Overview

overview

10

Static

static

1

Roarland_Setup.exe

windows7-x64

3

Roarland_Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Roarland_Setup.exe

  • Size

    689.9MB

  • MD5

    fd73cdaf9630ac3a86320de4d831d994

  • SHA1

    e03a791836dbf283fbc47e257c9aa8ec8d26f0a6

  • SHA256

    450fb432284ba2ee08c2cb3464286aaee9826fc23b1bfe72d7731c6aced05cb6

  • SHA512

    b10a3217e73eed2851b2ac071f47f76d5e86cd21d7b9e1565b0a3d0e2d82bd9983cb91fec6008306811d2af35d453363962f377dc2a53d57e625568bc1330a12

  • SSDEEP

    196608:eUWlPBFhD0f4P43aWKbFFM6oFPGMTjctr47i+tsYGC0t1JCbfJmYLTXzGf48o1cY:qPBFhD0f4P4t+FFMLnjcC7i+tk

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://drawwyobstacw.sbs/api

https://condifendteu.sbs/api

https://ehticsprocw.sbs/api

https://vennurviot.sbs/api

https://resinedyw.sbs/api

https://enlargkiw.sbs/api

https://allocatinow.sbs/api

https://mathcucom.sbs/api

https://ensuderowmn.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roarland_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Roarland_Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Users\Admin\AppData\Roaming\TIQ\LKNAVQRNITREE\Roarland_Setup.exe
      C:\Users\Admin\AppData\Roaming\TIQ\LKNAVQRNITREE\Roarland_Setup.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Users\Admin\AppData\Local\Temp\is-84JC9.tmp\Roarland_Setup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-84JC9.tmp\Roarland_Setup.tmp" /SL5="$4022C,827558,798208,C:\Users\Admin\AppData\Roaming\TIQ\LKNAVQRNITREE\Roarland_Setup.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Users\Admin\AppData\Local\Programs\Roarland\MyProg-x64.exe
          "C:\Users\Admin\AppData\Local\Programs\Roarland\MyProg-x64.exe"
          4⤵
          • Executes dropped EXE
          PID:1944
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Roaming\AutoIt3.exe
        C:\Users\Admin\AppData\Roaming\AutoIt3.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Programs\Roarland\MyProg-x64.exe
    Filesize

    83KB

    MD5

    5e228e133980d70be45102bdebb200ce

    SHA1

    59556ba5fc259c84dbcb57f182b722c7b31f6257

    SHA256

    39da6b9d4f23e879e31d698d14c21e0644c9256505c22a68577cd513f6afcab9

    SHA512

    c9348b22b6f96c2104e1c440df99c7d3340661064b58934f21e0e8e8307c34d301a3f05f3189c5f3e80bfcd8352003dd6fa4d9db1847884939b3a098693fac87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\22e30443
    Filesize

    3.8MB

    MD5

    b22d20e2985f86d2d6fd235b266805d2

    SHA1

    43eaa994e7713f32784d0912b620696d3f1cf2af

    SHA256

    88f7f7af574a9cf65f757de2310dad2844bd4d3070e7f42b33129977512bad4c

    SHA512

    eb49abb9001f74e2461ee7ea6d275c6a1e11fefafbd9b696904d95c01a2c5391c61bc1eddfdaf36df336b2d98a86a0b5ae2c594b6cdb40565cd3a53ae97d9ba3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2d01ba7d
    Filesize

    3.7MB

    MD5

    49bb5ea4cb43f5b5c411be1023b350d6

    SHA1

    c65683d3bf137951196148f2f6a31afd6abff2be

    SHA256

    26f98bfbeaf33dd02d8b51a57e8692eab431db495e93abb3ae72b8c4efb16f02

    SHA512

    ead5fe3fd0dfead2be0d6454e89478e8e4157de61477cb41595f12b63c5416135649d66233c12e82c034a249723e9ed26ba14c8ca0b5146728c60c0cd1c264ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-84JC9.tmp\Roarland_Setup.tmp
    Filesize

    3.1MB

    MD5

    a38f4a5b9e2df6ff5418f8bbf5dbb68d

    SHA1

    9395b1cd44160ce832cbbe8988ae347f1d5e89be

    SHA256

    5ec505d890e62b3c85ed26f8a1536fb632eefbe87758b91ad67548f105e2051b

    SHA512

    6c1beef0a6b2ef38397e6d4f064536a213d81d01a111e5144ced4173576e339c962e024ede1d0a37e8b7f42c9809cb9cf6ac46c487d57cb4def1090f73aac3d7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AutoIt3.exe
    Filesize

    921KB

    MD5

    3f58a517f1f4796225137e7659ad2adb

    SHA1

    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

    SHA256

    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

    SHA512

    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

    Download Submit

  • C:\Users\Admin\AppData\Roaming\TIQ\LKNAVQRNITREE\Roarland_Setup.exe
    Filesize

    1.7MB

    MD5

    868fd620a4c6d7dccc3e157137519051

    SHA1

    755f483cff943f983fbbc44579fd0e202345877b

    SHA256

    f0e984808ee1d0d4a06a6c3445b508d457d174c3064c82c131b41f46bf0a0aaa

    SHA512

    94c5a152ea1505171de13ea12c0e2e80a9ff5bcec19bea53e0ef722e4de2352ca0fb915d17e958cdc8c121767b4df58eccdebff13b078b66d5431f2b93465cb0

    Download Submit

  • memory/388-70-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/388-69-0x0000000000C00000-0x0000000000C7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/388-72-0x0000000000C00000-0x0000000000C7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1028-60-0x0000000000F10000-0x0000000000FE1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/1028-61-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1028-21-0x0000000000F10000-0x0000000000FE1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/1028-24-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1028-35-0x0000000000F10000-0x0000000000FE1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/1036-34-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1036-36-0x0000000000040000-0x0000000000370000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1036-59-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1036-58-0x0000000000040000-0x0000000000370000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1036-54-0x0000000000040000-0x0000000000370000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1036-28-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-19-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-32-0x0000000076A23000-0x0000000076A24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4332-6-0x0000000000400000-0x0000000000E04000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/4332-12-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-0-0x0000000002E60000-0x0000000002E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4332-30-0x0000000000400000-0x0000000000E04000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/4332-33-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-31-0x0000000002E60000-0x0000000002E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4332-17-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-16-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4332-13-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4332-14-0x0000000076A23000-0x0000000076A24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-63-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4764-52-0x00007FF969ED0000-0x00007FF96A0C5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4764-42-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4764-73-0x0000000076A10000-0x0000000076FC3000-memory.dmp

    Filesize

    5.7MB

    Download