Analysis

  • max time kernel
    97s
  • max time network
    154s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64 · arch:x86 · image:win10ltsc2021-20241023-en · locale:en-us · os:windows10-ltsc 2021-x64 · system
  • submitted
    07/11/2024, 22:33

General

  • Target

    ✱SatUp/Setup.exe

  • Size

    8.3MB

  • MD5

    b43b96e4483dce09976dc250f87ecf1a

  • SHA1

    4290076db1e87a46b73e8391186025f1f5b492bb

  • SHA256

    5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12

  • SHA512

    383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438

  • SSDEEP

    98304:U6oBO2RLry08u6KAynv/zT4AMfIrHtFF3jB7WGoITkTYwcEfcknywf7UUz8gEhf/:ZWpRMu6KBv/H4AHdjB7WGef7HfoWBu

Malware Config

Extracted

Family

lumma

C2

https://worddosofrm.shop/api

https://mutterissuen.shop/api

https://standartedby.shop/api

https://nightybinybz.shop/api

https://conceszustyb.shop/api

https://bakedstusteeb.shop/api

https://respectabosiz.shop/api

https://moutheventushz.shop/api
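The eight C2 URLs above are the actionable network indicators on this page. The following is an added example (not code from the sandbox, from Lumma, or from this report) that reduces those URLs to hostnames and scans DNS-client style log lines for lookups of them, matching subdomains as well as exact names. The log lines and their `QueryName=` field layout are constructed for the demonstration; adapt the regex to whatever your DNS or proxy logs actually emit.

```python
"""Build a hostname blocklist from the Lumma C2 URLs in this report and scan
DNS log lines for lookups of those hosts (exact match or subdomain).

Added example: the C2 list is copied from the report's Malware Config section;
the log lines and the QueryName= field format are constructed assumptions."""
import re
from urllib.parse import urlsplit

# C2 URLs exactly as listed under "Malware Config > C2" on this page.
LUMMA_C2_URLS = [
    "https://worddosofrm.shop/api",
    "https://mutterissuen.shop/api",
    "https://standartedby.shop/api",
    "https://nightybinybz.shop/api",
    "https://conceszustyb.shop/api",
    "https://bakedstusteeb.shop/api",
    "https://respectabosiz.shop/api",
    "https://moutheventushz.shop/api",
]


def c2_hostnames(urls):
    """Reduce each URL to a lowercase hostname with no trailing dot."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


# Assumed log layout: a "QueryName=<fqdn>" (or "query: <fqdn>") field per line.
_QNAME = re.compile(r"(?:QueryName|query)[=:]\s*([A-Za-z0-9.\-]+)", re.I)


def extract_qname(line):
    """Pull the queried name out of a log line, normalised like the blocklist."""
    m = _QNAME.search(line)
    return m.group(1).lower().rstrip(".") if m else None


def matches_blocklist(qname, hosts):
    """True if qname is a blocklisted host or a subdomain of one."""
    if qname is None:
        return False
    return any(qname == h or qname.endswith("." + h) for h in hosts)


def scan_log(lines, hosts):
    """Return (line_number, qname) for every line whose lookup hits the list."""
    hits = []
    for n, line in enumerate(lines, 1):
        q = extract_qname(line)
        if matches_blocklist(q, hosts):
            hits.append((n, q))
    return hits


# Constructed sample log lines (not from the report). Line 2 uses the UC Browser
# stats host seen in the stats_uploader.exe command line; it is not a C2 and
# must not match. Line 3 mixes case and carries a trailing dot on purpose.
SAMPLE_LOG = [
    "2024-11-07 22:34:01 host=WS01 pid=5120 QueryName=worddosofrm.shop QueryStatus=0",
    "2024-11-07 22:34:01 host=WS01 pid=5120 QueryName=i18nmmstat.ucweb.com QueryStatus=0",
    "2024-11-07 22:34:02 host=WS01 pid=5120 QueryName=cdn.Respectabosiz.shop. QueryStatus=0",
    "2024-11-07 22:34:03 host=WS01 pid=1204 QueryName=login.microsoftonline.com QueryStatus=0",
]

if __name__ == "__main__":
    hosts = c2_hostnames(LUMMA_C2_URLS)
    for n, q in scan_log(SAMPLE_LOG, hosts):
        print(f"line {n}: lookup of Lumma C2 host {q}")
```

Matching on the hostname rather than the full `/api` URL is deliberate: DNS and most proxy logs never see the path, and the same `/api` suffix recurs across Lumma C2 sets, so it adds nothing as a discriminator.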

Signatures

  • Lumma Stealer, LummaC

    Lumma (also tracked as LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile contents.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\✱SatUp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\✱SatUp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe
      C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe
      2⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
        "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAgTMHWj8XflhgiBXu+sD7Y2DSxfnJxZRIwwXe8BgEbXXHaskCLsR6LDL2G9Y7HZJIp2sM/ozfR2GCdTOq3ch6W4eNMNiTCZGno0o2FSCOhL5jl6FVMZt/wlVKe6tU2R5vBZYsuUPMxJP3bT2MMnIoSaR+PFfkMkmhlOHjl8UzFpgFeiHxHiX1YaSn968/tA7ppkwgGu/jV8Bai6rDDST0KMjD7hAYNI6ROl9v5W67X1m8h7yuKq13sc/uko7MuQnIXvPEXxbv3m5igrl
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:100
      • C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
        "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnvML2Z3XetnGyA5vfkDMbGtS3vrShxXX7UcPJITF/npPKpsGtkYAkZwlQM6qTv8cUv8E7gkLJjTlIVPj5wgVXXRNbPEziPxiHp/oxUBNRziLBPxNi459BG3fcK39mSUpd9Zn91NYGg8x7uP0xmeipkXqKcquY8UqGyH/H+gw7AGp+bvsCDXiLu6mJTDkYluW8s838PJgNwxByrFIm/Da8wYBMhnIM+xdJRnJkr07dfFsB99wEroauF6926wTqDSaTGccXiztXnNC5B0JvaoFTPLpxwZIqeHyYGBafKlnK8=
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2256
    • C:\Windows\SysWOW64\choice.exe
      C:\Windows\SysWOW64\choice.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3824
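The tree above has two distinct branches: the dropped UC Browser installer and its stats uploaders under AppData, and Setup.exe (PID 3672, flagged for SetThreadContext, WriteProcessMemory and MapViewOfSection) spawning choice.exe from SysWOW64, which then spawns SearchIndexer.exe. Parent-to-child chains where a binary in a user-writable path shows those primitives and launches a Windows system executable are the usual footprint of code injection into a freshly created process. Below is an added example (not code from the sandbox or from Lumma) that transcribes the tree into records and walks it to surface such chains and the dropped executables; the record layout, the shortened signature names and the scoring rules are assumptions made for this demonstration.

```python
"""Walk a sandbox process tree and flag (a) chains where a process from a
user-writable path with injection primitives spawns a Windows system binary,
following further system-binary children that also show WriteProcessMemory,
and (b) dropped executables running from user-writable paths.

Added example. PROCESSES is transcribed from this report's Processes section;
the signature names are shortened to the API named in each report line, and
the record format and the chain rules are assumptions for the demonstration."""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
INJECT_SIGS = {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}

PROCESSES = [
    {"pid": 3672, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\✱SatUp\Setup.exe",
     "sigs": {"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection",
              "SetWindowsHookEx", "WriteProcessMemory"}},
    {"pid": 4012, "ppid": 3672,
     "image": r"C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe",
     "sigs": {"EnumeratesDrives", "ExecutesDroppedExe", "WriteProcessMemory"}},
    {"pid": 100, "ppid": 4012,
     "image": r"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe",
     "sigs": {"ExecutesDroppedExe"}},
    {"pid": 2256, "ppid": 4012,
     "image": r"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe",
     "sigs": {"ExecutesDroppedExe"}},
    {"pid": 3792, "ppid": 3672,
     "image": r"C:\Windows\SysWOW64\choice.exe",
     "sigs": {"EnumeratesProcesses", "MapViewOfSection", "WriteProcessMemory"}},
    {"pid": 3824, "ppid": 3792,
     "image": r"C:\Windows\SysWOW64\SearchIndexer.exe",
     "sigs": set()},
]


def is_system_binary(image):
    return image.lower().startswith(SYSTEM_DIRS)


def is_user_writable(image):
    return any(part in image.lower() for part in USER_WRITABLE)


def children(procs, pid):
    return [p for p in procs if p["ppid"] == pid]


def injection_chains(procs):
    """Return chains as lists of (pid, image), starting at a user-writable-path
    process that shows an injection primitive and spawns a system binary."""
    chains = []
    for p in procs:
        if not is_user_writable(p["image"]) or not (p["sigs"] & INJECT_SIGS):
            continue
        for child in children(procs, p["pid"]):
            if not is_system_binary(child["image"]):
                continue
            chain = [(p["pid"], p["image"]), (child["pid"], child["image"])]
            cur = child
            # Keep following while the current hop itself writes into a child
            # that is again a system binary (choice.exe -> SearchIndexer.exe here).
            while "WriteProcessMemory" in cur["sigs"]:
                nxt = [c for c in children(procs, cur["pid"]) if is_system_binary(c["image"])]
                if not nxt:
                    break
                cur = nxt[0]
                chain.append((cur["pid"], cur["image"]))
            chains.append(chain)
    return chains


def dropped_executables(procs):
    """PIDs carrying 'Executes dropped EXE' whose image sits in a user-writable path."""
    return sorted(p["pid"] for p in procs
                  if "ExecutesDroppedExe" in p["sigs"] and is_user_writable(p["image"]))


if __name__ == "__main__":
    for chain in injection_chains(PROCESSES):
        print(" -> ".join(f"{pid} {img.rsplit(chr(92), 1)[-1]}" for pid, img in chain))
    print("dropped executables:", dropped_executables(PROCESSES))
```

The UC Browser branch (4012 and its two stats_uploader.exe children) carries WriteProcessMemory too, but it never spawns a system binary, so it is reported only as dropped executables rather than as an injection chain; that separation is what lets a triage rule rank the choice.exe and SearchIndexer.exe hops above the installer noise.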

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4eac24ea

          Filesize

          2.3MB

          MD5

          d91c2efc799e035e2bf4f9d9afa668d1

          SHA1

          5f14510428f898ba34c1d944e4987ab037978775

          SHA256

          500f905d1cebd26b5b496c1a6559960a6c9ae40f99ec9ae241aff754043dc733

          SHA512

          304ad1f53b4029a26750d512088b85555a98b55f38a894d9f2ad1d6a210bf1e7c97ddafd437bd9723e2ddbd92b083dfd1fe98d3ba17b71ef04a9e8f7b5d2f813

        • C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe

          Filesize

          338KB

          MD5

          efdbe75dfe959d5eaa84334d4825adc2

          SHA1

          9c7655a1052c2ce0d2e0b9571885e9c898dcb5cf

          SHA256

          5ef424188b952c5aef34f508b13cf422d4c22e1476c3330ee3b729082f7116ee

          SHA512

          4b6ce786ba90635d51e82c4dd7dede3394b5c0f19c394ebc835e182f0d8fd8c898a581b388bb23e348cc0744925b8352bfa3e683d193c5355849c89db9eaea35

        • C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe

          Filesize

          1.3MB

          MD5

          649215a7c140fa697740693cf915d088

          SHA1

          035ccb917c7be1ba40ccdad606ca3c67d127251e

          SHA256

          297bcec264323cd1d6de6286cfa69a572e92552df5a3347856f8bcce8d3e9eb1

          SHA512

          ec123a7f9af0926956d41bc002546a18b7b8b776fd11332f351eac828ac7ec02497f76351f2f5c026075746156583100287e09010269257dcd00cf70fa5a003c

        • memory/3672-16-0x0000000000400000-0x0000000000C88000-memory.dmp

          Filesize

          8.5MB

        • memory/3672-19-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3672-8-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3672-6-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3672-3-0x0000000074253000-0x0000000074254000-memory.dmp

          Filesize

          4KB

        • memory/3672-2-0x00007FFFE3270000-0x00007FFFE3468000-memory.dmp

          Filesize

          2.0MB

        • memory/3672-17-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

          Filesize

          4KB

        • memory/3672-0-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

          Filesize

          4KB

        • memory/3672-18-0x0000000074253000-0x0000000074254000-memory.dmp

          Filesize

          4KB

        • memory/3672-5-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3672-1-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3792-25-0x00007FFFE3270000-0x00007FFFE3468000-memory.dmp

          Filesize

          2.0MB

        • memory/3792-26-0x0000000074240000-0x00000000744DA000-memory.dmp

          Filesize

          2.6MB

        • memory/3824-28-0x00007FFFE3270000-0x00007FFFE3468000-memory.dmp

          Filesize

          2.0MB

        • memory/3824-29-0x0000000000F40000-0x0000000000FA0000-memory.dmp

          Filesize

          384KB

        • memory/3824-30-0x0000000000F40000-0x0000000000FA0000-memory.dmp

          Filesize

          384KB

        • memory/3824-31-0x0000000000F40000-0x0000000000FA0000-memory.dmp

          Filesize

          384KB