Analysis

  • max time kernel
    61s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/10/2024, 02:58

General

  • Target

    Setup.exe

  • Size

    782.9MB

  • MD5

    89203f641d704105f31c783558cd7326

  • SHA1

    72f3ee9ffe95ae9a77d95e43bfdb9e0f42be5722

  • SHA256

    fda1c801606fe96db059024e436e971c49adfa4e1c24590e0ab4970628944ca2

  • SHA512

    d9cd00e35cb3a1c7b72d468b9aca8ac505b2dfcf6eef36acd4a5ea702d12a6f9a1da98e3111a75bd5fa785ef235679805f9e04a3fa41fb692e506ef5a5877891

  • SSDEEP

    98304:JPcuuktQEMDcYc9cZcYc9cZcYc9cZcYc9cZcYc9cZcYc9cZcYc9cZcYc9cZcYc94:1PqEMT

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://wickedneatr.sbs

https://invinjurhey.sbs

https://laddyirekyi.sbs

https://exilepolsiy.sbs

https://bemuzzeki.sbs

https://exemplarou.sbs

https://isoplethui.sbs

https://frizzettei.sbs

https://beerishint.sbs

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Configure Configure.bat & Configure.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4640
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\SysWOW64\findstr.exe
            findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2428
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 634333
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3612
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "LegendAssetFriendlyDurham" All
            4⤵
            • System Location Discovery: System Language Discovery
            PID:684
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Cancelled + ..\Journal + ..\Expiration + ..\Korean + ..\Gratis + ..\Apparatus + ..\Concepts H
            4⤵
            • System Location Discovery: System Language Discovery
            PID:696
          • C:\Users\Admin\AppData\Local\Temp\634333\Gotta.pif
            Gotta.pif H
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\SysWOW64\nslookup.exe
              C:\Windows\SysWOW64\nslookup.exe
              5⤵
              • System Location Discovery: System Language Discovery
              PID:5024
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1232
                6⤵
                • Program crash
                PID:1320
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1212
                6⤵
                • Program crash
                PID:764
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:64
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElephantFlow.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraMind Innovations\ElephantFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElephantFlow.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:1664
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Configure.bat
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:916
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Configure Configure.bat & Configure.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2448
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\SysWOW64\findstr.exe
            findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4824
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 634333
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1072
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "LegendAssetFriendlyDurham" All
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1148
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Cancelled + ..\Journal + ..\Expiration + ..\Korean + ..\Gratis + ..\Apparatus + ..\Concepts H
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2968
          • C:\Users\Admin\AppData\Local\Temp\634333\Gotta.pif
            Gotta.pif H
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2932
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5024 -ip 5024
      1⤵
        PID:3028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5024 -ip 5024
        1⤵
          PID:3704
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:372

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\634333\Gotta.pif

            Filesize

            872KB

            MD5

            18ce19b57f43ce0a5af149c96aecc685

            SHA1

            1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

            SHA256

            d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

            SHA512

            a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

          • C:\Users\Admin\AppData\Local\Temp\634333\H

            Filesize

            545KB

            MD5

            4bfc1ff07adc2ecd6e7b308217e5c952

            SHA1

            720ad1678be8df72cd0357f64f48e524d8f70b36

            SHA256

            c93a2d3016f711a074229c7c6f918526203d481e193e88d0821839563acfae3d

            SHA512

            8068160432191a6ea7f897a9ad12723c514d9512e48d317584c5e23960b085950d64bb03d95d49d5dc55c8e799d988c4bf25ca587134baefe63a4600caafb9b2

          • C:\Users\Admin\AppData\Local\Temp\All

            Filesize

            6KB

            MD5

            7923400ed79edef9a790f17496b0f436

            SHA1

            d82930914ba5ba880713b5d91efff4181ff2e6a5

            SHA256

            11b44d0319e9a1c0d469c84d7a7d30206647945c3b2ca5442ec662d550c04f5a

            SHA512

            e3f3adadb8994fab749823f09e06d8e4b50085ac2eab07f0195d0ae80654d736aa7819c4d50ee95b55a2a35989d5addc996afe7823d520e1d18f0865121217fe

          • C:\Users\Admin\AppData\Local\Temp\Apparatus

            Filesize

            99KB

            MD5

            d101c6ab7b838d285d658f68e5a2b468

            SHA1

            b27e8c42d7816108534a4fbdd8b464d56df40525

            SHA256

            70d31a6946db5a890668802ef5ea65ee03cc059482adbc359643cd06063ea34c

            SHA512

            e000c329d2ac3eeca817f68447e72d332191e99b25e43308b1d7c5bb18dcb5c6b40b045201887e423526b1d1d7b6b1043abd1b0f406938f94499dc7dd1ea52a8

          • C:\Users\Admin\AppData\Local\Temp\Cancelled

            Filesize

            84KB

            MD5

            8bfc079d9eee3968b0765a50e0b216d9

            SHA1

            c0beb6f9ff8637b3a6fe0d8b7e3bc9480f26eb17

            SHA256

            10b5e576f76ecb8569be266aa3d3325f61c6d861506b7b5211428d7a0d884d4d

            SHA512

            8e35e9f539f7d693044d83adad9ab8840ac87b81ec6a634853804190e9d4defd1715a8138b0879d6920a6d7f2cd7e5cd12fbd5e41a04a64eb058b2f81dafd1b6

          • C:\Users\Admin\AppData\Local\Temp\Concepts

            Filesize

            22KB

            MD5

            3d045df92241bb275343536b43d7ee9a

            SHA1

            9d8ec1c8a8f738fbecd9e6bdb0cfae7858e1ec54

            SHA256

            c2a9baed3b438019bcc67ee851c162b4f2ab4f0f4faa794c987a4c45e0080a05

            SHA512

            21fddfb1fcad7080f60b041470c582ea60a381b0b14ef4586e9f1b0712a74bddcc71f2a161cc0202dba34c2125a9d949e9954bcb63e19fb46d74cc8b12714f42

          • C:\Users\Admin\AppData\Local\Temp\Configure

            Filesize

            7KB

            MD5

            ba3a52bb1c1306919010e4ad2e9c2d5a

            SHA1

            d283cb0182dd0fa3f082da33172876107dad9a13

            SHA256

            6be4eaf84228d38b614f0cddcd1befe979fb2f7646ed6eba7116be1b8916114c

            SHA512

            15d5920acfa52fa7dca90b6a73b8a075c4e902ee9e5e276e9ace54ed3d1fe2ca8126c84e56ad8cbd13bf5617297c63965b1abfbe139e218e17e43f4461ca2128

          • C:\Users\Admin\AppData\Local\Temp\Expiration

            Filesize

            65KB

            MD5

            46d9433e4c60f38d0cfb5e1957c73ebf

            SHA1

            0967821db25d2765f50757ae2f99cd9683a91a2a

            SHA256

            23ef399092377747c9e6e329edc200afecac9f8ec395e0a4c199fa7d308e2d97

            SHA512

            6ffb447dd1d8fc610a9f925fa5204da30ae617ad52f98dd5b74788abab63ce7c2a5a4ab23e0a472de0e2bdc3558160c4043cdd35d35b72e8dfe273fbe6fe022c

          • C:\Users\Admin\AppData\Local\Temp\Gratis

            Filesize

            89KB

            MD5

            28426a3a3a3020f053fa314fb9ac4abe

            SHA1

            abe237df56b7b33206ab0b6bcd586c0cc8924a00

            SHA256

            8127841f4fbe7862bd709da5be0a88e2a331f5f189cad13652f3fc123c9c4f9b

            SHA512

            4f3adf58da7d6c78b94e5fbc32f44f86c317d4ee71589607a11c3d2b945caf476b70e0fae71b447f324e187da7e223442970a1adb1c2818cc1a70f778a95e781

          • C:\Users\Admin\AppData\Local\Temp\Journal

            Filesize

            87KB

            MD5

            f50a27e688dfe8a350ea971f9d752bb1

            SHA1

            16f8e8b39e01c07db868fd980ace99707a16c79d

            SHA256

            01b737d5d737dcd7d1e14894ed0bd9f93a3f52b2489525339280ea45efec13ed

            SHA512

            6d090551c5890735246743a280e35cee175edefa6bb5c87a8d4426d51b963de61a1bb43bee41aa74b72edf9d81cef13bf6098a4ad9e61ea0fee1c8c4bed8feb9

          • C:\Users\Admin\AppData\Local\Temp\Korean

            Filesize

            99KB

            MD5

            1c884f6a09e12842911bd0eac9a8f0a7

            SHA1

            f65c322b49b34171ca896e0bb61c74f787e6e7a9

            SHA256

            f52df94d20a0c9a8289f04646f1d248464b10d4905609bba42285f52f736047a

            SHA512

            5b9fb685612292e1a829d4561d56f026fa902a7ab1d1fea90ff1aa85e47eadac354861ae2b5ab1ac1979f7c6c2e11d5bb76b0677cfd40a400ceec25f62bf6bf6

          • C:\Users\Admin\AppData\Local\Temp\Pts

            Filesize

            866KB

            MD5

            268a68798e7980500e922521230100b4

            SHA1

            e2186ed69d61236f4b7dfff389e5bcd71b5d6260

            SHA256

            02f4771d6367adbd45a6c6459cb62613be22c17120e6b8406bc8f7a141992fd9

            SHA512

            7407f488d5aa1be17109f2744cc0af289230fa3966679c24b07359c0bf01f58a7ed31edfdc84ed2acbe21058d3be1a78da80d79756ba7fc035470f64c15ad5b5

          • memory/5024-33-0x0000000000640000-0x00000000006A3000-memory.dmp

            Filesize

            396KB

          • memory/5024-34-0x0000000000640000-0x00000000006A3000-memory.dmp

            Filesize

            396KB

          • memory/5024-35-0x0000000000640000-0x00000000006A3000-memory.dmp

            Filesize

            396KB