Analysis
- max time kernel: 77s
- max time network: 68s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2025 23:34
- Static task: static1
General
- Target: Setup.exe
- Size: 673.1MB
- MD5: da75332f4171d56fdcf037ea9b96e165
- SHA1: 3d053ce23292b257449c3d5190484767f05fefb8
- SHA256: b0db7b0bb67ab537ed6d63d9219d9e14ab09a0b6171e4439794b2447e87debd4
- SHA512: a26b77d9102056135ecf13f11c55b057c35838b3c6005acccceb23794474c644c23a6f03a6393fa32399d088d241aff7fa2980df5faef8562ee502ae6f66e372
- SSDEEP: 196608:LgdaTos7s4QA/rmYeus5dgXCKsJdVV3qHDYgJVoT:LgdwbcAheus5KXCKcVV3qHDYAVoT
Malware Config
Extracted: lumma (C2 URL list)
Extracted: lumma
- https://hardtofinner.cfd/api
Signatures
- Lumma family
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
- Modifies data under HKEY_USERS (15 IoCs)
  description       ioc                                                                                                           Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                              LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"              LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"                       LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                          LogonUI.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                                        LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                             LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"                   LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"                         LogonUI.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                             LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"                        LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"                    LogonUI.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"                       LogonUI.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3300  Setup.exe
  3300  Setup.exe
- Suspicious behavior: LoadsDriver (64 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2440  LogonUI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 3300
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4840
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa399f055 /state1:0x41c64e6d
  PID: 2440
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx