Analysis

  • max time kernel
    93s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2025, 06:17

General

  • Target

    0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe

  • Size

    639.7MB

  • MD5

    6ee335bab5d56ee573caa2c3daf659a6

  • SHA1

    bde5744100faa5ca58fbe49c894cf8815c928dec

  • SHA256

    0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577

  • SHA512

    bc03e8da6cda348e3c9c436c612c35382ec5dd49ba605f19e67950d865e688f79d192eeb6fa2e5b574d65954aa3b9d93f25b4542e26f211e728f81b6b0a3f177

  • SSDEEP

    98304:bnb95THK/RTSOvdhwpUPTzcAgqAk5Frd1/BpeAM:bx5THKhpvdhwc/cNBk3rdoAM

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma (also known as LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe
    "C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\is-UD0QS.tmp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UD0QS.tmp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.tmp" /SL5="$B0066,2550238,121344,C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe
        "C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe" /VERYSILENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Users\Admin\AppData\Local\Temp\is-1N9E3.tmp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-1N9E3.tmp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.tmp" /SL5="$F0052,2550238,121344,C:\Users\Admin\AppData\Local\Temp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.exe" /VERYSILENT
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4508
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2280
            • C:\Windows\SysWOW64\find.exe
              find /I "wrsa.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3360
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4932
            • C:\Windows\SysWOW64\find.exe
              find /I "opssvc.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1772
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4192
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1256
            • C:\Windows\SysWOW64\find.exe
              find /I "avastui.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5084
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4692
            • C:\Windows\SysWOW64\find.exe
              find /I "avgui.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1376
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4540
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4468
            • C:\Windows\SysWOW64\find.exe
              find /I "nswscsvc.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4952
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3448
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4516
            • C:\Windows\SysWOW64\find.exe
              find /I "sophoshealth.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2252
          • C:\Users\Admin\AppData\Local\Temp\is-DQQQU.tmp\RegAlyzer.exe
            "C:\Users\Admin\AppData\Local\Temp\is-DQQQU.tmp\RegAlyzer.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2688

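The six `cmd.exe /C tasklist ... | find` children of PID 4508 are a security-product presence check: the installer probes for wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe and sophoshealth.exe before dropping RegAlyzer.exe (the `is-*.tmp` directories and the `/SL5=` argument are characteristic of Inno Setup installers relaunching themselves, here with `/VERYSILENT`). The script below is an added detection example written for this page, not code from the sandbox or from the sample. It parses process-creation events in a constructed key=value format, recognises the tasklist-filter-plus-find one-liner, and raises an alert when one parent issues several such checks for known security processes; the vendor names in SECURITY_PROCESSES are the editor's attribution and the log lines are constructed from the process tree above.

```python
import re
from collections import defaultdict

# Process names the sample probed for (taken from the process tree above).
# Vendor attributions are the editor's assumption, not something the report states.
SECURITY_PROCESSES = {
    "wrsa.exe": "Webroot",
    "opssvc.exe": "Quick Heal",
    "avastui.exe": "Avast",
    "avgui.exe": "AVG",
    "nswscsvc.exe": "Norton",
    "sophoshealth.exe": "Sophos",
}

# The presence check as run via cmd.exe /C:
#   tasklist /FI "IMAGENAME eq X" /FO CSV /NH | find /I "X"
TASKLIST_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+([^"\s]+)"', re.IGNORECASE)
FIND_RE = re.compile(r'\|\s*find(?:str)?\s+/I\s+"([^"]+)"', re.IGNORECASE)
EVENT_RE = re.compile(r'^pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)\s+cmd=(.*)$')

# Constructed process-creation events (not real telemetry). The first five mirror the
# report's tree; the last two are benign noise that must not trigger an alert.
SAMPLE_LOG = r'''
pid=4508 ppid=4156 image=C:\Users\Admin\AppData\Local\Temp\is-1N9E3.tmp\setup.tmp cmd="setup.tmp" /VERYSILENT
pid=1620 ppid=4508 image=C:\Windows\SysWOW64\cmd.exe cmd="cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
pid=3360 ppid=4508 image=C:\Windows\SysWOW64\cmd.exe cmd="cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
pid=4192 ppid=4508 image=C:\Windows\SysWOW64\cmd.exe cmd="cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
pid=1860 ppid=4508 image=C:\Windows\SysWOW64\cmd.exe cmd="cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
pid=7001 ppid=9000 image=C:\Windows\System32\cmd.exe cmd="cmd.exe" /C tasklist /FI "IMAGENAME eq notepad.exe" /FO CSV /NH | find /I "notepad.exe"
pid=7002 ppid=9000 image=C:\Windows\System32\tasklist.exe cmd=tasklist /SVC
'''


def parse_log(text):
    """Parse the constructed key=value lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            pid, ppid, image, cmd = m.groups()
            events.append({"pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd})
    return events


def probed_name(event):
    """Return the process name a cmd.exe 'tasklist ... | find' one-liner checks for, else None."""
    if not event["image"].lower().endswith("\\cmd.exe"):
        return None
    t = TASKLIST_RE.search(event["cmd"])
    f = FIND_RE.search(event["cmd"])
    if not (t and f):
        return None
    name = t.group(1).lower()
    # Only count it as a presence check when the filter and the find target agree.
    return name if f.group(1).lower() == name else None


def detect_av_probing(events, min_probes=2):
    """Flag parents that spawned at least min_probes checks for known security processes."""
    by_parent = defaultdict(list)
    for ev in events:
        name = probed_name(ev)
        if name and name in SECURITY_PROCESSES:
            by_parent[ev["ppid"]].append(name)
    images = {ev["pid"]: ev["image"] for ev in events}
    alerts = []
    for ppid, names in by_parent.items():
        uniq = sorted(set(names))
        if len(uniq) >= min_probes:
            alerts.append({
                "ppid": ppid,
                "parent_image": images.get(ppid, "<unknown>"),
                "probed": uniq,
                "vendors": sorted({SECURITY_PROCESSES[n] for n in uniq}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_av_probing(parse_log(SAMPLE_LOG)):
        print(f"ppid {a['ppid']} ({a['parent_image']}) probed for {a['probed']} -> {a['vendors']}")
```

Keying the alert on the parent rather than on each `cmd.exe` keeps a single admin `tasklist` query (the notepad.exe line) below the threshold while the burst of checks from the dropped `.tmp` installer is reported once with every product it looked for.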
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-278TN.tmp\_isetup\_isdecmp.dll

    Filesize

    29KB

    MD5

    fd4743e2a51dd8e0d44f96eae1853226

    SHA1

    646cef384e949aaf61e6d0b243d8d84ab04e79b7

    SHA256

    6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

    SHA512

    4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

  • C:\Users\Admin\AppData\Local\Temp\is-UD0QS.tmp\0eb44447fe01d942d8972c146a7196f157985e49f780187545bc867992c13577.tmp

    Filesize

    1.1MB

    MD5

    90fc739c83cd19766acb562c66a7d0e2

    SHA1

    451f385a53d5fed15e7649e7891e05f231ef549a

    SHA256

    821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

    SHA512

    4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

  • memory/1640-21-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/1640-1-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/1640-2-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

  • memory/2688-58-0x0000000000400000-0x00000000005E4000-memory.dmp

    Filesize

    1.9MB

  • memory/2688-55-0x00000000007A0000-0x00000000007FD000-memory.dmp

    Filesize

    372KB

  • memory/4156-53-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4156-15-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4156-17-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4156-33-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4376-19-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4376-6-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4508-30-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4508-50-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4508-35-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB

  • memory/4508-36-0x0000000000400000-0x000000000052D000-memory.dmp

    Filesize

    1.2MB