Overview

overview

10

Static

static

1

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    651.4MB

  • MD5

    8604e4bdf9de6a0ae82aa30e6bb5841e

  • SHA1

    8535e889bc6a0757274081e52fdab90ea2090ae6

  • SHA256

    27196952aca14c796138426eb8f52b0ddafc9f46d0e4c10f750cfee95bf5132c

  • SHA512

    8a0d003df564bedd3b748955b2b2efd6079d03b73ea56ff6e3bb77fd8f54c500e683107fdc64d4df71dfcba90b275066b3d627422bef0a217dbbcfffc5b00ebe

  • SSDEEP

    196608:ZAa/L5xk1ABsdnCdTy9w6wzWvnP4O7NADtV6v+4cU9UryCjh9WmilQDpMVo0hnXy:j/L50mq9w6hvX7

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://reinfomarbke.site/api

https://monopuncdz.site/api

https://unityshootsz.site/api

https://moeventmynz.site/api

https://plaintifuf.site/api

https://honerstyzu.site/api

https://bringlanejk.site/api

https://uppermixturyz.site/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\choice.exe
      C:\Windows\SysWOW64\choice.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\13713c7d
    Filesize

    1.0MB

    MD5

    c3df93ace33743680e80ae11c9a3b003

    SHA1

    cf54f6ccd41c963e7f6cb851f7290724b1442fff

    SHA256

    5b602014cdddaa2600d953b12dfb86b2d9dce1f15aab11b9efded56b8ce602fe

    SHA512

    d4a5294be64f564527f73a73acb4194992a97d6af8186fa292f64b3a0911d7f665e7c16f5e7414f55fd7e3f1639e5140816a7139ab923e14732c15e91179f3b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\16c29343
    Filesize

    1020KB

    MD5

    eaa81794e6cce2abc8d216b434ff336d

    SHA1

    4b9527374cfffa78c12fa796d87281e0dec92658

    SHA256

    0458c11bf7c8776ea49489369579c516f5ed3a0facea2ab086244019c7fc4b09

    SHA512

    0d314e52aea572ddbb1cb46bfe80e72e049b31126bc1768d3df9a2d26ab7d0f8d90b9a5a672a7c1dedfe5e2bb36f237d17f9f40895a72d509e2bd3f44da0f279

    Download Submit

  • memory/2100-9-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2100-6-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2100-0-0x00000000001F0000-0x0000000000851000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2100-8-0x0000000073563000-0x0000000073565000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2100-10-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2100-7-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3084-14-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3084-12-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3084-15-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3084-16-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3084-18-0x0000000073550000-0x00000000737E1000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4844-19-0x0000000000AB0000-0x0000000000B09000-memory.dmp

    Filesize

    356KB

    Download

  • memory/4844-20-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4844-21-0x0000000000AB0000-0x0000000000B09000-memory.dmp

    Filesize

    356KB

    Download

  • memory/4844-22-0x00000000008DB000-0x00000000008E2000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4844-23-0x0000000000AB0000-0x0000000000B09000-memory.dmp

    Filesize

    356KB

    Download