Resubmissions

01/07/2025, 06:37

250701-hdmc1sdm3x 10

01/07/2025, 05:20

250701-f1tdqs1tew 10

Analysis

  • geolocation tags

    na, new-jersey, north-america, united-states, us, usa
  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/07/2025, 06:37

General

  • Target

    Setup.exe

  • Size

    1.1MB

  • MD5

    5e80f3a191aae0fb63a1a0c6d8d781bb

  • SHA1

    2083c8270cc0270cc2d2de1858fc38f5e9d09f9e

  • SHA256

    240bce5a0d11df228597503ac7070f5f54cb40b71a8d1ed7f3de3d97dafacd47

  • SHA512

    7e2601c6fc8e0642a2e405d39988d980c8a83c0d31b352e4b48525d73b67cf0582b4a77a80cc046717cf32a8d5f7b0a7ae2ec304dade1f6c769573ae3b08c0d8

  • SSDEEP

    24576:O0adjo4mkZ7hDsijX4nq9wrQ9c5qAoKtzi2T9pgLbHcjXDFyMZI0Q2Myk81:OXU4p7hLjonq9RcVVBjpqbHczDS2n

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://stochalyqp.xyz/alfp

https://narrathfpt.top/tekq

https://escczlv.top/bufi

https://localixbiw.top/zlpa

https://korxddl.top/qidz

https://diecam.top/laur

https://citellcagt.top/gjtu

https://peppinqikp.xyz/xaow

Attributes
  • build_id

    f020fca5b284e3026ebd4807041a821b354185

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy Entitled.dot Entitled.dot.bat & Entitled.dot.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4352
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4360
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\SysWOW64\findstr.exe
        findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4164
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y Importantly.dot *.*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1564
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "educators" Operation
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\479390\Super.com
        Super.com C
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2108
      • C:\Windows\SysWOW64\choice.exe
        choice /d n /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1460

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\479390\C

          Filesize

          542KB

          MD5

          58b12ad622c122c1e76488df86a53582

          SHA1

          8033c0f09f6c4fac2d0af43b186c1a4a149262fb

          SHA256

          94815a1957251a5924efce89a640c9a4f854d762faad7da43da0d9b8badbfdcd

          SHA512

          8b3a09bce7eeafdf233b2e27bed34217708a88059a334fcea4c9c6208cf295beb614e4f129b42af3ef70d1fc465b411feaf628e3ab54f412b83d67b9c3d2e01c

        • C:\Users\Admin\AppData\Local\Temp\479390\Super.com

          Filesize

          925KB

          MD5

          62d09f076e6e0240548c2f837536a46a

          SHA1

          26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

          SHA256

          1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

          SHA512

          32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

        • C:\Users\Admin\AppData\Local\Temp\Anytime.dot

          Filesize

          54KB

          MD5

          828b31c554ffafc6a3aa5d8d07c5120b

          SHA1

          2c381442f05d082b4a55eb67088d89ffe14473a5

          SHA256

          3a13f040064fb52fe07a62ccf1f863d852d908d58b6b02167f565e68a5f91837

          SHA512

          f10c8b35357d240ada8f3f05000b7341ffa660e929f9fca4b2c6afcb89aeedb74a69438bde35754322fe14f625409229c8caa624b5ef8febf51bf6ac3a2a3691

        • C:\Users\Admin\AppData\Local\Temp\Attitude.dot

          Filesize

          63KB

          MD5

          63da6ebb69ec97a1c5cbc175935e74f5

          SHA1

          cc5a440ad643073cc8fccdd9c95c243323033444

          SHA256

          d2bed4576ba8aacfa88d79c65e4c0b015c59ada2b1a76d8fcc2fcfaba27ea7c7

          SHA512

          370a0c44a8a02461420173f5356965ad7c811c9c30f7dd0b0a10645c1d628eae25011218aeeae2df50eb2c01e1eae1dc993f1b3be5c421822f8bf21c8611bd4f

        • C:\Users\Admin\AppData\Local\Temp\Centers

          Filesize

          73KB

          MD5

          47840f944f7019f520af43892891a443

          SHA1

          6fa211dbf633d025ba9ef2a49e81b83815343450

          SHA256

          ac87653d27bf3fdaa6340f7eed1f894871bc27f5417547adbcaea5c6c15d328f

          SHA512

          d04184afe607c8b8f573b6368fbb66e356336f3eae2983e79a5b05d942f233122a1cbee83c857422e2fc6b6cae1b085f4b1c9b8439afb04c1f000c24777b7aba

        • C:\Users\Admin\AppData\Local\Temp\Color.dot

          Filesize

          61KB

          MD5

          d86cce1201dba1d880a23e21b0e0294e

          SHA1

          5f5a05a0a06774ad6ac99411e848991bd29631bb

          SHA256

          c6eee1cae85e9fc7d4604b2b8fc30f117fe79176a1048ae08f7d390efb62c1ed

          SHA512

          0296259fc2b53fcfae380288cca10a01f21bcd794e0570e8d9fd1145614a1f7d8efeda6bac3dcc1ad593c834cf159e9f44a4da94934d2a225532f36fce26609f

        • C:\Users\Admin\AppData\Local\Temp\Consequences.dot

          Filesize

          87KB

          MD5

          a77ee830abc2608cc2b16d97d8d62322

          SHA1

          631a98da3cf8433d24b5c7e0f220f2613d3d955a

          SHA256

          28140a1897426ea43491b719d3fa3d3567739b0dfac5a9ee15dabbff9aaa6f65

          SHA512

          b6fd9f2baa689190701a9a95602d8c82bc0d3956a6bfd8902dbdc5a19cc3655b3d3ec65a5f97000f84d3223ffce4c683417370ed472de54a6eefff1cec58ac31

        • C:\Users\Admin\AppData\Local\Temp\Entitled.dot

          Filesize

          8KB

          MD5

          1d4e02a00655816925b5242ccd3d027d

          SHA1

          ccf060157f77aa8e870e21ab2d82215064c4a135

          SHA256

          85fbc188e297280432f6f505267bfe210cf395ad8b8f0bd4a805a95b17ca6df7

          SHA512

          09a72a9eecd20b2b4bcce80f6a5b7464885f122d1f9949fe585e3ea5709f53cd218d9619b5d48f159af01e6644bd1c010b504ab1ad4db4247d34fdeb32327aa8

        • C:\Users\Admin\AppData\Local\Temp\Eventually

          Filesize

          50KB

          MD5

          daa384bb26db91e041885d265dc53ef9

          SHA1

          46596c6103ae9180467e93ea84ef5ecca94f76c7

          SHA256

          a566caa435a45dd2b7fc6c99b0244314d77ea30e62cd791e94225ecbfb7b5b67

          SHA512

          b823da80880cd0cbf214191bf793cded30391396d5a08b1b24d615acfb392bea7bbd9d0fb4340695e2c508510d26f65363fa823a496d5d2b93b859e0b091836e

        • C:\Users\Admin\AppData\Local\Temp\Finish

          Filesize

          90KB

          MD5

          5214eef8013a68c98aef0ea346b2bc14

          SHA1

          388e4d6f1a4da6ed54c448f9f6d88111bdc6e036

          SHA256

          461dd1f464e661218c345b16dc5a641cbaadcb91af6d80a687190cd0d52f803f

          SHA512

          0c4525fce592e90045e066e78fa74ab1a365a90c0c9c824482edf24929ddd8a59d6d8531b6ffdb99b1f17170c803121a016a6a4be41b40b0ee8a99406eaaec2f

        • C:\Users\Admin\AppData\Local\Temp\Hungarian

          Filesize

          52KB

          MD5

          b770e75363da196ccfadcbd554311a85

          SHA1

          f8ad1a19cef5e58c1b97c6f5dbfd1d10981a8229

          SHA256

          ace7f310fe461a3f4ac6f842abc02c41afb4629181eb21f6dc1aee2057fbd513

          SHA512

          ac8548cbd5ed04bc709e90544b6964198fd91dc4eec918d4eb9c46b28b6c8433c950f8043a83b11ca41ce4e7a31808a4d424a4e0b407141f32f727905b6efc04

        • C:\Users\Admin\AppData\Local\Temp\Importantly.dot

          Filesize

          477KB

          MD5

          9b80a0dc679e8c2a2c7eca051b52b94b

          SHA1

          35e0f7800be58aeb04a1ca6aef0bea9c226d8e3a

          SHA256

          510a71332bef204c7db600ebae5f6355607ed5befda8aa18373d298aa6296b67

          SHA512

          b769ece6eff85222bba3e041f396b7bbfc1f68b22b339b6c09521406b6966494337d37654ad69fa3c8d5f463578189f835c779fda46daf0b93fe69fe7bec11c9

        • C:\Users\Admin\AppData\Local\Temp\Many

          Filesize

          50KB

          MD5

          6de79cfe065be5669b9fc13eeab9817b

          SHA1

          36d7cfaa1c1a0e23e007fe9a68508aab20ccd9d9

          SHA256

          31d8eb0f61968f10e27d6b06035b51d88fb615e0e2fe4fad3255976696238428

          SHA512

          420bb25064888581fd2e0beff5a67165ed57c023f4c62031a3c0833b98d3a275f00fc4a7224e77b99dc076ebb57e15fa17aa3131144819d72028adc77cfcbe67

        • C:\Users\Admin\AppData\Local\Temp\Monroe

          Filesize

          126KB

          MD5

          f7c6cf32130ca0ece5fdf1680c9d5078

          SHA1

          07188325f55a2f78dad2a0b02e5a10dc25de6926

          SHA256

          7cf3e2a4796cfd510146c9359bd70e354a2a4f0b2f50930c131222186c515b55

          SHA512

          cbebf27184dcd23f9242a2345c5699e8be07e7c6e63a6c3f37965fb82c7f06922c6fb72da916697c2b09eb9bca91266d8fc8b8e526013ddc645639e6bf8cf02f

        • C:\Users\Admin\AppData\Local\Temp\Operation

          Filesize

          1KB

          MD5

          2fdf15b45ef59773a59f2df97d9387dd

          SHA1

          03f1645fa46746baf71e008c2c89110acdad1f8c

          SHA256

          7ca612ef72d566772188cdd64a33151be5e25dbc013ec17388ded2dcb42ca84b

          SHA512

          2a6c776e47e9ceb2a311410015e5cef2e5e974e03a84906f84ce3bf2c4db75f10fa4ad80d3a16295580b146bdaaef2be24687f8cea5b9e9d561f27606b0b9a10

        • C:\Users\Admin\AppData\Local\Temp\Orange

          Filesize

          65KB

          MD5

          e14d6edd72de863fde8b8089c6bfcab6

          SHA1

          cd5147f4968cc166d1bdb2ff6355e6493bc410af

          SHA256

          2d331231316452fb8a9aa81bfd1c94de5922dc7a4bcf4468d9784877671a2adc

          SHA512

          b70f9f087f8001c845df596490d7a91b02902bd0c6bc18e7c636f52942da094ba9f02c7e57b9399ce74c9167204747ea67494fa9abba5ca708ee3b600826b48e

        • C:\Users\Admin\AppData\Local\Temp\Parallel

          Filesize

          69KB

          MD5

          8ed3aff005c1751b3c592f1111525669

          SHA1

          d28dd942674e3334e07d399b53cf54373afceeca

          SHA256

          0ac8c37abf0f0f18b7d06c0a5196bc41708ec513b36ea61cf67e70f9d126d855

          SHA512

          d101edf50862fc3308e4719ddd631532dccf7a51598da72a05e46e83effece454dc32ffa444f8a173a4d478b99c7589f2947d724d6c1af2925128e406473c105

        • C:\Users\Admin\AppData\Local\Temp\Pleased.dot

          Filesize

          68KB

          MD5

          e6ad99f9219779111b4f1b35cee18430

          SHA1

          4beb43bfa99ae71388f74fcde1da0e07f4f9f6ce

          SHA256

          3c66570a3d37aaede803c327d01bdd03880ecfd0eef847d645248c642ec2226e

          SHA512

          b1345dd106c614ecdfd67a4a6c085ed33eb7562a0226504f4605dbeeaa9c9892b0f0fc31265911df435d8cc3c56711a9dc45925ff095709a8a9bc4de9a03102d

        • C:\Users\Admin\AppData\Local\Temp\Ratings

          Filesize

          146KB

          MD5

          7c2cd501a08cf4257a7bd8e2f14aea4d

          SHA1

          15c52ca78d50d7978549fa2e1819f5512febc04f

          SHA256

          17f7046bf36ff156243a1b74e10e21a65bd6c4336921aaf9cf649b550b7f1547

          SHA512

          6147aff7abd381a1fa94fde5a77541458206ff38d63a6af7e4489ebb1ce33a34c0edde2476132885f830d84e837b68ef726b9959e0072c063022c2a3ffb1780f

        • C:\Users\Admin\AppData\Local\Temp\Richardson.dot

          Filesize

          86KB

          MD5

          59b53c75aa34be7e47c81e4a2a14b077

          SHA1

          3b7ded22e4354a2b1bc13798899f2036508c3236

          SHA256

          bdc480c7eed5371b031679313f387c38917d9e71ad73c46f2c5b174ccf43cb8a

          SHA512

          9c9caeebea0d97653635bbd5fb5338f3f61b6b579afafd109ddd2e8f64e261d0de20d8bbb04843a01794cdf29a288780886b5fb2ad33952f403b7c82100fdc66

        • C:\Users\Admin\AppData\Local\Temp\Submitting.dot

          Filesize

          53KB

          MD5

          5754a2f4323b175d5432eac0bb81f2ca

          SHA1

          92f37a04cfc07ef1e20bda3d5cc33011766dbeb5

          SHA256

          8ffcdab3021da520c02211fa2df6a480718618f1600abb5e9a430d3e90150fbe

          SHA512

          f0c04b0ec63b420fa183ac65e7f5c48beb0daacd114076956aabb78ec05796e4c7685d0c4b6851a80fe9cb46edd2ca753b8913928c2a34745b445dc618a6fe28

        • C:\Users\Admin\AppData\Local\Temp\Sweden

          Filesize

          104KB

          MD5

          3a9772059dae128c1d85e4ff5d798181

          SHA1

          6ffc0e3cae9ef7a5e5bd1e9b50f6e2d06da9c12c

          SHA256

          718898c453ee4232a62e7247d2e365ff963b48dcfb3511c03d036ca8682834e4

          SHA512

          f13c4c43056ff805d630b945bc6846d1ca8b764c296858ea31f3cdb4209255414925fff6a3fde6e07807742053f803b527c55774d735a13ea3bdb16a3739ac62

        • C:\Users\Admin\AppData\Local\Temp\Turning.dot

          Filesize

          70KB

          MD5

          c27e01a7a3d0062890583b330d8b8280

          SHA1

          5fdb3acaf5e478d55cc8c44faf19b37234aa6698

          SHA256

          222a85f880cac9de2d6b8895acb05aa2dbee29e7986c471223ba6b62a0bd8614

          SHA512

          7860975e2b61260363f2f13cda357ba03f34320cd8803181b2012c12a6fbe836a073fb32eefbe0a4777baad7f20d0105d1b49c5968c49a37634dd37d5b90ea17

        • C:\Users\Admin\AppData\Local\Temp\Wet

          Filesize

          98KB

          MD5

          7c4b83d506c2047c38ec34786559f9f4

          SHA1

          12f6430bbee8555fb006960be543e1705180bb23

          SHA256

          f1b3f6ef436d895705212891858c6f305cc4d15083683132ed3d65aefce4ed90

          SHA512

          f807a9edfa5e00b5fb1eb1aca47a85c7684748a7bad2e06f088eefa009c24a30a065b4812bc5aae8999bc200904b8b083689171c65904d7f135558f23560ed0f

        • memory/2108-257-0x0000000004A10000-0x0000000004A73000-memory.dmp

          Filesize

          396KB

        • memory/2108-258-0x0000000004A10000-0x0000000004A73000-memory.dmp

          Filesize

          396KB

        • memory/2108-259-0x0000000004A10000-0x0000000004A73000-memory.dmp

          Filesize

          396KB

        • memory/2108-261-0x0000000004A10000-0x0000000004A73000-memory.dmp

          Filesize

          396KB

        • memory/2108-260-0x0000000004A10000-0x0000000004A73000-memory.dmp

          Filesize

          396KB