Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-01-2025 14:08
General
-
Target
𝐒𝐞𝐭𝐮𝐩.exe
-
Size
11.7MB
-
MD5
738e599d9b27830cb7920e3cfdeabd43
-
SHA1
a6f7881df9c273d8e4444fb3d242c0a8b3b00965
-
SHA256
ffcba56c943bd2e56ccc64c5c7b2b8d30d6068ef97a2c7245b54a3281bd75d48
-
SHA512
60d5fd6f36a1ad60c49401425f89e36b87db5afcd968931eb4bf19bd5d6216564282ffb6ee9dd1315d09ef7fb953748f3b0949090c31dae1daf1a140bcdffd23
-
SSDEEP
196608:oZdc01IU22ea1ulaUHXrVua+k/P5GEVbkagWQyz0WHu+ZQINV45Wpy:UT/mHaUBzdP5/kagWSWLd4
Score
10/10
Malware Config
Extracted
Family
lumma
C2
https://rapeflowwj.lat/api
https://crosshuaht.lat/api
https://sustainskelet.lat/api
https://aspecteirs.lat/api
https://energyaffai.lat/api
https://necklacebudi.lat/api
https://discokeyus.lat/api
https://grannyejh.lat/api
https://recessiowirs.click/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Enumerates processes with tasklist 1 TTPs 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe"C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IPCHA.tmp\𝐒𝐞𝐭𝐮𝐩.tmp"C:\Users\Admin\AppData\Local\Temp\is-IPCHA.tmp\𝐒𝐞𝐭𝐮𝐩.tmp" /SL5="$E004A,11804158,244224,C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe"C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe" /VERYSILENT3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OS0G7.tmp\𝐒𝐞𝐭𝐮𝐩.tmp"C:\Users\Admin\AppData\Local\Temp\is-OS0G7.tmp\𝐒𝐞𝐭𝐮𝐩.tmp" /SL5="$B0044,11804158,244224,C:\Users\Admin\AppData\Local\Temp\𝐒𝐞𝐭𝐮𝐩.exe" /VERYSILENT4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "wrsa.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "opssvc.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "avastui.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "avgui.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "nswscsvc.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I "sophoshealth.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-1HQH3.tmp\PacketTrap.exe"C:\Users\Admin\AppData\Local\Temp\is-1HQH3.tmp\PacketTrap.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5fcc59fa8d3bcb703650668ffdc1cb675
SHA16ef70bd8b8fd3b7306e2a4b7d8fb8a74f9e3a605
SHA2569bb88ac378511a2e2953304a40077d3ccd22446d65f3dcdf79cee8cd998ba88f
SHA5129b700fa1213970e89cd8ea541e234b1ad02b295ae4384e28e7cfad09567c2df1bfa9ccdf9e518ebd3103b3c778777bb4ea9e2ce81774ee807351d13ddc1094bb
-
Filesize
68KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
332KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB
-
Filesize
280KB