Analysis
-
max time kernel
134s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14-11-2024 08:58
General
-
Target
Inbreukmakend document verstrekt door BMG Benelux - De Brauw Blackstone Westbroek DH29.exe
-
Size
6.1MB
-
MD5
4864a55cff27f686023456a22371e790
-
SHA1
6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
-
SHA256
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
-
SHA512
4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
-
SSDEEP
98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz
Malware Config
Extracted
lumma
https://tamedgeesy.sbs
https://relalingj.sbs
https://rottieud.sbs
https://brownieyuz.sbs
https://explainvees.sbs
https://ducksringjk.sbs
https://thinkyyokej.sbs
https://repostebhu.sbs
https://manuejcruwhj.cyou
Extracted
lumma
https://manuejcruwhj.cyou/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inbreukmakend document verstrekt door BMG Benelux - De Brauw Blackstone Westbroek DH29.exe"C:\Users\Admin\AppData\Local\Temp\Inbreukmakend document verstrekt door BMG Benelux - De Brauw Blackstone Westbroek DH29.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Inbreukmakend document verstrekt door BMG Benelux - De Brauw Blackstone Westbroek DH29.exe"C:\Users\Admin\AppData\Local\Temp\Inbreukmakend document verstrekt door BMG Benelux - De Brauw Blackstone Westbroek DH29.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\P4ISB81ZZVVFFVVVVVVVVV.exe"C:\Users\Admin\AppData\Local\Temp\P4ISB81ZZVVFFVVVVVVVVV.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.0MB
MD56add6e737cc848a5074813fdd083410d
SHA16ca1b060674c617575d7d6b677dd07c609d11e60
SHA256f8f23912d82d82ac17a70de13d88b28382eef04d2abf83c7db7326801fc2d840
SHA512de024cb0f5c141ba8e6645780d1963f1dbb5ff7b8218cfc66fc0453bb216ebe78fdd610d46cf0fb73cb58141d1b450a8f19dcc93b43c9d7c010e413e31c92e14
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
9.0MB
-
Filesize
16.0MB