Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-01-2025 16:28
General
-
Target
New folder/Set-up.exe
-
Size
86KB
-
MD5
3bd79a1f6d2ea0fddea3f8914b2a6a0c
-
SHA1
3ea3f44f81b3501e652b448a7dc33a8ee739772e
-
SHA256
332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51
-
SHA512
7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67
-
SSDEEP
1536:EU5EG5XI/6POYy6SAi11XFDwYVyjThxXeZBHl+YMk8iVbNuissy:95EG5XI/SOOQyYVF9l+DkvVp6
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://wishbusher.click/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Executes dropped EXE 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\New folder\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\New folder\Set-up.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Context\XAWSOHPKKQMHBTRXQ\Caller.exeC:\Users\Admin\AppData\Roaming\Context\XAWSOHPKKQMHBTRXQ\Caller.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.2MB
MD51eb36a5e12d3e0317e5f113617c588df
SHA103fa2fb7d70a83caa8554eae5f06ca8615e16634
SHA2567d6889c7ea3f2961de5b493d676c05c17ea42aca7cd49c3be0c76a9f6ecc0634
SHA5127ac80413cc1f9e7ae67bf055e0ad593ea73011a2f37d3f612839f9ad11e38b057de35c4855b39067b857930f8397d44766f545f280da81d8b5680e3baeb49af1
-
Filesize
4.2MB
MD52018644aac84a2de8a767ec1da19993e
SHA14ec18507a02d88f49a089851e773c082327ffa42
SHA256d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828
SHA5124b171ce616756ace308b61d3d2cc43ced952ce4dc04360ab18499cc959cbf08dc5331610f7bb59c34fcdcb72694b455dc556757cba4cb1ed17b78503bcc26c48
-
Filesize
72KB
-
Filesize
352KB
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
2.0MB
-
Filesize
56KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
56KB
-
Filesize
5.7MB
-
Filesize
2.0MB
-
Filesize
5.7MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
15.9MB
-
Filesize
5.7MB
-
Filesize
15.9MB
-
Filesize
4KB