Overview

overview

10

Static

static

5

1b1521f76d...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b1521f76dc2d1a101e430d465bf5959.exe

  • Size

    1.0MB

  • MD5

    1b1521f76dc2d1a101e430d465bf5959

  • SHA1

    7ebdca7a5e1a43e5506155636f5b1c182898eeb3

  • SHA256

    044363ef24d3eee654758490d6370fd1fbe211d8f508db31986a3a23dd4fa8a4

  • SHA512

    7e4af46d81c45182fe012bcb18e61cac781d30e442b7b4c5d9759db7820b30afbcdf4d7e37e38ffbbe21fe75b6ed6cde5990e5ede0bb10422f8bf45a0fc8d0e6

  • SSDEEP

    24576:AqDEvCTbMWu7rQYlBQcBiT6rprG8a+IWIjCLeYomVU:ATvC/MTQYxsWR7a1mLBa

Score
10/10
lummanetsupportdefense_evasiondiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

lumma

C2

https://fescapadue.live/SPzkwq

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://4rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://jtargett.top/dsANGt

https://xrfxcaseq.live/gspaz

https://2ywmedici.top/noagis

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Downloads MZ/PE file 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b1521f76dc2d1a101e430d465bf5959.exe
    "C:\Users\Admin\AppData\Local\Temp\1b1521f76dc2d1a101e430d465bf5959.exe"
    1⤵
    • Downloads MZ/PE file
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Users\Admin\AppData\Local\Temp\part.exe
      C:\Users\Admin\AppData\Local\Temp\part.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Netstat\netsup.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4756
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3756
        • C:\Users\Public\Netstat\bild.exe
          C:\Users\Public\Netstat\bild.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:5344
    • C:\Users\Admin\AppData\Local\Temp\part1.exe
      C:\Users\Admin\AppData\Local\Temp\part1.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\1b1521f76dc2d1a101e430d465bf5959.exe & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\PING.EXE
        ping 0
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5168
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Public\Netstat\bild.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5348
    • C:\Users\Public\Netstat\bild.exe
      C:\Users\Public\Netstat\bild.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

5
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\part.exe
    Filesize

    6.8MB

    MD5

    fe290c6da721366cbc2f724ec3591cbe

    SHA1

    b3acd3d32e8a29a097532496d894d8bb448e32b2

    SHA256

    d55b2dbdc471d6c66aae421174fde5a052d1814e436744290d788f88b208ae48

    SHA512

    41a88ed5942702153f1a3beb39d8ebed2e5fe0b813faceb5d42954666943df2096457d5b104b2e430671eff40a8168eba12b5563464552ca6ef45f50e84979c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\part1.exe
    Filesize

    2.3MB

    MD5

    b8dea100c3343e7ba3bbc108cce7639f

    SHA1

    9a9b052524f1e3b8deaff4248e43934a07fd37c5

    SHA256

    cb1e237933357d1beaedc4a598cdbfd23294e32ea019cb5463b0efd8eb5d7ca9

    SHA512

    e9ed17e2aa3b7208d98ef3201b9ef7b39b0039887a6bccd5b640cd913552534b6ec9503a4646147707f93b524787b939ef7d6be1c07cde61cd6674343bd29ccc

    Download Submit

  • C:\Users\Public\Netstat\HTCTL32.DLL
    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

    Download Submit

  • C:\Users\Public\Netstat\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Public\Netstat\NSM.LIC
    Filesize

    257B

    MD5

    7067af414215ee4c50bfcd3ea43c84f0

    SHA1

    c331d410672477844a4ca87f43a14e643c863af9

    SHA256

    2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

    SHA512

    17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

    Download Submit

  • C:\Users\Public\Netstat\PCICL32.dll
    Filesize

    3.6MB

    MD5

    00587238d16012152c2e951a087f2cc9

    SHA1

    c4e27a43075ce993ff6bb033360af386b2fc58ff

    SHA256

    63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

    SHA512

    637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

    Download Submit

  • C:\Users\Public\Netstat\bild.exe
    Filesize

    103KB

    MD5

    8d9709ff7d9c83bd376e01912c734f0a

    SHA1

    e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

    SHA256

    49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

    SHA512

    042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

    Download Submit

  • C:\Users\Public\Netstat\client32.ini
    Filesize

    701B

    MD5

    eb0e9a59e218fbe2789746866e90a7d6

    SHA1

    004613405eb3d9920634b403545a3441e13df102

    SHA256

    911dfe9f2707adcdb176a787698db957b4c3fbe5fc206e035cb41e3c7c219c53

    SHA512

    dfd7289e536f6bbd289af64c533debed878b0e348035fe65c4d52755e0ee11e6c6a55c62d8902b661e6183d8e01469df5e97796d5780a01bb453b8656195c279

    Download Submit

  • C:\Users\Public\Netstat\netsup.bat
    Filesize

    161B

    MD5

    bb8869e7e80234a30633bd0301b57deb

    SHA1

    13790ad2bc012431324093b16c19b1e532c94e63

    SHA256

    d6f183097bf12a7f68632efecc6dc7ddac16002839229502b32cd40826dd472c

    SHA512

    7d043054fcde4c73e9e5988330a94a737360adf1b0d806efc4660d1e336e27a66149494b611969a29b873d76bc4b1278b47d1efc27a9c7bd50a1f8cdf346937a

    Download Submit

  • C:\Users\Public\Netstat\pcicapi.dll
    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

    Download Submit

  • C:\Users\Public\Netstat\pcichek.dll
    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

    Download Submit

  • memory/2108-62-0x0000000000CC0000-0x00000000011CC000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2108-64-0x0000000000CC0000-0x00000000011CC000-memory.dmp

    Filesize

    5.0MB

    Download