Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 17:45

General

  • Target

    857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe

  • Size

    6.8MB

  • MD5

    9cf2fcabd10ee683a3652815014b368c

  • SHA1

    f49914f1cf2b7fbba812eb8fd807b19065008b23

  • SHA256

    857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623

  • SHA512

    8dcf40e92d40627fb79413c6662e43e87d1dcd23e2825aa87a96e09706cff25e5e894376fdf5570d0e8470c36a4574810fc8afea3c720595fac07b93d0904117

  • SSDEEP

    196608:e741InG5lNniIbZg4TYc1vR31A4zur5MOjjDDTTVCjE/gsOt0G1:e741ZbPH1AJCY/Ur

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://droppyrelivei.cfd

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Loads dropped DLL 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
    "C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe
      "C:\Users\Admin\AppData\Local\Temp\857270428d9d88c5da6d8b9d33059d4e29347637879a17975631408c5359b623.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\VCRUNTIME140.dll

    Filesize

    74KB

    MD5

    31ce620cb32ac950d31e019e67efc638

    SHA1

    eaf02a203bc11d593a1adb74c246f7a613e8ef09

    SHA256

    1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf

    SHA512

    603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\_ctypes.pyd

    Filesize

    114KB

    MD5

    de2f88b18fabe8586c38074b6fb80873

    SHA1

    cf4b533ffeb9792b33516ec05d3375260ff32b98

    SHA256

    f5480114cf3118e561c4dc55cb733f9d06fae897875d91bb324263b4aedd31b9

    SHA512

    3d89ccc9f9d6bca35f2ce5dbdaff2fd571c3e4c89056aec4de97466aea49d5bd9c7de0a0d345f249f1a33b43597f9c3a1687da246f6c832434391638a10dcd04

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\_hashlib.pyd

    Filesize

    51KB

    MD5

    3ad5e39cbe6354bb1ce82e29d4b2c072

    SHA1

    c4a18ce9e803ca6a7e33f1bef422f5006df651ff

    SHA256

    eddeedd5fd8a1c49ecaab51ff5117d9fb1fed5637e8ca31f35698bc6d68ca39d

    SHA512

    a9ecab892469c79b50b7c1c79394bb96fcb10beab03114961be5c0c05622765c0f105856065988ed31a7d21911d91c7a5fcdf4a9d33ac35ab99ba5550e91a823

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\_socket.pyd

    Filesize

    70KB

    MD5

    6ba36034bc861f44e90f547c667da40a

    SHA1

    7fc6d70ac9c80e600b14760b47396369f1c3d9be

    SHA256

    5a3e41a8c91eb5d81ac9d4a7477461414d5431754ffb9d6ad49369238d25fdd4

    SHA512

    ad49ebe8b11592088ccfda6813de3629c1c0ef6663d56724b6db8f5b6b827b8cf28ef71dd7154c223f836059029cd25ff48e57edb3d9b665157716172443b59f

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\_uuid.pyd

    Filesize

    20KB

    MD5

    2c4dbaa2151c458c8eea5f37b2cfe673

    SHA1

    72aeb5de5e25e67f8f798aed198718b9c4a5cd97

    SHA256

    99dd17fe2d43ed007b301aa5ce80364f2c7d9bbd033e4ce0166defb23140db38

    SHA512

    399491b8d9736732e404640216c8ece073795f9966ae6d2acfd6d64b7c6b35ab63c03287751c0ab46593b072c778e1d4051d667ba693adbafe0a15ae6e6019aa

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\base_library.zip

    Filesize

    781KB

    MD5

    a6277edd815f1d33215c41309aa0a3b4

    SHA1

    0522d880992f2bb46571e27610410a9d99b69984

    SHA256

    a6e24deab93ca92bb3118081e10987fb7078b0d249e38911bd0c429563941317

    SHA512

    ae83607b951996cc61bfc07aa6946bc8e6b409bc504aa92355c762420ece2d69c2e11bb6c88d4ce81c8d0136ac82e1e04157ed02cdca5b7d945d939d36c4ae39

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\libcrypto-1_1.dll

    Filesize

    2.2MB

    MD5

    31c2130f39942ac41f99c77273969cd7

    SHA1

    540edcfcfa75d0769c94877b451f5d0133b1826c

    SHA256

    dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad

    SHA512

    cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\libffi-7.dll

    Filesize

    28KB

    MD5

    bc20614744ebf4c2b8acd28d1fe54174

    SHA1

    665c0acc404e13a69800fae94efd69a41bdda901

    SHA256

    0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

    SHA512

    0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\python39.dll

    Filesize

    4.3MB

    MD5

    5bafe23107e6df19de8f7ac9068ed26e

    SHA1

    d2a88beaf959bd5331948b03330c98fe8fa85c7c

    SHA256

    c1e5a847ae6aa9d9f42b482c7a20dcdc9dfe225f7186b0b01924225aa4e5e581

    SHA512

    1c2372debc0e2e53ea281798f15243294430e4e7e4d3b82e4ab998a1b7c77cad68d50e196e37c6ff7ba83b08a12286af5d2797bfa707af5dad180862cce7efc7

  • C:\Users\Admin\AppData\Local\Temp\_MEI33802\select.pyd

    Filesize

    24KB

    MD5

    e03b622acba9d02dc5a10364824ede8c

    SHA1

    40db1a1a0d81c5d165d043502b1205b22bc238a4

    SHA256

    de914028bfddf19ef7279f04c92ef118c59b1ba8b5e27c76a7932e086bbc7978

    SHA512

    02abe8c060a2e046e92db4fdf5efdeaf6a870703ad313d14d3e8a3a308cca032c1d7b7ac40b0c346c0d8bf3193c42dfc69bf50450c9545d6bb6704fc0f5d3d5b

  • memory/4416-40-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4416-42-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4416-54-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/4416-55-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB