Analysis
-
max time kernel
61s -
max time network
62s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30/12/2024, 09:34
General
-
Target
Set-up.exe
-
Size
693KB
-
MD5
97332f205ae41e7c7fbf095e0017d04c
-
SHA1
066c47b8a183ac6369a4551982e5deadee9724a4
-
SHA256
a03587582f849a19f70a195230e93391ce5ac11f1233bb110492ba03888594a3
-
SHA512
8a4ba7b17197199098e9951fdf2dc379701ce4fb249da6e7b48ed7df6c5c81680251d9b84fee35703a7bd122ce627473c97d43af3d634142b0c2b2d9f36d708a
-
SSDEEP
12288:fdy/AXPSrKpD1uDak9t+XokQr44RJvV4tvSKB331MZZ0ot1fnZHNulsqqss2r8no:fUIyKp5jb4Lr44RJ6cA3lM0ot1fZ
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
Extracted
lumma
https://fancywaxxers.shop/api
https://abruptyopsn.shop/api
https://wholersorie.shop/api
https://framekgirus.shop/api
https://tirepublicerj.shop/api
https://noisycuttej.shop/api
https://rabidcowse.shop/api
https://cloudewahsj.shop/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 10282⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3596 -ip 35961⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 10282⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 976 -ip 9761⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
436KB
MD5a617035cbf33cdf5d7d7aebafb0727eb
SHA1b4fa91659aabdd2085e466f3f84eda8394b54d70
SHA2569b0613219037936b4db1373e520203a6af54d5986b4682a28f1d916312a6777e
SHA512d348dc899177daa4a8de5bc7f8a7e5c437431e4e9f2e40b911114f0bf4a804d6dcbf0c484abeb739ca6d162c318a84f9cb1b8730d67a6ebda4e60e6a6f427a6d
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
728KB