Analysis

  • max time kernel
    94s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-01-2025 17:17

General

  • Target

    random.exe

  • Size

    358KB

  • MD5

    92bf5eeea4fc551ed2d5090a3061704d

  • SHA1

    e3d11cce21d1ecb7457f583539f5e92a54271bad

  • SHA256

    84b2ae5fc55b2394ffc16022d5dce9b11fb232f14ccedf0cde7b6af44d0c5bc9

  • SHA512

    47b156c503ebe5844bf712b431733f45f9e27797bb929f00293536d8c152a005638aade8a8cf386ca7fcdc1177755ca36aa46754d189daecd093009ad2a9dea6

  • SSDEEP

    6144:TyJN9fUcPi6NViFY1mIHYH2bOVOWX74DscbbQHzm5ZO0zg8lMSKkbgbTjXx7x:2JN9JPi6a4mIG2yVlLKPb+zm5ZzOSL23

Score
10/10

Malware Config

Extracted

  • Family: lumma
  • C2: https://wordemnyauop.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma (also written LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\random.exe (PID 4532)
    "C:\Users\Admin\AppData\Local\Temp\random.exe"
    Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\random.exe (PID 3948, child of 4532)
      "C:\Users\Admin\AppData\Local\Temp\random.exe"
      Signatures: System Location Discovery: System Language Discovery
    • C:\Windows\SysWOW64\WerFault.exe (PID 4016, child of 4532)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 800
      Signatures: Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 4724)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4532 -ip 4532
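The process tree above has the shape of process hollowing (ATT&CK T1055.012): the parent random.exe (4532) starts a second copy of its own image (3948), is flagged for WriteProcessMemory and SetThreadContext, and then crashes (WerFault -p 4532). The memory dumps in the Downloads section support the same reading: the only region dumped from the child is a 340KB image at 0x400000, the default 32-bit ImageBase, while the parent's own module sits at the ASLR-randomised 0xCB0000. The script below is an added example, not part of the report or of the sandbox's tooling; it encodes that check over records constructed from the report. The report only counts the API calls for 4532, so the assumption that they targeted PID 3948, together with every field name and the default-base heuristic, belongs to this example.

```python
"""Process-hollowing check over the report's process tree and memory dumps.

Added example; not part of the sandbox report or its tooling. PROCS, CALLS
and REGIONS are constructed from the report. The report only counts the
API calls for PID 4532, so target_pid=3948 is an assumption, as are all
field names and the default-base heuristic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str


@dataclass(frozen=True)
class ApiCall:
    pid: int                   # calling process
    api: str
    target_pid: Optional[int]  # process the call operated on (assumed here)


@dataclass(frozen=True)
class MemRegion:
    pid: int
    start: int
    end: int


# Preferred ImageBase of most 32-bit PE files. A payload written into a
# hollowed process is typically mapped here, while the host EXE itself
# sits at an ASLR-randomised base (0xCB0000 for PID 4532 in the report).
DEFAULT_IMAGE_BASE = 0x400000
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}

RANDOM_EXE = r"C:\Users\Admin\AppData\Local\Temp\random.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report's process tree (WerFault rows included so the
# check is seen to ignore them).
PROCS: List[Proc] = [
    Proc(4532, None, RANDOM_EXE),
    Proc(3948, 4532, RANDOM_EXE),
    Proc(4016, 4532, WERFAULT),   # WerFault.exe -u -p 4532 -s 800
    Proc(4724, None, WERFAULT),   # WerFault.exe -pss -s 404 -p 4532 -ip 4532
]

# Constructed: 9 WriteProcessMemory + 1 SetThreadContext IoCs on PID 4532.
CALLS: List[ApiCall] = (
    [ApiCall(4532, "WriteProcessMemory", 3948) for _ in range(9)]
    + [ApiCall(4532, "SetThreadContext", 3948)]
)

# From the report's memory dumps (start/end of each dumped region).
REGIONS: List[MemRegion] = [
    MemRegion(3948, 0x00400000, 0x00455000),
    MemRegion(4532, 0x7530E000, 0x7530F000),
    MemRegion(4532, 0x00CB0000, 0x00D12000),
    MemRegion(4532, 0x05BA0000, 0x06144000),
    MemRegion(4532, 0x75300000, 0x75AB0000),
]


def find_hollowing(procs: List[Proc], calls: List[ApiCall],
                   regions: List[MemRegion]) -> List[dict]:
    """One finding per (parent, child) pair where the child runs the parent's
    own image, the parent both wrote into the child and reset a thread
    context in it, and a dumped region of the child starts at the default
    image base. Mapped to ATT&CK T1055.012 (Process Hollowing)."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for child in procs:
        if child.ppid is None:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or parent.image.lower() != child.image.lower():
            continue
        apis = {c.api for c in calls
                if c.pid == parent.pid and c.target_pid == child.pid}
        if not HOLLOWING_APIS <= apis:
            continue
        payload = [r for r in regions
                   if r.pid == child.pid and r.start == DEFAULT_IMAGE_BASE]
        findings.append({
            "technique": "T1055.012",
            "parent_pid": parent.pid,
            "child_pid": child.pid,
            "apis": sorted(apis),
            "payload_at_default_base": bool(payload),
            "payload_size_kb": (payload[0].end - payload[0].start) // 1024 if payload else 0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(PROCS, CALLS, REGIONS):
        print(finding)
```

The same-image requirement is deliberate: a loader that hollows a different, legitimate binary (for example a copy of a system EXE) would need the image check relaxed to "parent created the child suspended", which this report does not record. The 0x400000 region of PID 3948 (0x55000 bytes, the 340KB the report shows) is the artifact to pull for static analysis, since it is the unpacked payload rather than the on-disk loader.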

    Network

    • DNS (remote 8.8.8.8:53, US)
      Request: 8.8.8.8.in-addr.arpa IN PTR
      Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
    • DNS (remote 8.8.8.8:53, US)
      Request: 217.106.137.52.in-addr.arpa IN PTR
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: wordemnyauop.shop IN A
      Response: wordemnyauop.shop IN A 104.21.80.1, 104.21.32.1, 104.21.48.1, 104.21.112.1, 104.21.96.1, 104.21.16.1, 104.21.64.1
    • POST https://wordemnyauop.shop/api, random.exe (remote 104.21.80.1:443, US)
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: wordemnyauop.shop
      Response
      HTTP/1.1 200 OK
      Date: Sat, 18 Jan 2025 17:17:09 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=dnoqeslo0tmr8pn5m1b57msnjq; expires=Wed, 14 May 2025 11:03:48 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GpOpoP%2BtlceSFOIEgcKvna9x89gTilSwLdmjbvy2VGaoGNJiXyRcbhT0UFLRZJ%2BcbCbSgwcKCImi4AXRP%2BQy98RP4s%2B6e28FJZRFj1i%2BFP%2FGsb0D0F3bDuqiDaBXKEtTcH9ySg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 90403ca80dd193f7-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=31064&min_rtt=26451&rtt_var=12387&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3302&recv_bytes=607&delivery_rate=131956&cwnd=252&unsent_bytes=0&cid=6b60de45604ea46b&ts=284&x=0"
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: strivehelpeu.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: crookedfoshe.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: immolatechallen.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: stripedre-lot.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: growthselec.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: jarry-deatile.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: pain-temper.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: jarry-fixxer.bond IN A
      Response: no answer records
    • DNS, random.exe (remote 8.8.8.8:53, US)
      Request: steamcommunity.com IN A
      Response: steamcommunity.com IN A 104.124.170.33
    • DNS (remote 8.8.8.8:53, US)
      Request: 73.144.22.2.in-addr.arpa IN PTR
      Response: 73.144.22.2.in-addr.arpa IN PTR a2-22-144-73.deploy.static.akamaitechnologies.com
    • DNS (remote 8.8.8.8:53, US)
      Request: 1.80.21.104.in-addr.arpa IN PTR
      Response: no answer records
    • GET https://steamcommunity.com/profiles/76561199724331900, random.exe (remote 104.124.170.33:443, GB)
      Request
      GET /profiles/76561199724331900 HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Host: steamcommunity.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
      Expires: Mon, 26 Jul 1997 05:00:00 GMT
      Cache-Control: no-cache
      Date: Sat, 18 Jan 2025 17:17:10 GMT
      Content-Length: 25984
      Connection: keep-alive
      Set-Cookie: sessionid=fd087003652d22e92a6dcc9a; Path=/; Secure; SameSite=None
      Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
    • DNS (remote 8.8.8.8:53, US)
      Request: 33.170.124.104.in-addr.arpa IN PTR
      Response: 33.170.124.104.in-addr.arpa IN PTR a104-124-170-33.deploy.static.akamaitechnologies.com
    • DNS (remote 8.8.8.8:53, US)
      Request: 167.173.78.104.in-addr.arpa IN PTR
      Response: 167.173.78.104.in-addr.arpa IN PTR a104-78-173-167.deploy.static.akamaitechnologies.com
    • DNS (remote 8.8.8.8:53, US)
      Request: 209.205.72.20.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 196.249.167.52.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 228.249.119.40.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 197.87.175.4.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 241.42.69.40.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 86.49.80.91.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 172.214.232.199.in-addr.arpa IN PTR
      Response: no answer records
    • DNS (remote 8.8.8.8:53, US)
      Request: 13.227.111.52.in-addr.arpa IN PTR
      Response: no answer records
    Remote               Name / URL                                              Proto      Process     Tx      Rx      Pkts Tx/Rx  Result
    104.21.80.1:443      https://wordemnyauop.shop/api                           tls, http  random.exe  1.0kB   4.9kB   9/9         POST /api: 200
    104.124.170.33:443   https://steamcommunity.com/profiles/76561199724331900   tls, http  random.exe  1.3kB   33.2kB  17/29       GET /profiles/76561199724331900: 200
    8.8.8.8:53           8.8.8.8.in-addr.arpa                                    dns        -           66 B    90 B    1/1
    8.8.8.8:53           217.106.137.52.in-addr.arpa                             dns        -           73 B    147 B   1/1
    8.8.8.8:53           wordemnyauop.shop                                       dns        random.exe  63 B    175 B   1/1         A: 104.21.80.1, 104.21.32.1, 104.21.48.1, 104.21.112.1, 104.21.96.1, 104.21.16.1, 104.21.64.1
    8.8.8.8:53           strivehelpeu.bond                                       dns        random.exe  63 B    128 B   1/1
    8.8.8.8:53           crookedfoshe.bond                                       dns        random.exe  63 B    128 B   1/1
    8.8.8.8:53           immolatechallen.bond                                    dns        random.exe  66 B    131 B   1/1
    8.8.8.8:53           stripedre-lot.bond                                      dns        random.exe  64 B    129 B   1/1
    8.8.8.8:53           growthselec.bond                                        dns        random.exe  62 B    127 B   1/1
    8.8.8.8:53           jarry-deatile.bond                                      dns        random.exe  64 B    129 B   1/1
    8.8.8.8:53           pain-temper.bond                                        dns        random.exe  62 B    127 B   1/1
    8.8.8.8:53           jarry-fixxer.bond                                       dns        random.exe  63 B    128 B   1/1
    8.8.8.8:53           steamcommunity.com                                      dns        random.exe  64 B    80 B    1/1         A: 104.124.170.33
    8.8.8.8:53           73.144.22.2.in-addr.arpa                                dns        -           70 B    133 B   1/1
    8.8.8.8:53           1.80.21.104.in-addr.arpa                                dns        -           70 B    132 B   1/1
    8.8.8.8:53           33.170.124.104.in-addr.arpa                             dns        -           73 B    139 B   1/1
    8.8.8.8:53           167.173.78.104.in-addr.arpa                             dns        -           73 B    139 B   1/1
    8.8.8.8:53           209.205.72.20.in-addr.arpa                              dns        -           72 B    158 B   1/1
    8.8.8.8:53           196.249.167.52.in-addr.arpa                             dns        -           73 B    147 B   1/1
    8.8.8.8:53           228.249.119.40.in-addr.arpa                             dns        -           73 B    159 B   1/1
    8.8.8.8:53           197.87.175.4.in-addr.arpa                               dns        -           71 B    157 B   1/1
    8.8.8.8:53           241.42.69.40.in-addr.arpa                               dns        -           71 B    145 B   1/1
    8.8.8.8:53           86.49.80.91.in-addr.arpa                                dns        -           70 B    145 B   1/1
    8.8.8.8:53           172.214.232.199.in-addr.arpa                            dns        -           74 B    128 B   1/1
    8.8.8.8:53           13.227.111.52.in-addr.arpa                              dns        -           72 B    158 B   1/1

    Tx is traffic sent by the analysis VM, Rx is traffic received; "-" in the Process column means the flow was not attributed to a sample process.
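Read as a whole, the network section shows random.exe resolving wordemnyauop.shop (Cloudflare-fronted, per the Server and CF-RAY response headers) and sending an 8-byte form-encoded POST to /api under a Chrome user agent, then querying eight .bond domains that never resolve, then fetching a Steam profile page. The unanswered .bond names read as the sample's fallback C2 list, and the Steam profile fetch matches the dead-drop-resolver behaviour documented for Lumma; the report shows neither the POST body nor what was done with the Steam page, so both are inferences. The PTR look-ups with no process attribution are sandbox/OS background, not sample IOCs. The script below is an added example, not part of the report or of the sandbox's tooling: it runs three such heuristics over records constructed from this section. The record layout, thresholds and browser allow-list are assumptions of the example, and the 8-byte rule flags the request because its size matches the act=life check-in that public Lumma analyses describe.

```python
"""Heuristics over the report's network section for Lumma-style C2 traffic.

Added example; not part of the sandbox report or its tooling. EVENTS is
constructed from the report's network entries. The record layout, the
thresholds and the browser allow-list are assumptions of this example, and
the 8-byte check-in rule encodes an inference (the act=life first request
described in public Lumma analyses), since the report omits the POST body.
"""
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlparse

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allow-list
C2_FALLBACKS = ["strivehelpeu.bond", "crookedfoshe.bond", "immolatechallen.bond",
                "stripedre-lot.bond", "growthselec.bond", "jarry-deatile.bond",
                "pain-temper.bond", "jarry-fixxer.bond"]


def dns(proc: Optional[str], name: str, answers=()) -> dict:
    return {"kind": "dns", "proc": proc, "name": name, "answers": list(answers)}


def http(proc: str, method: str, url: str, headers: Dict[str, str], status: int) -> dict:
    return {"kind": "http", "proc": proc, "method": method, "url": url,
            "headers": headers, "status": status}


# Constructed from the report's network section, in the order it lists them.
EVENTS: List[dict] = (
    [dns(None, "8.8.8.8.in-addr.arpa", ["dns.google"]),  # no process: background
     dns("random.exe", "wordemnyauop.shop",
         ["104.21.80.1", "104.21.32.1", "104.21.48.1", "104.21.112.1",
          "104.21.96.1", "104.21.16.1", "104.21.64.1"]),
     http("random.exe", "POST", "https://wordemnyauop.shop/api",
          {"Content-Type": "application/x-www-form-urlencoded",
           "Content-Length": "8", "User-Agent": CHROME_UA}, 200)]
    + [dns("random.exe", d) for d in C2_FALLBACKS]           # all unanswered
    + [dns("random.exe", "steamcommunity.com", ["104.124.170.33"]),
       http("random.exe", "GET",
            "https://steamcommunity.com/profiles/76561199724331900",
            {"User-Agent": CHROME_UA}, 200),
       dns(None, "33.170.124.104.in-addr.arpa",
           ["a104-124-170-33.deploy.static.akamaitechnologies.com"])]
)


def analyse(events: List[dict], min_unresolved: int = 3) -> List[dict]:
    findings = []
    # 1. Tiny form-encoded POST to /api with a browser UA from a non-browser.
    for e in events:
        if e["kind"] != "http" or e["method"] != "POST" or e["proc"] in BROWSERS:
            continue
        h = e["headers"]
        if (urlparse(e["url"]).path == "/api"
                and h.get("Content-Type", "").startswith("application/x-www-form-urlencoded")
                and h.get("Content-Length") == "8"
                and "Chrome/" in h.get("User-Agent", "")):
            findings.append({"rule": "lumma_checkin", "proc": e["proc"], "url": e["url"]})
    # 2. Several unanswered look-ups on one TLD from one process: the sample
    #    walking a hard-coded C2 list. Reverse look-ups are excluded.
    unresolved: Dict[tuple, List[str]] = defaultdict(list)
    for e in events:
        if (e["kind"] == "dns" and e["proc"] and not e["answers"]
                and not e["name"].endswith(".in-addr.arpa")):
            unresolved[(e["proc"], e["name"].rsplit(".", 1)[-1])].append(e["name"])
    for (proc, tld), names in unresolved.items():
        if len(names) >= min_unresolved:
            findings.append({"rule": "c2_list_walk", "proc": proc, "tld": tld, "domains": names})
    # 3. Steam profile page fetched by something other than a browser or Steam.
    for e in events:
        if (e["kind"] != "http" or e["method"] != "GET"
                or e["proc"] in (BROWSERS | {"steam.exe"})):
            continue
        u = urlparse(e["url"])
        if u.hostname == "steamcommunity.com" and u.path.startswith("/profiles/"):
            findings.append({"rule": "dead_drop_resolver", "proc": e["proc"], "url": e["url"]})
    return findings


def unattributed(events: List[dict]) -> List[str]:
    """Look-ups with no owning process: sandbox/OS background, not sample IOCs."""
    return [e["name"] for e in events if e["kind"] == "dns" and e["proc"] is None]


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f)
    print("background:", unattributed(EVENTS))
```

On live telemetry the first rule is only as good as its process context: the Chrome user agent is ordinary on its own, and the signal is that it comes from an executable in %TEMP% rather than from a browser. The TLD grouping in the second rule is a convenience for this report's .bond list; a sample whose fallback list spans several TLDs needs grouping by process alone.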

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/3948-4-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3948-6-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/3948-8-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
    • memory/4532-0-0x000000007530E000-0x000000007530F000-memory.dmp (4KB)
    • memory/4532-1-0x0000000000CB0000-0x0000000000D12000-memory.dmp (392KB)
    • memory/4532-2-0x0000000005BA0000-0x0000000006144000-memory.dmp (5.6MB)
    • memory/4532-7-0x0000000075300000-0x0000000075AB0000-memory.dmp (7.7MB)
