

      Filesize

      228KB

    • memory/4760-75-0x0000000050000000-0x0000000050116000-memory.dmp

      Filesize

      1.1MB

    • memory/4760-79-0x0000000050120000-0x000000005030D000-memory.dmp

      Filesize

      1.9MB

    • memory/4760-78-0x0000000057800000-0x0000000057812000-memory.dmp

      Filesize

      72KB

    • memory/4760-77-0x0000000057000000-0x000000005703F000-memory.dmp

      Filesize

      252KB

    • memory/4760-76-0x0000000059800000-0x000000005986E000-memory.dmp

      Filesize

      440KB

    • memory/4760-74-0x0000000000400000-0x0000000000845000-memory.dmp

      Filesize

      4.3MB

    • memory/4760-59-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

      Filesize

      2.0MB

    • memory/4964-107-0x00000000749C0000-0x00000000749D4000-memory.dmp

      Filesize

      80KB

    • memory/4964-117-0x0000000050310000-0x0000000050349000-memory.dmp

      Filesize

      228KB

    • memory/4964-111-0x0000000000400000-0x0000000000845000-memory.dmp

      Filesize

      4.3MB

    • memory/4964-116-0x0000000050120000-0x000000005030D000-memory.dmp

      Filesize

      1.9MB

    • memory/4964-114-0x0000000059800000-0x000000005986E000-memory.dmp

      Filesize

      440KB

    • memory/4964-112-0x0000000050000000-0x0000000050116000-memory.dmp

      Filesize

      1.1MB

    • memory/4964-109-0x00000000749C0000-0x00000000749D4000-memory.dmp

      Filesize

      80KB

    • memory/4964-108-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

      Filesize

      2.0MB

    • memory/5032-123-0x00007FFD87230000-0x00007FFD87425000-memory.dmp

      Filesize

      2.0MB

    • memory/5032-124-0x0000000001200000-0x0000000001269000-memory.dmp

      Filesize

      420KB

    • memory/5032-127-0x0000000001200000-0x0000000001269000-memory.dmp

      Filesize

      420KB