Analysis
-
max time kernel
106s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-01-2025 20:49
General
-
Target
Set-up.exe
-
Size
800.0MB
-
MD5
789f5d29d14845fcd589b2fc0b851334
-
SHA1
94a07132472f16b411333111c2d0f6057329088f
-
SHA256
fdcae90a93bc31967bfefa7ccbb093e2bd084e94959d72d3676c48fa7108d697
-
SHA512
36666deae33a8e1838183ee7100e8fdd56b7ef67eae0922fe4286d789ede47cd0cffaf46a953f3a212bfef4435e00ee59e73518530c8fc6b1a09dda74de35397
-
SSDEEP
24576:oJyQxTjqSG9r9B4Qr26l3jHxJ6Bb92rNJUoF72SauEEO7b9yHh3H:2bqSKnxl3jHSMl1EjMX
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
Extracted
lumma
https://abruptyopsn.shop/api
https://wholersorie.shop/api
https://framekgirus.shop/api
https://tirepublicerj.shop/api
https://noisycuttej.shop/api
https://rabidcowse.shop/api
https://cloudewahsj.shop/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Motel Motel.cmd & Motel.cmd2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3128753⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Memorial3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Direct" Reception3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 312875\Tracked.com + Pike + Propecia + Bite + Kit + Encoding + Epinions + Bool + Back + Halfcom + Remind + Patient 312875\Tracked.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ingredients + ..\Dying + ..\Postage + ..\Inner + ..\Efficient + ..\Browse + ..\Riding I3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\312875\Tracked.comTracked.com I3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeUnregister.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnprotectWrite.wma"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResizeRestart.mp3"1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResizeRestart.mp3"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
493KB
MD52b4d1db384602401d735c6905423079f
SHA17f9f42c963f689742f71fad001572f65a6f37f78
SHA2560d0795b6da3c9b2c17e1fadd183dff36739118e222a0825d5084e1970ebfab50
SHA512dab02f1e1d7689da73cf6b3a4b34f7afadfdf6e96de05a423948224c18704b5c02a7be60c4ce59f2298790cc668a7835672ad7bf48b529c23c7e8242c49b46c4
-
Filesize
157KB
MD57cae1b21a3a5ded4949fb64f74372b73
SHA13ecb504113c489cc88843c67a5d2774a411c3b93
SHA25649e76cb2aabc1c0d0501d00f4ee8c6d9f272729b18a69d302a1fa4dac6551f61
SHA5126a042476bdc6c36f7181f922526fc842e653639149585ae9ff4690f5656597b302c8d9dfa764895bb321b5e8319d31faa84b323b5271538d37669b9981c0d185
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
88KB
MD523d6c3e976d447f6d1e7b2d3596f4131
SHA113a95e867e16b9b7d70f2a0364047c22fd83037e
SHA25689d61b14665d159a9e048e9d190c62aa435b0a19f855477ac5c411de25377fb7
SHA512fbc7f09857ad43edf90ae5a33b812620e016558320cf6a64a86da060c07f7bd25215c7da8d93128318471b2499f2b20daae9e5a3fbdf8ea928a2a33c3704c044
-
Filesize
56KB
MD506f59a44c4bbb3d39cbe72bebf550d64
SHA191fc5aa4837b8200f98964bde18f1dde9db05910
SHA256b07124480898677fd977d040a47ed079c3b0296e2721ef9708e756be71e723d6
SHA512029968c019783ae75f14dba50a529936a17fae3dffd0604788d65cf240b63da7d4bd307138bb8650b98b0b6ac5e3f68ee887d1ac96a3aa6c2253d516ab4d62ea
-
Filesize
118KB
MD5afe0d49037508182811d23258b102ec9
SHA1206ba4dfbfea8fabf55524901c13cce4c33d8487
SHA256635dd1439e87abefbd638abe39158e8bfda6110cc4ca894b59c002017209a52a
SHA512dcd2a606628d44e112d761c7000f5bd27a728431d8344afef28c3086a37dc500ec29c883eba81ad44395d30ee1240d5a726b9e7596aee8b5708db50c8088e3a9
-
Filesize
53KB
MD55b569853af53d13f1f5e33da504962ba
SHA1bcec41c860091d94c0ef504a5736e0acf925b357
SHA2560b3d6c0cb76a475bfaf20c163bdb405112b779c05a7f857946eb2bb88c4b4443
SHA512dc959fbcaa2eafb9c16a065d0c0aa6e18b7d326aebfdf9a87f52354bd86c00b4980265de26fdfab07f56f3718f02f6507e8e73d9a9cc214402405f6d3e3eb33d
-
Filesize
87KB
MD5d1774561f82eb00effdf402cab18ae70
SHA1da33bc96c96da1a3fd15c1fa525d939461b78aea
SHA2566c6ece0de41b5f33dc52ddfe5908130e71a1c3c7245fa3cff0e2b020d1f061c5
SHA512febe3ea3a3ffbb24fd270c935fcbc3cdb319a10043254864cf6ebfcdd8236488d8f9c84fc390208f30aade982427f9dbc65fd8f083b5ad6c20c8aa100e4b77ec
-
Filesize
91KB
MD5482d1ead5b6f6ce894e8042a264ac9e1
SHA1525b058e0c3fee2eec8a134fb7be25b1e57f343c
SHA25605f6e70a77434e805846fd02b3f6b20a59965d698901dc5371d995ab31cf4b04
SHA5120a1c622d10241a4c399bb11562f4961a00b5848f13cff67ce9c299fe39e0525fd6239cdeaa1195bf23a2a1d53b7982e87763ab0706d9bdf6686b52ab6e12a308
-
Filesize
64KB
MD573aa51e3b9bbe1c129c64c11e1f3b0e2
SHA1d2b00635ac7bd65b131e571ff727d61aed2c1f20
SHA2568294f9119b6073d0f830deaac65f3f8d47c1d654196b4b5dd7f56b3728d404db
SHA512f8d33a6d887c2d41360ddc06cd71f71e5007b1b58cf99e74db95d41b4d41758b0f32d3d520d4643efbf164740c7d45911a600af043db82025427f3535c6ca78a
-
Filesize
112KB
MD53b4d81abe994cd49de719b68a953d78c
SHA1ea77bb52b4820b7abfaa510bda7cd14aa85929d9
SHA256e66c6c168dbd5a8d552f230e0a7314355f6d72ed7623428769bf85dbb649f21b
SHA512ea8814c9b77c56224ae0fc6b393d519cacf7e81050e21cd904cd50b9a4fe51e88c63ce4fc73583d85a4372e99a6e5c00e59f2c061537a87581d2d9fbcfc7838a
-
Filesize
133KB
MD50544c7badbe97c4d56e72d7d7242e98b
SHA19b117815db490af6d31d75772ec93b26b1330f3d
SHA256333323a0e718c711ae6097df85a5c59f336698723c6aeb02dd184b78e3baaa06
SHA5127ce51468881d12c925e989110096e46fd1eebc7a77cd483a9da9ed0c1b58c78c89c9a5865df62512446138116b24a7d7b70fa53b84c7176a7a4b0a1557678ca9
-
Filesize
90KB
MD52adcadab494462fba495d5ce3706d5e3
SHA12ea7293d91cb152c793fe4d3e5d829dd6bb6ba64
SHA25647fc6ac29d8fcd5b54f93126cbe669f40caf9d5741b64ce4b83942933e148864
SHA5129ebdeb2323bdbebc97ff58e812e928445d5664f570e4d5be0ea6219af2a19f8122efdd9f85dba713b576d37a4c0a3076437ce5b12971c2e1b747f8f9f099bda3
-
Filesize
57KB
MD5dfdd5dfc5e5c40fa85686921dbcc9ce2
SHA14da2e5a9609c1936573261c498b9d4f20191a67b
SHA256eea452360928a61c788aa5c25aaad7c1beb2ed214a336fc74f469d5e9febf29d
SHA512bd11468006656e01694396c8ee02188e4ad5a20e30b35ce49b02cdf1103343054cd18e494703fdd06df237788e166ac4a8cb7f01ef7e7ea21a44a5cd1089aa18
-
Filesize
77KB
MD553a8aa9271206f34628122273cbfa8a0
SHA18287cc19f9eed1d3f8cf43e67e149601ecaf263a
SHA25669139c3dc00b0c3db2ce4ded69c4571cf3fb5460d06d0afc6cc8aec8951585ff
SHA5120c78cd217f1a40e467bb1241acd31e5ce8e1b57203e6fea5334972e141619276f6aa1fb0c5a64431dec2d2ef753a7ddcfaf92aa1a627e4a652d5d1d4746e3f1b
-
Filesize
477KB
MD5b094861fa938bedf7f31665429edbd3f
SHA134f7f7f994ee8bbe5d485224dae3a9cf54e619ee
SHA256ec3fe76c5434b5a2ab018926eb2e4e831a6c050c328d047c1964505a6274e140
SHA51245cc2bd22bf75d1a0002ec1f680edbb8505e414169b4f80e960aad86a7455abce52a19380a536800e20dda01dd0d7044bedf219e5cedfd4d3c0e4d886f8ac0bc
-
Filesize
15KB
MD52c068f885d810cd34c5f470703fff7bc
SHA1b64de9c841cfafbc22a67d3d75e347f199ffc470
SHA256248cd8cf8ec0ab284667a874fc5d2cd4bb92cbb3806dc9474086834eb5ee0720
SHA512f7bfcccec497d0514eb7580d4add5b119a10e77412b617b3af4329f9a32886b8766cdea259af1aa7608ad3d690b16790836b86073dd4648aee54cabdf48f672b
-
Filesize
64KB
MD57b9d8bc02137a80208c6552147488b2d
SHA137409108155824a9d7f9a878925f0b09642d2310
SHA2563859ea981318f558de97061df761f8750b5d6680c7e9d8eb7c7a86832b01c910
SHA512f7c669a7ffa26f89d4cfe350050d8a4f9165b8100e47dba6c9a2e2579f8cb35b1575c5b5b36a875dc7e59232c2fb6b4d47395185aad6caaf0fbe046a78d7a8f7
-
Filesize
59KB
MD533425334f413ff941dbe56b47b3e0747
SHA1656836d03682237892316251f342aff2d3a74811
SHA25674ef38bec95ead303e5b824f44065930c5183d10206b6653a960e672ec374851
SHA5124865e765ecb3c8fa799e27bcb9003b11848b8e0a88aa18ea7957bc959d829826a7b0c423b32adc19481a1826495e76afaaabd65eee5c9de179d449d1aefe63bc
-
Filesize
92KB
MD5d0d3d3f8fa8e3aa72405d0fb9b1587ea
SHA1c5e78f6bfa2c053c27db2f5ae70eb04814937d5c
SHA256541d1303370a41bb377d3f28796ad1e1f4225e73b3ce324891d37250db8f7864
SHA512f3019d48635de8a58f5f7ebdc4b56778ad7894ed3d077a359e3a551a34d867b5e91314ea5f58701ab8b178487e9b680792c4c348a1e7d4abd6463ef1a41defba
-
Filesize
96KB
MD53dc43b59ebd8419fbe78840edf0f4948
SHA110b307d7333e03edc72629dc0a1b169be90ddb76
SHA2567e37730b24244d097b74bdce7062a61556e18040d548cb3b818a440f267b1c8d
SHA512c645d745e3390ed0d471057a6c816697c6fbdfaa0da5db92e09ff623ff729f4d57be5ad402dfa3e3f8de59bdc18b40a5d714a843248da52fe5cb7c3daf9458f0
-
Filesize
2KB
MD527c586be31c9542b70ab377e58a0f72a
SHA127412114d7836cc80f13c49ed19ec7946934834e
SHA256cecf4a764e4e12fc614fa784c4a96cda7127636ac3484093b1089d5aafcdb432
SHA5126b80ddf66cc514617cdf44c483d03bd657189a1329af70d30dc8018a7cc729bab81901987342198df2a180937348b383671b619e5e9f68ea58df408745aae179
-
Filesize
55KB
MD58a73509163198a881058e44e07ba3875
SHA1543bbcf5d4eba4bed5a2233fdc0032cacbaa3074
SHA256709279d5a4e77e5a59d434a90c7f6006f17211dd7053c8dab7463e54c4ae74f5
SHA512b0d432e0ffbf879de22592bd131d4b9eb7a99e4ddb55b2291cc13f31f08acc5804ad09b1db625f843c44b6823d56f6f85cc62f41c0d1af286cc09856b71cd858
-
Filesize
23KB
MD561f93b2b59d9b35aa31f77e3cc7f4b65
SHA1e05fe48381692d16884d979620e9d41b29abd7a4
SHA256e689f665043b3723ace59e4b8b29c8741bfb0d5effce2c3d03945a62c2b0dee9
SHA512c8f6e93f4b437988407a5649ffc9ee6819fa52ced04b628dfdad7fa2a8d0937a4c24f40b06688facb23be893070e78346c42f1cf256d81f1d561ed9f43e9eba9
-
Filesize
79B
MD539f12d3a79296bbe0fa1eea2dff04b6a
SHA15c7e4c3bcddf253f78405a25612111aa3ce086d1
SHA2569eec818c6151ef1c9c3d6e9e7a12f18df1ca877927b61efd90f63dfacc106013
SHA51266c6647534a92d3d8eabd70a6c839d8ce05d496d608e5396c85ad9e3238ce244788381225db79c92c1b53567e558bf4e107bc17dbcf154b67be33982b4992398
-
Filesize
94KB
MD57b37c4f352a44c8246bf685258f75045
SHA1817dacb245334f10de0297e69c98b4c9470f083e
SHA256ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e
SHA5121e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02
-
Filesize
68KB
-
Filesize
260KB
-
Filesize
16.7MB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
992KB
-
Filesize
24.4MB
-
Filesize
16.7MB
-
Filesize
132KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
2.3MB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
992KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
92KB
-
Filesize
992KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
208KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
992KB
-
Filesize
96KB
-
Filesize
2.7MB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
208KB