Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-01-2025 11:14

General

  • Target

    c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe

  • Size

    10.5MB

  • MD5

    c15b5a4acadf4a59740b40cdb461a192

  • SHA1

    030122f597c9aaa95b1b849f0a2442bb0a2385bf

  • SHA256

    c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f

  • SHA512

    35eeed77c2c5b2650c10d4c0f36ea0cfb652c02f897b44bf7e5a3e7046f5ea9f9da7b613fd5caeaa2470e35e336110114701b149978cfba89cd9a83a42398c9d

  • SSDEEP

    196608:MzFsg6BXP4XAGFyxL/jBn1nG5lNniIbZg4TYc1vR31A4zur5MOjjDDTTVp2w/cre:MzFgWcbdebPH1AJp2w/HSk

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://dominatez.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma (also LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Loads dropped DLL 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe
    "C:\Users\Admin\AppData\Local\Temp\c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe
      "C:\Users\Admin\AppData\Local\Temp\c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4404
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngentask.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1712
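
The tree above is the process-hollowing pattern: the PyInstaller-packed sample (PID 4412) starts a copy of itself (PID 4404), that copy is flagged for SetThreadContext and WriteProcessMemory, and the Microsoft .NET binary ngentask.exe (PID 1712) appears as its child and is the process that later does all the network activity. The Python below is an added example, not part of the sandbox report, that rebuilds such a tree from constructed event records mirroring these PIDs and flags the chain. The event layout and the rule "a child under C:\Windows started by a process that used the SetThreadContext + WriteProcessMemory pair is a hollowing target" are assumptions of the example. Note the caveat built into it: a PyInstaller one-file executable always re-launches its own image after unpacking to %TEMP%\_MEI<n> (the directory the dropped python39.dll and .pyd files below live in), so the self-spawn by itself is not the signal; the injected system binary is.

```python
"""Process-tree triage for the injection chain seen in this report.

Added example (not part of the sandbox report). The event records below are
constructed to mirror the process tree above: the PyInstaller-packed sample
(PID 4412) spawns a copy of itself (PID 4404), which then starts the Microsoft
.NET binary ngentask.exe (PID 1712) and is flagged for SetThreadContext and
WriteProcessMemory, the classic process-hollowing API pair.
"""
from __future__ import annotations

import ntpath
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c168dacd7da92cc12194e02becaf9b51aa43f835a450db1accb0c24eafaea10f.exe")

# Constructed events: one record per process; "apis" lists the suspicious
# calls the sandbox attributed to that process (as in the signatures above).
EVENTS = [
    {"pid": 4412, "ppid": 1000, "image": SAMPLE, "apis": {"WriteProcessMemory"}},
    {"pid": 4404, "ppid": 4412, "image": SAMPLE,
     "apis": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 1712, "ppid": 4404,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
     "apis": set()},
]

# Assumption: this API pair on a parent, with a system binary as child,
# is treated as a hollowing indicator.
HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}
SYSTEM_ROOT = ntpath.normcase("C:\\Windows\\")


def _index(events):
    """Index events by pid and build a parent -> children map."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def find_self_spawns(events):
    """Return (parent_pid, child_pid) pairs where a process launched its own image.

    PyInstaller one-file executables always do this (the bootloader unpacks to
    %TEMP%\\_MEI<n> and re-executes itself), so on its own this is weak evidence.
    """
    by_pid, _ = _index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and ntpath.normcase(parent["image"]) == ntpath.normcase(e["image"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


def find_hollowing_candidates(events):
    """Return children of any process that used the SetThreadContext +
    WriteProcessMemory pair, when the child's image lives under C:\\Windows.

    A signed Microsoft image started by a Temp-directory executable and then
    written to is the hollowing signature worth alerting on.
    """
    _, children = _index(events)
    hits = []
    for e in events:
        if not HOLLOWING_APIS <= e["apis"]:
            continue
        for child in children[e["pid"]]:
            if ntpath.normcase(child["image"]).startswith(SYSTEM_ROOT):
                hits.append({"injector": e["pid"], "target": child["pid"],
                             "target_image": ntpath.basename(child["image"])})
    return hits


if __name__ == "__main__":
    print("self-spawn pairs:", find_self_spawns(EVENTS))
    print("hollowing candidates:", find_hollowing_candidates(EVENTS))
```

Run stand-alone it reports the single self-spawn (4412 -> 4404) and one hollowing candidate (4404 writing into ngentask.exe, PID 1712); the first is expected for any PyInstaller bundle, the second is what makes this tree malicious.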

Network

  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    120.250.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    120.250.22.2.in-addr.arpa
    IN PTR
    Response
    120.250.22.2.in-addr.arpa
    IN PTR
    a2-22-250-120.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    dominatez.cyou
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    dominatez.cyou
    IN A
    Response
  • flag-us
    DNS
    seallysl.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    seallysl.site
    IN A
    Response
  • flag-us
    DNS
    opposezmny.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    opposezmny.site
    IN A
    Response
  • flag-us
    DNS
    goalyfeastz.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    goalyfeastz.site
    IN A
    Response
  • flag-us
    DNS
    contemteny.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    contemteny.site
    IN A
    Response
  • flag-us
    DNS
    dilemmadu.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    dilemmadu.site
    IN A
    Response
  • flag-us
    DNS
    faulteyotk.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    faulteyotk.site
    IN A
    Response
  • flag-us
    DNS
    authorisev.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    authorisev.site
    IN A
    Response
  • flag-us
    DNS
    servicedny.site
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    servicedny.site
    IN A
    Response
  • flag-us
    DNS
    steamcommunity.com
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.143.155
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    ngentask.exe
    Remote address:
    23.214.143.155:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Sat, 18 Jan 2025 11:14:16 GMT
    Content-Length: 35603
    Connection: keep-alive
    Set-Cookie: sessionid=b3639ffd747412613856e474; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    nikolay-romanov.su
    ngentask.exe
    Remote address:
    8.8.8.8:53
    Request
    nikolay-romanov.su
    IN A
    Response
  • flag-us
    DNS
    155.143.214.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.143.214.23.in-addr.arpa
    IN PTR
    Response
    155.143.214.23.in-addr.arpa
    IN PTR
    a23-214-143-155.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 23.214.143.155:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    ngentask.exe
    1.6kB
    43.2kB
    22
    37

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    120.250.22.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    120.250.22.2.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    dominatez.cyou
    dns
    ngentask.exe
    60 B
    125 B
    1
    1

    DNS Request

    dominatez.cyou

  • 8.8.8.8:53
    seallysl.site
    dns
    ngentask.exe
    59 B
    124 B
    1
    1

    DNS Request

    seallysl.site

  • 8.8.8.8:53
    opposezmny.site
    dns
    ngentask.exe
    61 B
    126 B
    1
    1

    DNS Request

    opposezmny.site

  • 8.8.8.8:53
    goalyfeastz.site
    dns
    ngentask.exe
    62 B
    127 B
    1
    1

    DNS Request

    goalyfeastz.site

  • 8.8.8.8:53
    contemteny.site
    dns
    ngentask.exe
    61 B
    126 B
    1
    1

    DNS Request

    contemteny.site

  • 8.8.8.8:53
    dilemmadu.site
    dns
    ngentask.exe
    60 B
    125 B
    1
    1

    DNS Request

    dilemmadu.site

  • 8.8.8.8:53
    faulteyotk.site
    dns
    ngentask.exe
    61 B
    126 B
    1
    1

    DNS Request

    faulteyotk.site

  • 8.8.8.8:53
    authorisev.site
    dns
    ngentask.exe
    61 B
    126 B
    1
    1

    DNS Request

    authorisev.site

  • 8.8.8.8:53
    servicedny.site
    dns
    ngentask.exe
    61 B
    126 B
    1
    1

    DNS Request

    servicedny.site

  • 8.8.8.8:53
    steamcommunity.com
    dns
    ngentask.exe
    64 B
    80 B
    1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.214.143.155

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
    129 B
    1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    nikolay-romanov.su
    dns
    ngentask.exe
    64 B
    125 B
    1
    1

    DNS Request

    nikolay-romanov.su

  • 8.8.8.8:53
    155.143.214.23.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    155.143.214.23.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

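Putting the extracted config and the network records above to use: every one of the nine configured C2 hosts was queried by the hollowed ngentask.exe and none returned an A record, so a naive "did it resolve" check would miss them; the query itself is the evidence. The same process also resolved and fetched a steamcommunity.com profile page and queried nikolay-romanov.su, neither of which is in the extracted config. The Python below is an added example, not part of the report, that matches constructed log lines (mirroring the Network section) against the C2 host list and separately flags any non-PTR network activity by ngentask.exe. The log format, the list of images assumed to have no business on the network, and the treatment of an unanswered lookup as a hit are assumptions of the example; only the C2 URLs come from the extracted config.

```python
"""Match sandbox network records against the Lumma C2 list extracted above.

Added example, not part of the report. LOG is constructed to mirror the
Network section: ngentask.exe resolves every configured C2 host (all answered
empty during the run), resolves and fetches a steamcommunity.com profile,
and queries nikolay-romanov.su. Only C2_URLS comes from the extracted config.
"""
from urllib.parse import urlsplit

# Extracted Lumma config (C2 URLs) as listed in the report.
C2_URLS = [
    "https://servicedny.site/api",
    "https://authorisev.site/api",
    "https://faulteyotk.site/api",
    "https://dilemmadu.site/api",
    "https://contemteny.site/api",
    "https://goalyfeastz.site/api",
    "https://opposezmny.site/api",
    "https://seallysl.site/api",
    "https://dominatez.cyou/api",
]

# Assumption: images that should never talk to the network on a workstation.
NO_NETWORK_IMAGES = {"ngentask.exe"}

# Constructed log, one record per line:
#   <process> <DNS|HTTP> <name-or-url> <answer-or-status>
# "-" means the lookup returned no answer (as every C2 query did in this run);
# PTR lookups are not attributed to a process, hence "-" in the first column.
LOG = """\
ngentask.exe DNS dominatez.cyou -
ngentask.exe DNS seallysl.site -
ngentask.exe DNS opposezmny.site -
ngentask.exe DNS goalyfeastz.site -
ngentask.exe DNS contemteny.site -
ngentask.exe DNS dilemmadu.site -
ngentask.exe DNS faulteyotk.site -
ngentask.exe DNS authorisev.site -
ngentask.exe DNS servicedny.site -
ngentask.exe DNS steamcommunity.com 23.214.143.155
ngentask.exe HTTP https://steamcommunity.com/profiles/76561199724331900 200
ngentask.exe DNS nikolay-romanov.su -
- DNS 155.143.214.23.in-addr.arpa a23-214-143-155.deploy.static.akamaitechnologies.com
"""


def c2_hosts(urls):
    """Reduce the configured C2 URLs to a set of lowercase hostnames."""
    return {urlsplit(u).hostname.lower() for u in urls}


def parse_log(text):
    """Parse the four-column constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        process, kind, name, answer = line.split(maxsplit=3)
        events.append({"process": process.lower(), "kind": kind,
                       "name": name, "answer": answer})
    return events


def triage(events, c2):
    """Return (label, host, process, answered) findings.

    "c2-contact": the name matches a configured C2 host, answered or not; an
    unanswered query still proves the implant ran and tried to reach it.
    "unexpected-network-process": any non-PTR lookup or request by an image
    that has no business on the network, which is how the hollowed
    ngentask.exe shows up even for hosts absent from the config.
    """
    findings = []
    for ev in events:
        host = urlsplit(ev["name"]).hostname if ev["kind"] == "HTTP" else ev["name"]
        host = host.lower()
        answered = ev["answer"] != "-"
        if host in c2:
            findings.append(("c2-contact", host, ev["process"], answered))
        elif ev["process"] in NO_NETWORK_IMAGES and not host.endswith(".in-addr.arpa"):
            findings.append(("unexpected-network-process", host, ev["process"], answered))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_log(LOG), c2_hosts(C2_URLS)):
        print(*finding)
```

On the constructed log this yields nine c2-contact findings, all unanswered, plus three unexpected-network-process findings (the Steam DNS lookup, the Steam profile GET, and nikolay-romanov.su). The second rule is what keeps coverage when the config changes: the C2 domains rotate, the fact that ngentask.exe is resolving external names does not.
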
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\VCRUNTIME140.dll

    Filesize

    74KB

    MD5

    31ce620cb32ac950d31e019e67efc638

    SHA1

    eaf02a203bc11d593a1adb74c246f7a613e8ef09

    SHA256

    1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf

    SHA512

    603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\_ctypes.pyd

    Filesize

    114KB

    MD5

    de2f88b18fabe8586c38074b6fb80873

    SHA1

    cf4b533ffeb9792b33516ec05d3375260ff32b98

    SHA256

    f5480114cf3118e561c4dc55cb733f9d06fae897875d91bb324263b4aedd31b9

    SHA512

    3d89ccc9f9d6bca35f2ce5dbdaff2fd571c3e4c89056aec4de97466aea49d5bd9c7de0a0d345f249f1a33b43597f9c3a1687da246f6c832434391638a10dcd04

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\_hashlib.pyd

    Filesize

    51KB

    MD5

    3ad5e39cbe6354bb1ce82e29d4b2c072

    SHA1

    c4a18ce9e803ca6a7e33f1bef422f5006df651ff

    SHA256

    eddeedd5fd8a1c49ecaab51ff5117d9fb1fed5637e8ca31f35698bc6d68ca39d

    SHA512

    a9ecab892469c79b50b7c1c79394bb96fcb10beab03114961be5c0c05622765c0f105856065988ed31a7d21911d91c7a5fcdf4a9d33ac35ab99ba5550e91a823

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\_socket.pyd

    Filesize

    70KB

    MD5

    6ba36034bc861f44e90f547c667da40a

    SHA1

    7fc6d70ac9c80e600b14760b47396369f1c3d9be

    SHA256

    5a3e41a8c91eb5d81ac9d4a7477461414d5431754ffb9d6ad49369238d25fdd4

    SHA512

    ad49ebe8b11592088ccfda6813de3629c1c0ef6663d56724b6db8f5b6b827b8cf28ef71dd7154c223f836059029cd25ff48e57edb3d9b665157716172443b59f

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\_uuid.pyd

    Filesize

    20KB

    MD5

    2c4dbaa2151c458c8eea5f37b2cfe673

    SHA1

    72aeb5de5e25e67f8f798aed198718b9c4a5cd97

    SHA256

    99dd17fe2d43ed007b301aa5ce80364f2c7d9bbd033e4ce0166defb23140db38

    SHA512

    399491b8d9736732e404640216c8ece073795f9966ae6d2acfd6d64b7c6b35ab63c03287751c0ab46593b072c778e1d4051d667ba693adbafe0a15ae6e6019aa

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\base_library.zip

    Filesize

    781KB

    MD5

    a6277edd815f1d33215c41309aa0a3b4

    SHA1

    0522d880992f2bb46571e27610410a9d99b69984

    SHA256

    a6e24deab93ca92bb3118081e10987fb7078b0d249e38911bd0c429563941317

    SHA512

    ae83607b951996cc61bfc07aa6946bc8e6b409bc504aa92355c762420ece2d69c2e11bb6c88d4ce81c8d0136ac82e1e04157ed02cdca5b7d945d939d36c4ae39

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\libcrypto-1_1.dll

    Filesize

    2.2MB

    MD5

    31c2130f39942ac41f99c77273969cd7

    SHA1

    540edcfcfa75d0769c94877b451f5d0133b1826c

    SHA256

    dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad

    SHA512

    cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\libffi-7.dll

    Filesize

    28KB

    MD5

    bc20614744ebf4c2b8acd28d1fe54174

    SHA1

    665c0acc404e13a69800fae94efd69a41bdda901

    SHA256

    0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

    SHA512

    0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\python39.dll

    Filesize

    4.3MB

    MD5

    5bafe23107e6df19de8f7ac9068ed26e

    SHA1

    d2a88beaf959bd5331948b03330c98fe8fa85c7c

    SHA256

    c1e5a847ae6aa9d9f42b482c7a20dcdc9dfe225f7186b0b01924225aa4e5e581

    SHA512

    1c2372debc0e2e53ea281798f15243294430e4e7e4d3b82e4ab998a1b7c77cad68d50e196e37c6ff7ba83b08a12286af5d2797bfa707af5dad180862cce7efc7

  • C:\Users\Admin\AppData\Local\Temp\_MEI44122\select.pyd

    Filesize

    24KB

    MD5

    e03b622acba9d02dc5a10364824ede8c

    SHA1

    40db1a1a0d81c5d165d043502b1205b22bc238a4

    SHA256

    de914028bfddf19ef7279f04c92ef118c59b1ba8b5e27c76a7932e086bbc7978

    SHA512

    02abe8c060a2e046e92db4fdf5efdeaf6a870703ad313d14d3e8a3a308cca032c1d7b7ac40b0c346c0d8bf3193c42dfc69bf50450c9545d6bb6704fc0f5d3d5b

  • memory/1712-40-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1712-42-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1712-43-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB

  • memory/1712-55-0x0000000000400000-0x000000000045C000-memory.dmp

    Filesize

    368KB
