Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/08/2024, 09:25 UTC

General

  • Target

    ✪OPEN✵FILE✪✓/Setup.exe

  • Size

    1.3MB

  • MD5

    58717509c1521eacfcc7cda39e6bd45c

  • SHA1

    5102dc3a82e8a2710ac67521f85f43f5296b5045

  • SHA256

    d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

  • SHA512

    c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

  • SSDEEP

    24576:NpzWZ5CkBgB9IxAr7BptfYfG1inqCi2BZbqvWmAUlddWdBMTvNisj273HY:85CkyBbr7vbgHi2HAYwT1H274

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://glisteniingwiw.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\✪OPEN✵FILE✪✓\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\✪OPEN✵FILE✪✓\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\Ggw\QEMDMJYZOURYLRSMY\StrCmp.exe
      C:\Users\Admin\AppData\Roaming\Ggw\QEMDMJYZOURYLRSMY\StrCmp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2428
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2920

Network

  • flag-us
    DNS
    glisteniingwiw.shop
    SearchIndexer.exe
    Remote address:
    8.8.8.8:53
    Request
    glisteniingwiw.shop
    IN A
    Response
    glisteniingwiw.shop
    IN A
    188.114.97.0
    glisteniingwiw.shop
    IN A
    188.114.96.0
  • flag-us
    POST
    https://glisteniingwiw.shop/api
    SearchIndexer.exe
    Remote address:
    188.114.97.0:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: glisteniingwiw.shop
    Response
    HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2024 09:25:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=k4shottcl0pljg1g0kocin6q6n; expires=Mon, 23-Dec-2024 03:12:32 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DDWKeMVHZz1xjQvaUri7FvlSCODjJy0ORVy522ZNr9lFzhswaId%2FnoEpXduC5h%2FpDb0agSv1T1lhFhVYk0Dp30pF7SvZNzmfqFrLG3EeMVkN9hFIkEDmj9FlGarTU0vH%2Fk4ZlaKK"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bab7f0ebe419498-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    locatedblsoqp.shop
    SearchIndexer.exe
    Remote address:
    8.8.8.8:53
    Request
    locatedblsoqp.shop
    IN A
    Response
    locatedblsoqp.shop
    IN A
    188.114.97.0
    locatedblsoqp.shop
    IN A
    188.114.96.0
  • flag-us
    POST
    https://locatedblsoqp.shop/api
    SearchIndexer.exe
    Remote address:
    188.114.97.0:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: locatedblsoqp.shop
    Response
    HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2024 09:25:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=gqvfdcjonhufu25u0requsj57m; expires=Mon, 23-Dec-2024 03:12:32 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iZMe8G9F6Yu4rz6t779%2B7h0C674IKTXprs9T6SmmW4uL6nZI4lT7Ra6y1i9XsD3GIxYpI%2FoF90hIub7ep4nHLt7EUXaR91Xwz%2BUjJ783rtC6KD9V5TR4fVPMXKCfh6uV4DjfAqs%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bab7f11fbea732a-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    traineiwnqo.shop
    SearchIndexer.exe
    Remote address:
    8.8.8.8:53
    Request
    traineiwnqo.shop
    IN A
    Response
    traineiwnqo.shop
    IN A
    188.114.97.0
    traineiwnqo.shop
    IN A
    188.114.96.0
  • flag-us
    POST
    https://traineiwnqo.shop/api
    SearchIndexer.exe
    Remote address:
    188.114.97.0:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: traineiwnqo.shop
    Response
    HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2024 09:25:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vq%2BIqX2qDYX4D648w%2BZQQa86MVAxdphKnkWLhLdOZhkEvCNfKwE%2FOSzHMcHwQhhPmxawev6dA33fYEltlgKhWh6bQ4GY0LJ0xY8VxqgosrK4ZlWGncFPMeWaZ4UMRHYkm4Kp"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bab7f152aaf7773-LHR
  • flag-us
    POST
    https://traineiwnqo.shop/api
    SearchIndexer.exe
    Remote address:
    188.114.97.0:443
    Request
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=OZl.57.IANMuXXLfsyBjnWzKj4yxI4V7KyNIqEuzTDg-1724923554-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 80
    Host: traineiwnqo.shop
    Response
    HTTP/1.1 200 OK
    Date: Thu, 29 Aug 2024 09:25:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=24gnj9bbnb8k2ion9qf79868aa; expires=Mon, 23-Dec-2024 03:12:33 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FaQlmqDGRMIND40liHkmc3XJQKzzHB9ENbGprNUnBo%2BtuDz5oS1RnE942ZXpX754zwhu75O%2FAL30xV6mHtY5CL0dm7F6Wv9npIz7vdVk0Hp%2FccbdI8mGXsX%2FXGqdMvH0Obdz"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bab7f17cdaa7773-LHR
    alt-svc: h3=":443"; ma=86400
  • 188.114.97.0:443
    https://glisteniingwiw.shop/api
    tls, http
    SearchIndexer.exe
    983 B
    4.1kB
    9
    8

    HTTP Request

    POST https://glisteniingwiw.shop/api

    HTTP Response

    200
  • 188.114.97.0:443
    https://locatedblsoqp.shop/api
    tls, http
    SearchIndexer.exe
    982 B
    4.1kB
    9
    9

    HTTP Request

    POST https://locatedblsoqp.shop/api

    HTTP Response

    200
  • 188.114.97.0:443
    https://traineiwnqo.shop/api
    tls, http
    SearchIndexer.exe
    1.7kB
    9.6kB
    14
    17

    HTTP Request

    POST https://traineiwnqo.shop/api

    HTTP Response

    200

    HTTP Request

    POST https://traineiwnqo.shop/api

    HTTP Response

    200
  • 8.8.8.8:53
    glisteniingwiw.shop
    dns
    SearchIndexer.exe
    65 B
    97 B
    1
    1

    DNS Request

    glisteniingwiw.shop

    DNS Response

    188.114.97.0
    188.114.96.0

  • 8.8.8.8:53
    locatedblsoqp.shop
    dns
    SearchIndexer.exe
    64 B
    96 B
    1
    1

    DNS Request

    locatedblsoqp.shop

    DNS Response

    188.114.97.0
    188.114.96.0

  • 8.8.8.8:53
    traineiwnqo.shop
    dns
    SearchIndexer.exe
    62 B
    94 B
    1
    1

    DNS Request

    traineiwnqo.shop

    DNS Response

    188.114.97.0
    188.114.96.0

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\982a7c8c

    Filesize

    1.1MB

    MD5

    a80d02b17d33b43956959a540511c9d8

    SHA1

    a55540b909a24080dc07b77e8a505014bd04ca1d

    SHA256

    6442d06a4b18f79e5b4d99332f7503a451927deaa81c5d35d537c736cac7ba96

    SHA512

    09280c803a40b2ed10c8a8757c0114c23e16f521d31a5cc1832519d0e54f454b6c51ce91531177b721449e1a156c23ebb3c6fa303761f259f35fa763c176a5d4

  • \Users\Admin\AppData\Roaming\Ggw\QEMDMJYZOURYLRSMY\StrCmp.exe

    Filesize

    47KB

    MD5

    916d7425a559aaa77f640710a65f9182

    SHA1

    23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

    SHA256

    118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

    SHA512

    d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

  • memory/2216-29-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2216-38-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2216-33-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2216-34-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2216-31-0x0000000076D80000-0x0000000076F29000-memory.dmp

    Filesize

    1.7MB

  • memory/2384-10-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-11-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-26-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

  • memory/2384-28-0x0000000050310000-0x0000000050349000-memory.dmp

    Filesize

    228KB

  • memory/2384-27-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

  • memory/2384-22-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-0-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-25-0x0000000000400000-0x0000000000585000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-7-0x0000000073EB3000-0x0000000073EB4000-memory.dmp

    Filesize

    4KB

  • memory/2384-9-0x0000000073EA0000-0x0000000074014000-memory.dmp

    Filesize

    1.5MB

  • memory/2384-1-0x0000000076D80000-0x0000000076F29000-memory.dmp

    Filesize

    1.7MB

  • memory/2920-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2920-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2920-39-0x0000000076D80000-0x0000000076F29000-memory.dmp

    Filesize

    1.7MB

  • memory/2920-40-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB
