Analysis

  • max time kernel
    133s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/10/2024, 13:41

General

  • Target

  • Size

    72.3MB

  • MD5

    3e92a58328c53b6b6e18c11ea7e5ece7

  • SHA1

    287904b6386b1ff67a161454e3b77dea33461017

  • SHA256

    70ecfdcd8667bc24ade095f8c9c0d562be1bf31dc8851977a49773b316d83bfd

  • SHA512

    1b9b7be4843a39b1a86960482d26fab55ae83aaec8ad91101950153039ea73358a7f2558b9910305bbc40de2ebf16192a138dd4845264455a5023c3a46adf5f9

  • SSDEEP

    1572864:ftuz/AgG2Lcnvac+lbxCoSX0HHvtDE9rCtxjJ3YA2GlD43qZVpV:ftELLaF4xCV0nvtD4r4JJoVG63OVpV

Malware Config

Extracted

Family

lumma

C2

https://snailyeductyi.sbs

https://ferrycheatyk.sbs

https://deepymouthi.sbs

https://wrigglesight.sbs

https://captaitwik.sbs

https://sidercotay.sbs

https://heroicmint.sbs

https://monstourtu.sbs
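The eight .sbs domains above are the C2 list embedded in this sample. Lumma operators rotate these domains frequently, so a list taken from one submission ages quickly and is best used together with the dropped-file hashes in this report rather than on its own. As an added example (not part of the sandbox output and not the operator's or vendor's code), the Python below normalises the URLs to hostnames and matches them against DNS and proxy log lines as whole DNS labels, so a subdomain of a C2 host matches but a longer label that merely ends in the same string does not. The log lines are constructed for the example and are not from this run.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the extracted Lumma config of this report.
LUMMA_C2_URLS = [
    "https://snailyeductyi.sbs",
    "https://ferrycheatyk.sbs",
    "https://deepymouthi.sbs",
    "https://wrigglesight.sbs",
    "https://captaitwik.sbs",
    "https://sidercotay.sbs",
    "https://heroicmint.sbs",
    "https://monstourtu.sbs",
]

# Constructed sample log lines (not from the sandbox run): two DNS queries and
# two proxy requests from a hypothetical host. Line 4 is a near-miss that a
# naive substring search would wrongly flag.
SAMPLE_LOG = [
    "2024-10-21T13:42:01Z dns src=10.0.0.25 qname=snailyeductyi.sbs qtype=A",
    "2024-10-21T13:42:02Z proxy src=10.0.0.25 method=POST url=https://ferrycheatyk.sbs/api",
    "2024-10-21T13:42:03Z dns src=10.0.0.25 qname=www.microsoft.com qtype=A",
    "2024-10-21T13:42:04Z proxy src=10.0.0.25 method=GET url=https://notheroicmint.sbs/",
]


def c2_hostnames(urls):
    """Normalise the config's C2 URLs to a set of lowercase hostnames.

    Scheme, port and path are dropped: the client varies the request path,
    so the hostname is the stable part worth matching on.
    """
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def _host_pattern(host):
    # Match the host as whole DNS labels: allow subdomains of it
    # (c2.heroicmint.sbs) but not a longer label that merely ends with it
    # (notheroicmint.sbs), and stop at a port, path or end of field.
    return re.compile(
        r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(host) + r"(?![a-z0-9-])"
    )


def match_log_lines(lines, hosts):
    """Return [(line_number, matched_host)] for lines that reference a C2 host."""
    patterns = {host: _host_pattern(host) for host in sorted(hosts)}
    hits = []
    for number, line in enumerate(lines, start=1):
        low = line.lower()
        for host, pattern in patterns.items():
            if pattern.search(low):
                hits.append((number, host))
    return hits


def scan_sample():
    """Run the matcher over the constructed sample log; lines 1 and 2 hit."""
    return match_log_lines(SAMPLE_LOG, c2_hostnames(LUMMA_C2_URLS))


if __name__ == "__main__":
    for number, host in scan_sample():
        print(f"line {number}: contact with Lumma C2 {host}")
```

Line 4 of the sample (notheroicmint.sbs) is deliberately not reported; the label boundary in the pattern is what keeps a plain substring search from producing that false positive, and the same boundary still catches a subdomain such as c2.heroicmint.sbs.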

Signatures

  • Lumma Stealer, LummaC

    Lumma, also known as LummaC, is an infostealer written in C++ that was first seen in August 2022.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 54 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\-(1885)[email protected]"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4616
  • C:\Users\Admin\Desktop\installer.exe
    "C:\Users\Admin\Desktop\installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Users\Admin\Desktop\installer.exe
      "C:\Users\Admin\Desktop\installer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 248
      2⤵
      • Program crash
      PID:2100
  • C:\Users\Admin\Desktop\installer.exe
    "C:\Users\Admin\Desktop\installer.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\Desktop\installer.exe
      "C:\Users\Admin\Desktop\installer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 216
      2⤵
      • Program crash
      PID:4700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\StopExpand.xht
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:82945 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4236
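The signatures "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" both land on the two top-level installer.exe instances (PIDs 1428 and 1092). Each spawns a second installer.exe with the identical path, each is then the process WerFault is invoked for (-p 1428, -p 1092), and each child keeps running and enumerates processes. That shape, same image, thread context rewritten, memory written into the child, loader gone, child alive, is what process hollowing looks like from a sandbox process tree. The dumped region of PID 4756 at 0x00400000-0x00461000 (the classic 32-bit image base) is where to compare the in-memory image with the 550KB installer.exe on disk. As an added example, not code from the sandbox vendor and not part of this report, the Python below transcribes the process tree above into records and flags that pattern; the record layout and tag names are my own transcription, and treating EnumeratesProcesses as "payload still active" is an assumption for the example.

```python
import re

# Process tree transcribed from the Processes section of this report. Level-1
# entries are shown by the sandbox as roots, so their parent is recorded as
# None. Only the WerFault command lines are kept, since those are parsed.
PROCESSES = [
    {"pid": 4616, "ppid": None, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "tags": {"GetForegroundWindowSpam", "AdjustPrivilegeToken", "FindShellTrayWindow"}},
    {"pid": 1428, "ppid": None, "image": r"C:\Users\Admin\Desktop\installer.exe",
     "tags": {"Executes dropped EXE", "SetThreadContext",
              "System Language Discovery", "WriteProcessMemory"}},
    {"pid": 4756, "ppid": 1428, "image": r"C:\Users\Admin\Desktop\installer.exe",
     "tags": {"Executes dropped EXE", "System Language Discovery", "EnumeratesProcesses"}},
    {"pid": 2100, "ppid": 1428, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 248",
     "tags": {"Program crash"}},
    {"pid": 1092, "ppid": None, "image": r"C:\Users\Admin\Desktop\installer.exe",
     "tags": {"Executes dropped EXE", "SetThreadContext",
              "System Language Discovery", "WriteProcessMemory"}},
    {"pid": 684, "ppid": 1092, "image": r"C:\Users\Admin\Desktop\installer.exe",
     "tags": {"Executes dropped EXE", "System Language Discovery", "EnumeratesProcesses"}},
    {"pid": 4700, "ppid": 1092, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 216",
     "tags": {"Program crash"}},
    {"pid": 2476, "ppid": None, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "tags": {"Modifies Internet Explorer settings", "FindShellTrayWindow",
              "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 4236, "ppid": 2476, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "tags": {"System Language Discovery", "Modifies Internet Explorer settings",
              "SetWindowsHookEx"}},
]

# Both tags must be present on the parent: WriteProcessMemory alone is routine
# for browsers and debuggers (iexplore.exe carries it in this very report).
INJECTION_TAGS = {"SetThreadContext", "WriteProcessMemory"}

# WerFault is launched with "-p <pid>" naming the process that crashed.
WERFAULT_TARGET = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def hollowing_candidates(procs):
    """Return (loader_pid, child_pid) pairs where a process that used both
    SetThreadContext and WriteProcessMemory spawned a child of the same image."""
    by_pid = {p["pid"]: p for p in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        if (child["image"].lower() == parent["image"].lower()
                and INJECTION_TAGS <= parent["tags"]):
            pairs.append((parent["pid"], child["pid"]))
    return pairs


def crashed_pids(procs):
    """Map crashed PID -> WerFault PID, taken from WerFault's '-p <pid>' argument."""
    crashes = {}
    for p in procs:
        m = WERFAULT_TARGET.search(p.get("cmdline", ""))
        if m:
            crashes[int(m.group(1))] = p["pid"]
    return crashes


def triage(procs):
    """Join the two views: for each hollowing candidate, record whether the
    loader crashed and whether the child kept running (assumed from the
    EnumeratesProcesses tag)."""
    by_pid = {p["pid"]: p for p in procs}
    crashes = crashed_pids(procs)
    report = []
    for loader, child in hollowing_candidates(procs):
        report.append({
            "loader": loader,
            "payload": child,
            "loader_crashed": loader in crashes,
            "payload_active": "EnumeratesProcesses" in by_pid[child]["tags"],
        })
    return report


if __name__ == "__main__":
    for row in triage(PROCESSES):
        print(row)
```

Run against the transcribed tree this reports two candidates, 1428 into 4756 and 1092 into 684, and pairs each loader with its WerFault crash; the iexplore.exe pair is not flagged because the parent never used SetThreadContext and the child image path differs. A sandbox signature only records that the APIs were called, not what was written, so confirm by dumping the child's 0x00400000 region and checking whether its PE header still corresponds to the on-disk installer.exe (SHA256 644b45fa0d076c6a9cfe6a966948085aefadc31ed454fee09cf583b41c7e92eb in the Downloads list).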

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          1bfe591a4fe3d91b03cdf26eaacd8f89

          SHA1

          719c37c320f518ac168c86723724891950911cea

          SHA256

          9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

          SHA512

          02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          b909bfd2e03c49d34587e9cdb145c04b

          SHA1

          15db2aad70670817c64517672f68195503395aa4

          SHA256

          827c003c6df276ce196f529c9eec8e8e9432a77d7fbf305bf4610b958ab0cc62

          SHA512

          a89285a7493a5e06117c06b68849e9652e9f1a92c13ff9268c6a718369236637d557ec4f97edf36bb655d155e3f15756834fde9bb4f08b43e135e90b25e9c72e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          338B

          MD5

          068487c83bbcec00a2b1895bdb9e1931

          SHA1

          e8664385e98131dd832442f1cfc4945f22f37439

          SHA256

          af0dd13899a905b11683dcd2a29890b5e31bb4de64a4bce084e897ea0ea9eb7f

          SHA512

          2c743dc95b3744884102124a7e335f9c060cf15dd25bf863c674fc071786543fddd7f119eae75d87ef81d61a12deb9cd8366f700f92df94cf58c14c205745e82

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          32e44ad206b2cf8078239e55b6f3d4a1

          SHA1

          0ab2ea47a607b5a8b6d0ea9287e989ccd81280d2

          SHA256

          07ce8296e3001ae9e3b1d6a3d648d27c44287c16268e9aff605b30884d4e5d92

          SHA512

          c6f4636455d83cac68adfcf4d1cfede25b1cd2b313bf7ebf595abfd3dd264e73e8d268ceeaeedbafd38328432e90f131de0a1ae9af6c68575ec0ea0ec28954e3

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5C63.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8F548OR5.cookie

          Filesize

          545B

          MD5

          6a58837d00ed8892c3ddce09d419a260

          SHA1

          f578a542fa55a0fc638220340617337eb37e6716

          SHA256

          7ce2216dca140d967ee4387a2a4f0ff79fdb8c7458c71d71c009c672264d3463

          SHA512

          19d71661249bf3b15dcf2d78f9745a3bd4efa1cad2171d4140f445ca5ffb4d608b1adf9ed85283f1c199978847056bbf09843238f1565585d97efdb023bdc0e4

        • C:\Users\Admin\Desktop\-Password-1885.txt

          Filesize

          1KB

          MD5

          4455ccee1fd4d896acf27e8d8601ce00

          SHA1

          58fc7e67bc0b69d0b96f5263dd3b46123bb25137

          SHA256

          94d6b7f986fa5a4429c1e91bcd3dd44de9903dd330117a1c89a2ab2d57f7749c

          SHA512

          dd70bf8003ba2b5c1ca48c5662204ebb80e4e829e095e05a251f142159acdf37cbaee0ecb840ce9c4c7805e77f5af6c5c981836e543add185d658109c0039518

        • C:\Users\Admin\Desktop\installer.exe

          Filesize

          550KB

          MD5

          baa49579fe5b7ca9c12de5dfd4a23f39

          SHA1

          c7476ceb3d586e93e2fdee7d29226923b80fa642

          SHA256

          644b45fa0d076c6a9cfe6a966948085aefadc31ed454fee09cf583b41c7e92eb

          SHA512

          473e02dded86b15dfed5d7cd6b82188ff6610a246143cb911f03b244961e1dd6a4faf19ac4062d2d66941d94bc7d2ef77196e51959b424d8217f3a22d8486c04

        • memory/1428-12-0x0000000000F20000-0x0000000000F22000-memory.dmp

          Filesize

          8KB

        • memory/4756-17-0x0000000000EA0000-0x0000000000F2D000-memory.dmp

          Filesize

          564KB

        • memory/4756-16-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

        • memory/4756-13-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB