Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/11/2024, 13:03

General

  • Target

    file.exe

  • Size

    3.0MB

  • MD5

    0203f6b9191cd21d402ee7ca1386cd3f

  • SHA1

    bc2a7018832ed77b3fd94802d3986c903018ad5f

  • SHA256

    54d0a6062d97cb3c494cc2b253a1d8a4636e0260826b60d5a9909e17e625ea7d

  • SHA512

    ea4325f2430a77c9b5035a74a9137be17798b129477d5feeae4840b276924885433dc0f3b9d0b70ccdf55e31c2d81931fbcf215417d46632de2b46a45570aaa0

  • SSDEEP

    49152:GIIYfTVcxT4tKmfH+3oS4B4q9IZXlqikRGhOkOhbTo:GGTV90mfeYS4B4qoQ/RG4hY

Malware Config

Extracted

Family

lumma

C2

https://navygenerayk.store/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  • Checks BIOS information in registry [2 TTPs, 2 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys [2 TTPs, 1 IoC]

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  • System Location Discovery: System Language Discovery [1 TTP, 1 IoC]

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses [2 IoCs]

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3884-0-0x0000000000450000-0x000000000075B000-memory.dmp

    Filesize

    3.0MB

  • memory/3884-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

    Filesize

    8KB

  • memory/3884-2-0x0000000000451000-0x00000000004A9000-memory.dmp

    Filesize

    352KB

  • memory/3884-3-0x0000000000450000-0x000000000075B000-memory.dmp

    Filesize

    3.0MB

  • memory/3884-4-0x0000000000450000-0x000000000075B000-memory.dmp

    Filesize

    3.0MB

  • memory/3884-5-0x0000000000450000-0x000000000075B000-memory.dmp

    Filesize

    3.0MB

  • memory/3884-6-0x0000000000451000-0x00000000004A9000-memory.dmp

    Filesize

    352KB