Overview

overview

10

Static

static

3

Bootstrapper.exe

windows7-x64

3

Bootstrapper.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bootstrapper.exe

  • Size

    2.2MB

  • MD5

    8ad45fd72a78fb731a2ba19df0149cae

  • SHA1

    a0614e43edaa61ee50f750c95e5a9361ee76fc3d

  • SHA256

    5612aad58f43e1beb974deda0f1f678e1a4b5f74dbb07a94db5b9558f2814426

  • SHA512

    f94c257a90526a86fb93f0d2fbae87fa4326a3c35aac62c0cc46ee2b2b5f94faefd8d6535594e2d0e317b4c3e4ee468bf3b2b0876ee59440f7a2270d45adacea

  • SSDEEP

    49152:XH4x4BZeJlzHKRiqhT2WqNUiF4rc1XbDc:Ix4BZeJlzHK

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://uprootquincju.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4792
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3256
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4764

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3256-10-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-16-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-17-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-18-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-19-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-20-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-21-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-22-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-11-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3256-12-0x0000020C9E9F0000-0x0000020C9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-28-0x0000000003710000-0x0000000003808000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4764-29-0x00000000018F0000-0x0000000001948000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4764-38-0x0000000000390000-0x00000000005C2000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4764-36-0x0000000000390000-0x00000000005C2000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4764-30-0x00000000018F0000-0x0000000001948000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4764-31-0x00000000018F0000-0x0000000001948000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4764-32-0x00000000018F0000-0x0000000001948000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4764-34-0x0000000003710000-0x0000000003808000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4764-33-0x00000000018F0000-0x0000000001948000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4792-7-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4792-25-0x0000000000390000-0x00000000005C2000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4792-0-0x0000000002990000-0x0000000002A89000-memory.dmp

      Filesize

      996KB

      Download

    • memory/4792-1-0x0000000002D30000-0x0000000002E28000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4792-2-0x0000000002D30000-0x0000000002E28000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4792-3-0x0000000000390000-0x00000000005C2000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4792-9-0x0000000002D30000-0x0000000002E28000-memory.dmp

      Filesize

      992KB

      Download

    • memory/4792-6-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4792-5-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4792-4-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4792-8-0x0000000000C50000-0x0000000000CA8000-memory.dmp

      Filesize

      352KB

      Download