Overview
Analysis
- max time kernel: 97s
- max time network: 154s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 07/11/2024, 22:33
Tasks (all run on resource win10ltsc2021-20241023-en)
- static1 (static task): readyfile.zip
- behavioral1: readyfile.zip
- behavioral2: ✱SatUp/Setup.exe
- behavioral3: ✱SatUp/libvlc.dll
- behavioral4: ✱SatUp/libvlccore.dll
- behavioral5: ✱SatUp/pdfium.dll
- behavioral6: ✱SatUp/plugins/access/libfilesystem_plugin.dll
- behavioral7: ✱SatUp/plugins/access/libimem_plugin.dll
- behavioral8: ✱SatUp/plugins/audio_output/libdirectsound_plugin.dll
- behavioral9: ✱SatUp/plugins/audio_output/libwasapi_plugin.dll
- behavioral10: ✱SatUp/plugins/codec/libavcodec_plugin.dll
- behavioral11: ✱SatUp/plugins/codec/libd3d11va_plugin.dll
- behavioral12: ✱SatUp/plugins/video_output/libdirect3d11_plugin.dll
- behavioral13: ✱SatUp/plugins/video_output/libdirect3d9_plugin.dll
- behavioral14: ✱SatUp/plugins/video_output/libdrawable_plugin.dll
- behavioral15: ✱SatUp/plugins/video_output/libvmem_plugin.dll
General
- Target: ✱SatUp/Setup.exe
- Size: 8.3MB
- MD5: b43b96e4483dce09976dc250f87ecf1a
- SHA1: 4290076db1e87a46b73e8391186025f1f5b492bb
- SHA256: 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12
- SHA512: 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438
- SSDEEP: 98304:U6oBO2RLry08u6KAynv/zT4AMfIrHtFF3jB7WGoITkTYwcEfcknywf7UUz8gEhf/:ZWpRMu6KBv/H4AHdjB7WGef7HfoWBu
Malware Config
- Extracted family: lumma, with eight hard-coded .shop/api URLs in the extracted configuration
Signatures
- Lumma family
- Enumerates connected drives (3 TTPs, 1 IoC): Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\F: by uc-browser-6-12909-1603.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3672 (Setup.exe) set thread context of PID 3792, procid_target 94
- Executes dropped EXE (3 IoCs)
  - PID 4012 uc-browser-6-12909-1603.exe
  - PID 100 stats_uploader.exe
  - PID 2256 stats_uploader.exe
- Reads user/profile data of web browsers (3 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs): Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by SearchIndexer.exe, Setup.exe, uc-browser-6-12909-1603.exe, stats_uploader.exe (two instances) and choice.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 3672 Setup.exe (×2)
  - PID 3792 choice.exe (×2)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - PID 3672 Setup.exe
  - PID 3792 choice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 3672 Setup.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 3672 (Setup.exe) wrote to memory of PID 4012, procid_target 82 (×3)
  - PID 4012 (uc-browser-6-12909-1603.exe) wrote to memory of PID 100, procid_target 86 (×3)
  - PID 4012 (uc-browser-6-12909-1603.exe) wrote to memory of PID 2256, procid_target 88 (×3)
  - PID 3672 (Setup.exe) wrote to memory of PID 3792, procid_target 94 (×4)
  - PID 3792 (choice.exe) wrote to memory of PID 3824, procid_target 97 (×5)
Processes
- C:\Users\Admin\AppData\Local\Temp\✱SatUp\Setup.exe (PID 3672), command line: "C:\Users\Admin\AppData\Local\Temp\✱SatUp\Setup.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe (PID 4012), command line: C:\Users\Admin\AppData\Roaming\EHC\XOZATNXRMJJO\uc-browser-6-12909-1603.exe
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe (PID 100), command line: "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAgTMHWj8XflhgiBXu+sD7Y2DSxfnJxZRIwwXe8BgEbXXHaskCLsR6LDL2G9Y7HZJIp2sM/ozfR2GCdTOq3ch6W4eNMNiTCZGno0o2FSCOhL5jl6FVMZt/wlVKe6tU2R5vBZYsuUPMxJP3bT2MMnIoSaR+PFfkMkmhlOHjl8UzFpgFeiHxHiX1YaSn968/tA7ppkwgGu/jV8Bai6rDDST0KMjD7hAYNI6ROl9v5W67X1m8h7yuKq13sc/uko7MuQnIXvPEXxbv3m5igrl
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - Child: C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe (PID 2256), command line: "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnvML2Z3XetnGyA5vfkDMbGtS3vrShxXX7UcPJITF/npPKpsGtkYAkZwlQM6qTv8cUv8E7gkLJjTlIVPj5wgVXXRNbPEziPxiHp/oxUBNRziLBPxNi459BG3fcK39mSUpd9Zn91NYGg8x7uP0xmeipkXqKcquY8UqGyH/H+gw7AGp+bvsCDXiLu6mJTDkYluW8s838PJgNwxByrFIm/Da8wYBMhnIM+xdJRnJkr07dfFsB99wEroauF6926wTqDSaTGccXiztXnNC5B0JvaoFTPLpxwZIqeHyYGBafKlnK8=
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  - Child: C:\Windows\SysWOW64\choice.exe (PID 3792), command line: C:\Windows\SysWOW64\choice.exe
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\SearchIndexer.exe (PID 3824), command line: C:\Windows\SysWOW64\SearchIndexer.exe
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- Three downloaded files were recorded (2.3MB, 338KB and 1.3MB).