Analysis

  • max time kernel
    26s
  • max time network
    28s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2025 03:10

General

  • Target

    Release.zip

  • Size

    30.0MB

  • MD5

    7b352f4b215d9505e5e1a898990c8658

  • SHA1

    a4cfc444f659a21582c144c4a99eeda75d1e343b

  • SHA256

    d7fc6e32096855a5f4d545f6359b1e0ce5b8ff3173c83ff1407423b0c6025bb0

  • SHA512

    e859cd4130537d0035f1a2b6265bfe91ec36355216f5851f81c0b6ec266a2dcb8bbc92879494e8b0b963f6bab830fc5ea98a9dbe717a3b38b5731d63948e0aad

  • SSDEEP

    786432:FnTe0UOYgy+hEJpfbIHJ0VJi209uBZOLHEk:FTi8y+hapjQ0VJLBZEEk

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://feerdaiks.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\7zO4D92B927\NewIn [v1.1.0].exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4D92B927\NewIn [v1.1.0].exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO4D92B927\NewIn [v1.1.0].exe

    Filesize

    6.9MB

    MD5

    b754082694884f8c6e0ff60a37e27d5a

    SHA1

    fbcd2bc7a6b6aeff9a85da5d61e4484b61f4a728

    SHA256

    97246e97f763676c0f5df4b2f9fc2d087067b8a6e497a7a9c29120efde9c1e34

    SHA512

    401ea4ba67457bad1f3b5b69c4a84301476ad1e8e0abdf1d78f8fd0c49e00392efc79d9c59820eb48a42ff6af97edb46fc37b4dc39535447a5bb2f607990f349

  • memory/2588-12-0x00000000007A0000-0x00000000007F8000-memory.dmp

    Filesize

    352KB

  • memory/2588-14-0x00000000007A0000-0x00000000007F8000-memory.dmp

    Filesize

    352KB