Overview

overview

10

Static

static

1

Setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    594s
  • max time network
    599s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    5.8MB

  • MD5

    c34e8f27e5e41acc13f476298be901f5

  • SHA1

    1857dfcf2bbb4e91fed3595395cc6ea1b6e5e425

  • SHA256

    8c09b0520cd0a587ccdab5f16b202ef013d9bf3b4fc7653b5afdf480417d33f1

  • SHA512

    ccc416d96d36b792c59bdfd23c5e2e3b2c08c3498e43af7e0e5b873e0828c23fb30c1f21428fb8f984df99255d232e718422ce95acc8bba888da082f465c6709

  • SSDEEP

    98304:vsMDHDRm8rcgEqQQ5izvWtb2ZaQ9kclxrg/bYzO6TEYJYEHjHO:RHDRLrcgEq55izvWtDaxbBOLYJYmu

Score
10/10
lummastealer

Malware Config

Extracted

Family

lumma

C2

https://prettilikeopwp.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
          PID:2284
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
      1⤵
        PID:3940
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1180
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:872
        • C:\Users\Admin\Desktop\Setup.exe
          "C:\Users\Admin\Desktop\Setup.exe"
          1⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Windows\SysWOW64\more.com
            C:\Windows\SysWOW64\more.com
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4716
            • C:\Windows\SysWOW64\SearchIndexer.exe
              C:\Windows\SysWOW64\SearchIndexer.exe
              3⤵
                PID:4548
          • C:\Windows\system32\OpenWith.exe
            C:\Windows\system32\OpenWith.exe -Embedding
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3588
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\91931c45
              2⤵
                PID:2364
            • C:\Users\Admin\Desktop\Setup.exe
              "C:\Users\Admin\Desktop\Setup.exe"
              1⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Windows\SysWOW64\more.com
                C:\Windows\SysWOW64\more.com
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:4616
                • C:\Windows\SysWOW64\SearchIndexer.exe
                  C:\Windows\SysWOW64\SearchIndexer.exe
                  3⤵
                    PID:2136
              • C:\Users\Admin\Desktop\Setup.exe
                "C:\Users\Admin\Desktop\Setup.exe"
                1⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:1212
                • C:\Windows\SysWOW64\more.com
                  C:\Windows\SysWOW64\more.com
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2536
                  • C:\Windows\SysWOW64\SearchIndexer.exe
                    C:\Windows\SysWOW64\SearchIndexer.exe
                    3⤵
                      PID:4848
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,16856304285138459032,14480077487839828721,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:8
                  1⤵
                    PID:3344

                  Network

                  MITRE ATT&CK Matrix

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\7e1b39e3
                    Filesize

                    1.2MB

                    MD5

                    d85456bc93bc20de97041fb8f7f79247

                    SHA1

                    d155e82d273925a86ef370c9f3fda0a0cb1112ef

                    SHA256

                    9046bbd0bcb00410590ff77db0766c8c26f26afa4eb6431b4fb7d5e5aa8d00bf

                    SHA512

                    c6ca930fe9f95058c05ec1c2852645c4c2c967e9423bb058633503541e09bd59bdd42b8eb4a1c11892adf73e2774ce11e90303b01f1f31798d56e5ae23f9de7c

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\8218daed
                    Filesize

                    1016KB

                    MD5

                    5dcce13b91edfa7a1a4a505fd61ddec2

                    SHA1

                    efbf002b4c6464519a7e1cdcd2d87e76d385fca1

                    SHA256

                    026a9a23f4ee90d0cfbf9a7d18012e68ff208fabe71711e1924872ee43147d0e

                    SHA512

                    68b5e54806457d3412505fc6de7942364c5a87279babb554b86f08ba697759617dd9a6142218611b6f8ff480407994eab3ec46f38f3d2d52f4a026922667444e

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\91931c45
                    Filesize

                    1016KB

                    MD5

                    ded69ba6983cc9ea7c2bbb49b3b5cef5

                    SHA1

                    e19799926f9b09e2b44214955e5314a3aee32047

                    SHA256

                    9be7a4b951ed55a0905af4c26362abde14e5620a04ced863990cb312187cb4c8

                    SHA512

                    4b093a9ca0eac70d660fa51fa9711fc0c38d9f569d92f8f6f2adc8f6c663221e276af526534b9e93d90427733396ce5038461eb5476fcb54c8ae6844f760a8cb

                    Download Submit
                  • memory/948-15-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/948-18-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/948-12-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/948-14-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/948-16-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/1092-50-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/1092-42-0x00000000006F0000-0x0000000000CCB000-memory.dmp
                    Filesize

                    5.9MB

                    Download
                  • memory/1092-48-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/1092-49-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/1212-62-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/1212-60-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/1212-54-0x00000000006F0000-0x0000000000CCB000-memory.dmp
                    Filesize

                    5.9MB

                    Download
                  • memory/1212-61-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/2136-68-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/2136-69-0x00000000002E0000-0x000000000033A000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/2136-73-0x00000000002E0000-0x000000000033A000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/2284-19-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/2284-23-0x0000000000C70000-0x0000000000CCA000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/2284-20-0x0000000000C70000-0x0000000000CCA000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/2536-66-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4064-7-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4064-8-0x0000000074EB2000-0x0000000074EB4000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/4064-9-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/4064-10-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/4064-6-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/4064-0-0x00000000000F0000-0x00000000006CB000-memory.dmp
                    Filesize

                    5.9MB

                    Download
                  • memory/4548-40-0x00000000003C0000-0x000000000041A000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/4548-41-0x00000000003C0000-0x000000000041A000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/4548-39-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4616-53-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4716-36-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4744-33-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/4744-32-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4744-25-0x00000000006F0000-0x0000000000CCB000-memory.dmp
                    Filesize

                    5.9MB

                    Download
                  • memory/4744-31-0x0000000074EA0000-0x0000000074EF2000-memory.dmp
                    Filesize

                    328KB

                    Download
                  • memory/4848-74-0x00000000005C0000-0x000000000061A000-memory.dmp
                    Filesize

                    360KB

                    Download
                  • memory/4848-72-0x00007FFA231D0000-0x00007FFA233C5000-memory.dmp
                    Filesize

                    2.0MB

                    Download
                  • memory/4848-75-0x00000000005C0000-0x000000000061A000-memory.dmp
                    Filesize

                    360KB

                    Download