Analysis

  • max time kernel
    22s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-01-2025 06:13

General

  • Target

    Release-x86.zip

  • Size

    19.7MB

  • MD5

    db1a46d6a06fdbb2a8b2e2a857c3816a

  • SHA1

    c4817795ba83e1e4ce5d62355b2417177de0e489

  • SHA256

    1e43362597cdf2d0f61ab555a4069b7c788ab135d45bf76898adc87f158a4715

  • SHA512

    ecdb95d05cb5e34494abaa347fe7ac24b6747b736ab1d9f5a27f3044014866decc89e4391d0e76fd27c29b9ff1669243ced366a74d293642b8bf2d0b1e301572

  • SSDEEP

    393216:IBckwqPnIgGV/r1NgeJaUv2HrmiOD7m9mHi9rPhkHmUffAi81AAT:IBcKNGV/jhCSR3HiPUmUg

Score
10/10

Malware Config

  • Extracted
    Family: lumma
    C2:
      https://cloudewahsj.shop/api
      https://rabidcowse.shop/api
      https://noisycuttej.shop/api
      https://tirepublicerj.shop/api
      https://framekgirus.shop/api
      https://wholersorie.shop/api
      https://abruptyopsn.shop/api
      https://nearycrepso.shop/api
  • Extracted
    Family: lumma
    C2:
      https://abruptyopsn.shop/api
      https://wholersorie.shop/api
      https://framekgirus.shop/api
      https://tirepublicerj.shop/api
      https://noisycuttej.shop/api
      https://rabidcowse.shop/api
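
The hashes under "General" and the two extracted C2 lists are the report's actionable IOCs. The script below is an added example (it is not part of the sandbox report and not Lumma tooling): it builds an IOC set from those values, verifies a file's digests against the report, and scans log lines for the C2 hosts, including subdomains of them. The lines in SAMPLE_LOG are constructed for the example (a Squid-style proxy access log plus one free-form DNS query line); real deployments parse their own log formats and only need to hand the text to match_log_lines().

```python
"""Added example, not part of the sandbox report or of any Lumma tooling:
turn the report's hashes and extracted C2 lists into an IOC set and check
a file and a batch of log lines against it."""
import hashlib
import re
from urllib.parse import urlparse

# Digests of Release-x86.zip exactly as printed under "General".
REPORT_HASHES = {
    "md5": "db1a46d6a06fdbb2a8b2e2a857c3816a",
    "sha1": "c4817795ba83e1e4ce5d62355b2417177de0e489",
    "sha256": "1e43362597cdf2d0f61ab555a4069b7c788ab135d45bf76898adc87f158a4715",
    "sha512": "ecdb95d05cb5e34494abaa347fe7ac24b6747b736ab1d9f5a27f3044014866decc89e4391d0e76fd27c29b9ff1669243ced366a74d293642b8bf2d0b1e301572",
}

# Union of the C2 URLs from the two "Extracted" config blocks
# (the second block is a subset of the first).
LUMMA_C2_URLS = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
]


def digests(data: bytes) -> dict:
    """Hex digests of `data`, keyed like REPORT_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Per-algorithm True/False. One False means `data` is not the file the
    report analysed (or the expected value was copied wrongly)."""
    return {alg: hashlib.new(alg, data).hexdigest() == want.lower()
            for alg, want in expected.items()}


def c2_hosts(urls) -> set:
    """Lower-cased hostnames from the C2 URLs. The /api path is dropped:
    proxy CONNECT records and DNS logs never see it and TLS hides it."""
    return {urlparse(u).hostname.lower() for u in urls}


# Over-approximate hostname extractor: any dotted token whose last label is
# alphabetic. IPv4 addresses never match; tokens like index.html do, but
# the intersection with the IOC set discards them.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def hosts_in_line(line: str) -> set:
    return {m.group(1).lower() for m in HOST_RE.finditer(line)}


def ioc_match(host: str, iocs: set) -> bool:
    """Exact host, or any subdomain of an IOC domain."""
    return host in iocs or any(host.endswith("." + d) for d in iocs)


def match_log_lines(lines, iocs: set) -> list:
    """(line number, sorted matching hosts) for every line with a hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        found = sorted(h for h in hosts_in_line(line) if ioc_match(h, iocs))
        if found:
            hits.append((lineno, found))
    return hits


# Constructed sample log: lines 1, 3 and 4 touch C2 hosts, line 2 is noise.
SAMPLE_LOG = """\
1735884780.123     45 10.0.0.5 TCP_TUNNEL/200 3421 CONNECT cloudewahsj.shop:443 - HIER_DIRECT/203.0.113.10 -
1735884781.004     12 10.0.0.5 TCP_MISS/200 812 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1735884782.515     40 10.0.0.7 TCP_TUNNEL/200 2210 CONNECT cdn.rabidcowse.shop:443 - HIER_DIRECT/203.0.113.11 -
2025-01-03 06:13:22 dns query noisycuttej.shop. type A from 10.0.0.9
"""

if __name__ == "__main__":
    iocs = c2_hosts(LUMMA_C2_URLS)
    for lineno, hosts in match_log_lines(SAMPLE_LOG.splitlines(), iocs):
        print(f"line {lineno}: {', '.join(hosts)}")
    print(verify_hashes(b"not the sample", REPORT_HASHES))
```

Matching on the hostname rather than the full URL is deliberate: the C2 traffic is HTTPS, so a proxy only records the CONNECT target and a resolver only the query name. Subdomain matching is kept because an operator can rotate hosts under a domain without changing the sample.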

Signatures

  • Lumma Stealer, LummaC

    Lumma, or LummaC, is an infostealer written in C++ and first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release-x86.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\7zO0F9199F7\BootstrapperUI.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0F9199F7\BootstrapperUI.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2384
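
The process tree is the detection opportunity in this report: 7-Zip's file manager (7zFM.exe) started BootstrapperUI.exe directly out of the per-archive temp directory it extracts a double-clicked entry into (…\AppData\Local\Temp\7zO<hex>\). The script below is an added example, not part of the report: a detection for that chain, run over constructed records that mimic Sysmon Event ID 1 fields. Real Sysmon EVTX/XML needs its own parsing before it reaches detect(); the second and third events, and the 7zO0F91A2C3 directory in the third, are constructed benign cases.

```python
"""Added example, not part of the sandbox report: flag executables that
7-Zip's file manager runs straight from its 7zO<hex> temp directory."""
import re

# 7zFM.exe extracts an opened entry to %LOCALAPPDATA%\Temp\7zO<hex>\ and
# launches it from there; the report shows BootstrapperUI.exe started from
# exactly such a directory, with 7zFM.exe as the parent.
SEVENZIP_TEMP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\7zO[0-9A-F]+\\[^\\]+"
    r"\.(exe|scr|com|bat|cmd|ps1|js|vbs|hta|msi)$",
    re.I,
)
ARCHIVE_GUI_PARENTS = {"7zfm.exe"}  # the parent observed in this report


def is_archive_direct_exec(ev: dict) -> bool:
    """True when a 7-Zip GUI parent spawned a script/executable located in
    its own 7zO temp directory."""
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return parent in ARCHIVE_GUI_PARENTS and bool(
        SEVENZIP_TEMP_RE.search(ev.get("Image", "")))


def detect(events) -> list:
    """(pid, image) for every process-create event that matches."""
    return [(ev["ProcessId"], ev["Image"])
            for ev in events
            if ev.get("EventID") == 1 and is_archive_direct_exec(ev)]


# Constructed events. The first reproduces the report's process tree.
EVENTS = [
    {"EventID": 1, "ProcessId": 2384, "ParentProcessId": 2544,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7zO0F9199F7\BootstrapperUI.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\7zO0F9199F7\BootstrapperUI.exe"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
    # Benign: archive extracted first, binary run from Downloads via Explorer.
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 1200,
     "Image": r"C:\Users\Admin\Downloads\Release-x86\BootstrapperUI.exe",
     "CommandLine": r'"C:\Users\Admin\Downloads\Release-x86\BootstrapperUI.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: opening a text file from the archive hands the temp copy to
    # Notepad; the child image is Notepad, not something under 7zO<hex>.
    {"EventID": 1, "ProcessId": 3200, "ParentProcessId": 2544,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO0F91A2C3\README.txt"',
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe"},
]

if __name__ == "__main__":
    for pid, image in detect(EVENTS):
        print(f"PID {pid}: executed from 7-Zip temp dir: {image}")
```

The rule keys on the child's path, not on the archive name, so it also catches a renamed lure; the cost is that it fires on any legitimate installer a user launches from inside an archive, which is usually a policy violation worth a ticket anyway.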

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO0F9199F7\BootstrapperUI.exe

    Filesize

    334KB

    MD5

    b8707d5c712788bef83bb6b114761980

    SHA1

    f06d73138c9d5130968c53c8e83ee129a09ff17e

    SHA256

    01859764e1398422d1bac65752ed02cfe0c8fdb603b763fcafe329e27eeb3aac

    SHA512

    a17821bc36f8c0a3d1017004c1286ac530eb145f0ce0798c26ec9751a37d349b843d0cd3ae8d8b5b7dfd5d7361ab96c12a86c9dffd4559afea4a65ece28d39ee

  • memory/2384-9-0x00000000021C0000-0x00000000021EE000-memory.dmp

    Filesize

    184KB

  • memory/2384-10-0x00000000021F0000-0x000000000223D000-memory.dmp

    Filesize

    308KB

  • memory/2384-11-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/2384-12-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2384-13-0x00000000021C0000-0x00000000021EE000-memory.dmp

    Filesize

    184KB
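
The memory dump names encode the PID, a sequence number and the dumped address range, and the report lists two ranges twice for PID 2384: the 0x21C0000 region (dumps 9 and 13) and the 0x400000 region, which is the default image base of a 32-bit executable, first as 348KB (dump 11) and then as 360KB (dump 12). The script below is an added example, not part of the report: it parses those names, confirms the printed sizes follow from the address ranges, and lists the regions dumped more than once, which are the first place to look for unpacked code. The file list is copied from the report; nothing else is assumed.

```python
"""Added example, not part of the sandbox report: parse the report's
memory dump names, check their printed sizes and find re-dumped regions."""
import re
from collections import defaultdict

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (name, "Filesize" string) exactly as listed under "Downloads".
REPORT_DUMPS = [
    ("memory/2384-9-0x00000000021C0000-0x00000000021EE000-memory.dmp", "184KB"),
    ("memory/2384-10-0x00000000021F0000-0x000000000223D000-memory.dmp", "308KB"),
    ("memory/2384-11-0x0000000000400000-0x0000000000457000-memory.dmp", "348KB"),
    ("memory/2384-12-0x0000000000400000-0x000000000045A000-memory.dmp", "360KB"),
    ("memory/2384-13-0x00000000021C0000-0x00000000021EE000-memory.dmp", "184KB"),
]


def parse_dump_name(name: str) -> dict:
    """pid, seq, start, end (ints) and size in bytes from a dump name."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def report_size(size_bytes: int) -> str:
    """The report prints sizes as whole KiB labelled KB."""
    return f"{size_bytes // 1024}KB"


def check_sizes(entries) -> list:
    """Names whose address range disagrees with the printed size."""
    return [name for name, printed in entries
            if report_size(parse_dump_name(name)["size"]) != printed]


def repeated_regions(names) -> dict:
    """{(pid, start): [(seq, end), ...]} for every base address the
    sandbox dumped more than once, in sequence order. A base that comes
    back with a different end (0x400000 here) changed size between dumps."""
    groups = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        groups[(d["pid"], d["start"])].append((d["seq"], d["end"]))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORT_DUMPS))
    for (pid, start), dumps in repeated_regions([n for n, _ in REPORT_DUMPS]).items():
        print(f"PID {pid} base 0x{start:X}:",
              ", ".join(f"seq {s} end 0x{e:X}" for s, e in dumps))
```

Dumps 11 and 12 share the image base but differ in length, and dump 13 repeats the 0x21C0000 region after it; when triaging, diff the two image-base dumps first, since a region that changes size at 0x400000 is what you would expect from in-place unpacking rather than from the original file's sections.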