Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18-01-2025 18:11

General

  • Target

    SoftwareApp.exe

  • Size

    1.1MB

  • MD5

    79027a797eeeed90f0f914f229750eae

  • SHA1

    8e0576501a2a5b873754c6a7f0739bd79510164c

  • SHA256

    30338f9c85111cfde8e68398db0427f89a549427e0598384744f4a27d9d836d1

  • SHA512

    20d77e4c1dac67e5aeab3ec7c61bb5a5aecc10dd6f799ea99f9b8ac5ceb63b6a52d7f6d1089eb7c4c865cd081dc2ce4a2f886d56a159d1b8a41db9461b2c87e3

  • SSDEEP

    24576:ZXOMDyej0BM8I7oRCL7piz5nWXjeZW7nw5X319kSY07C7L:VPWe01RRGwn4jeZW7w13kSYZ

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://curved-goose.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe
    "C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Pf Pf.cmd && Pf.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5060
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4884
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1840
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 620516
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Bird + ..\Updated + ..\Inner + ..\Ba + ..\Sc + ..\Spring + ..\Publication I
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3932
      • C:\Users\Admin\AppData\Local\Temp\620516\Amendments.com
        Amendments.com I
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4788
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\620516\I

    Filesize

    466KB

    MD5

    ba169007ce0879be978ac73959fead79

    SHA1

    70360c5b73b51c2df523b4e8355ca30c25889c52

    SHA256

    3f6c265712e7aa53ea6fd14289093e4767f875df8a73c10bf34b1ff260114ad9

    SHA512

    11da7ef892a050a4f8b7172c841a89eef23a23e9e39e5d5afa309a066819449fb6d9d3caabb3eb265a5535e4df020c61e1989b7d14e1e30ae5f1f3a94bc7b14e

  • C:\Users\Admin\AppData\Local\Temp\Ba

    Filesize

    59KB

    MD5

    31ceab7961bf0b6c333fa8ebb28af3eb

    SHA1

    8e655c50d8b08979d1c3618b874e58047a7e2ed6

    SHA256

    df222d67dfff592caa344786d56f8bf2b5ba884b7564c942e37ca66965aa8354

    SHA512

    c6e7d1b1c3e5ad2cadb72eee195562286c41fb409c0f617a2cf4cbca9153a581282221686ed4019898c5c1a572c94cba29bf0bf009d0025a0b9ea70ccf09ee0a

  • C:\Users\Admin\AppData\Local\Temp\Bird

    Filesize

    73KB

    MD5

    c66e93c50b9fd3ff5702f63c1fe96c56

    SHA1

    6a2a5dbfb14fc56ee7abba45f4e968dd23de8056

    SHA256

    862007889c62ae90528de1b1b43b94500c6987250ff1649c145f637454ce1e81

    SHA512

    cbc39b2c74fe4ccfb3e8a800d9217ee579af1e984316a7049b17b1b7e5477420af0381272f8cab765ddfb91c6deac836872e1547780fd9e3ef4611f91a711086

  • C:\Users\Admin\AppData\Local\Temp\Inner

    Filesize

    80KB

    MD5

    2f8a50211b9db10b743d2006c3203b2c

    SHA1

    2e7442dd65844297132a554b92777594fdccb455

    SHA256

    fb57488d1940c03cc4b986653ae5841f50215268b0439d8858a34d26fbdd770b

    SHA512

    542f03a24bb48ef99a4ca9ffea4ad63a298bbba84e66f8c44866c19a2a8ae96e197e3f233d200fb2d9436450a6f99d7ff8adbb7e72b0c466d926e58c5bdb46b1

  • C:\Users\Admin\AppData\Local\Temp\Pf

    Filesize

    21KB

    MD5

    bf982ea83590e1e15117dbeb2aaab1b9

    SHA1

    2baa1e186ae742a87b43cb29c61dfd94ab42f792

    SHA256

    cf26eeeaa5df066c301c4f34509d187cbad2eeb594aa475c5aca3533bb1eb49a

    SHA512

    1cbacfeb492fac8c1050d0dda23b120069f2da359afd9d16f55fdc83e3291db9eff37000b69dd1effce840982e461154993f14433a2248f69a9c2ca74c3e3b0e

  • C:\Users\Admin\AppData\Local\Temp\Pointing

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\Publication

    Filesize

    14KB

    MD5

    f0a4aac3387813744b7265be1558b3c3

    SHA1

    a70462ab7fc1358cb1fd5cb59813e04a471e693d

    SHA256

    96800881a41c22f503e0ce7da8dfe2e7f03be16b48fc4ce64a77dbebc702aef6

    SHA512

    cf564fe1b46376c1057b907359639d67ed3744f702bf04ec950ed05741f7937bb085440a0e90f559a61afe09ffe2d56f001becf44f4c34e3a6a7176fbc8c3fbf

  • C:\Users\Admin\AppData\Local\Temp\Sc

    Filesize

    67KB

    MD5

    431416797d6b8071301b91118bdac1e8

    SHA1

    b048b520371e4268be95ca60e0012c97909aabe6

    SHA256

    627de6ea879484ae23b92da2746d397b1fde20e9192fe3d81f725e2f38bfa30c

    SHA512

    fb01a189fb8cf0483977e34e98dd768b69819b37c7d4ff3c810a68269ba21c1ece20e254b97f0862e7b78a2342144a712362ed859e45243a8f2a33745473eacd

  • C:\Users\Admin\AppData\Local\Temp\Spring

    Filesize

    81KB

    MD5

    98d4ffdc03883da2ba9d41ad4e210747

    SHA1

    af2574f7cd2fc830e032819cab163d3afe0e166d

    SHA256

    5a7e7f49dfcedf551a76074b5a17c4a42c195434144391bf1fd5c222443674c1

    SHA512

    bbe8c0808c9da1025587f899061c06bfab858448e48c8328b1dc551fae92dccfa8a56fcd7800ef34358c2eb538d247bf0cbf73edeb2343560e9a906f7ce4ca19

  • C:\Users\Admin\AppData\Local\Temp\Updated

    Filesize

    92KB

    MD5

    ed7f4ff5aa27bc1f1f2c40775d06c8c2

    SHA1

    00e4e8da18c99e09d785c7a5df448f9b5c86b1b4

    SHA256

    eb988e5bf0b2577a74f7fa0ce801f3dfbde3bc7314e73b9972016d4e07789c95

    SHA512

    d611e0b4b62181852cb0d81a7043a14abfd158ecac616ca726c3819b7f33a394cf6064722b0adde96b7540509abcdfdeafb45a5f5b850ceef73810560acd00ca

  • memory/4788-497-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB

  • memory/4788-499-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB

  • memory/4788-498-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB

  • memory/4788-500-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB

  • memory/4788-502-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB

  • memory/4788-501-0x00000000009C0000-0x0000000000A1B000-memory.dmp

    Filesize

    364KB