Overview

overview

10

Static

static

1

setup.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    43s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-01-2025 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    71.1MB

  • MD5

    cba1d2bf7aadf6edad9b1074f1d52bc0

  • SHA1

    a90cc53c1ee1299cb5c574bc3fc05198e3b23946

  • SHA256

    d95f10c803cc592a57604241152555f90f4699e8e34cdc3b2189b2a752724024

  • SHA512

    57e20798450eeb1ebbf19b776ff3a2d7dc4d199f64fdc5e80184333afdccc41729cd24cccd8854c443d1bdd153f0875fbfe435446c9a29d1086fa57b8035c78b

  • SSDEEP

    24576:L+QSkqgJVQNDa5lZe9fvyErqPW+UHx+/szlzBF6TmJaxEX:L7Xqei9f7qw3BzB8Tk

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://relatiounces.cyou/api

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:3108
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 3112
      2⤵
      • Program crash
      PID:3060
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:2160
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\system32\dashost.exe
      dashost.exe {03413c31-3983-46d2-9f52f1751d9c28cd}
      2⤵
        PID:2224
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SendEdit.mpe"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3884 -ip 3884
      1⤵
        PID:3132

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
        Filesize

        64KB

        MD5

        987a07b978cfe12e4ce45e513ef86619

        SHA1

        22eec9a9b2e83ad33bedc59e3205f86590b7d40c

        SHA256

        f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

        SHA512

        39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
        Filesize

        1024KB

        MD5

        813d469474f4ef922e610a48e5a450d6

        SHA1

        510cfad40377b067db055ba96ac3b8cbaf553844

        SHA256

        58e8758f003b4c4ce8457b16921549355a62aaab27b8526bbfe6b3cbb6c0d99a

        SHA512

        6b4553fc76ae6becdd095dcfa3a9487c4e18503da160f09d9affaad4e935345aaffb7aa38c16140bc05597c3623006e4938df856bd52e15d4967767867e3d40c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
        Filesize

        68KB

        MD5

        146d61ae38dd1f4d11c988642eb0b784

        SHA1

        c135e2f99ec95da4081b0cd4b8e1083bc692d575

        SHA256

        a4d5c760b3fcde931f52b967f08aeefe6c057bd9fb04bb959b477e8f6f5d41e2

        SHA512

        3815ead842ca6e3c187439de60ff7a0649d9a56af2faca6a159d5d1dc3cddd856f2cafef9105948977a95b48a5290846878a15281299875e3dd407a857171bd6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
        Filesize

        498B

        MD5

        90be2701c8112bebc6bd58a7de19846e

        SHA1

        a95be407036982392e2e684fb9ff6602ecad6f1e

        SHA256

        644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

        SHA512

        d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
        Filesize

        9KB

        MD5

        7050d5ae8acfbe560fa11073fef8185d

        SHA1

        5bc38e77ff06785fe0aec5a345c4ccd15752560e

        SHA256

        cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

        SHA512

        a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
        Filesize

        1KB

        MD5

        73ee53e527d846ab687ca80c1f0c4c6b

        SHA1

        edae173495d9eb5ece5f95b1459694948f052332

        SHA256

        0d12d4e6caa966cc1b746e51dcb7f73b7ebdc487c2c7da9744bd35510749c417

        SHA512

        255dee542be11d4113da796667b3adf782b4d075744a7562eb90414396078215d667f257e8ce3a56e0dbb229f70ae1046818b176f7439c6a6208468fa790e6a3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
        Filesize

        1KB

        MD5

        2efe0ac15189261479679bb6bedea4ac

        SHA1

        f0092d2d10e2aea34b363c34d29a07ccff43ff1c

        SHA256

        a08fbd877277f15108219d43e8a33eea90751c4465abb11a35c8593137da8fff

        SHA512

        914d8b5065069066aaf006bca06513938e11ad44a07df9f98999f8a8288da1e9e61d8b2d257d544951ca02a2b5afb992cbf803deb3bbe4fbe6318f2cad59f7ce

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
        Filesize

        3KB

        MD5

        35bcdeb82a3f12a0dd1f4f90039402ec

        SHA1

        18133f2456c3969ecb7db30b62de6c8341d5825a

        SHA256

        0d6717c94ddbe4ba22e3311d8019f2ffbbde784d64b906cd7fa3aa052441ae5f

        SHA512

        6d39c8fa9e50cd751f2173cc1654cecd8eae73628d868f30ad64b9f3fe2c4719e451851f00fa04529af6ca2dcd69ffe15973737f4df3d7ea518004ec1119a1c5

        Download Submit

      • memory/3108-5-0x0000000000400000-0x0000000000512000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3108-3-0x0000000003A30000-0x0000000003A84000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3108-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3108-2-0x0000000003A30000-0x0000000003A84000-memory.dmp

        Filesize

        336KB

        Download

      • memory/3108-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3884-63-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-74-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-44-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-46-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-48-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-47-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-51-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-50-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-49-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-52-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-57-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-56-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-55-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-54-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-53-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-58-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-59-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-60-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-61-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-62-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-43-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-64-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-42-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-67-0x00000000081E0000-0x00000000081F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-68-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-70-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-71-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-72-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-73-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-45-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-76-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-75-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-79-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-78-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-77-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-81-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-83-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-85-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-87-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-88-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-86-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-90-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-91-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-92-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-93-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-96-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-95-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-94-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-97-0x00000000081E0000-0x00000000081F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-98-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-99-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-100-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-101-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-102-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-103-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-104-0x0000000008400000-0x0000000008410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-40-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3884-39-0x00000000081E0000-0x00000000081F0000-memory.dmp

        Filesize

        64KB

        Download