Analysis

  • max time kernel
    134s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 03:35

General

  • Target

    ec3ec6568b2f15f13b7316416fc6354c33bb02f253cb91d507fab4bd6e743f71.exe

  • Size

    4.8MB

  • MD5

    e7b48ac6d0a0e919d7956b7c4ecfd0b1

  • SHA1

    9906bd40b328778bc7eac72e9e84d4e497d9d1fa

  • SHA256

    ec3ec6568b2f15f13b7316416fc6354c33bb02f253cb91d507fab4bd6e743f71

  • SHA512

    46a8daec5552a5a5e6535fa25e3ac848176fe9f63a7a5473591d2aaf7789fb776984c3cb9ee6734185de8b46652c8afc3f958a12682c7ca608d717a933bf34c2

  • SSDEEP

    49152:rcpR6LtEgo9HCUtjaCT71fVdzNYyRPjzs3zb:8godnRVljrQP

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

https://mixturehari.store

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec3ec6568b2f15f13b7316416fc6354c33bb02f253cb91d507fab4bd6e743f71.exe
    "C:\Users\Admin\AppData\Local\Temp\ec3ec6568b2f15f13b7316416fc6354c33bb02f253cb91d507fab4bd6e743f71.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\BaVujOncHw
      "C:\Users\Admin\AppData\Local\Temp\BaVujOncHw"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2188
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 420
        3⤵
        • Program crash
        PID:2152
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2188 -ip 2188
    1⤵
      PID:3208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BaVujOncHw

      Filesize

      38KB

      MD5

      3992f464696b0eeff236aef93b1fdbd5

      SHA1

      8dddabaea6b342efc4f5b244420a0af055ae691e

      SHA256

      0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14

      SHA512

      27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

    • memory/2188-2-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/2188-6-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB

    • memory/2188-8-0x0000000000400000-0x0000000000463000-memory.dmp

      Filesize

      396KB