Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2025 14:09

General

  • Target

    c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe

  • Size

    14.4MB

  • MD5

    191294c00be02e5bf0807dc1cf52c53a

  • SHA1

    5dbfe490dcc65b2107f9bc0461c9e6767463795a

  • SHA256

    c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1

  • SHA512

    7bbefd4dc19290e454e3f4b08eb5f7faf904639a441d96f74c3973db0302a240192e31cf55c3939c7a70e024199754f084eb68a2ecccc0aea803da6a46025bdc

  • SSDEEP

    393216:8ZnXkkkXBPkVr/zc5Vk1LJG9+ydIaxbDdVUD5:8ZXJqkVr/zc521LJG9+ydIIbhGD5

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

https://cashju1cyh0.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE (1 IoC)
  • Blocklisted process makes network request (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe
    "C:\Users\Admin\AppData\Local\Temp\c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\333.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\333.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1388
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:4576
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/15PRC4
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc704646f8,0x7ffc70464708,0x7ffc70464718
        3⤵
        PID:684
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        3⤵
        PID:2368
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2412
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        3⤵
        PID:4540
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        3⤵
        PID:3260
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        3⤵
        PID:3236
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
        3⤵
        PID:4312
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        3⤵
        PID:3616
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        3⤵
        PID:3516
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        3⤵
        PID:2820
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
        3⤵
        PID:4700
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15980112543854875018,14112163743711626527,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3388 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4436
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1748
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Downloads
