lumma | f03d3c79e32a48817363f4f3a855c6353c250265e4fb8fb16193006b229414e0

Analysis

max time kernel
142s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CupCut.zip
Size

60.8MB
MD5

0a46d73b9038266bdd6dc1dd87b25797
SHA1

83dbc577e4474072a45e47a004bfbdd42be18109
SHA256

f03d3c79e32a48817363f4f3a855c6353c250265e4fb8fb16193006b229414e0
SHA512

3c73ce8f845ec6c5361c627282aa6c5bf93e0243e0568dd99970920d5211258e3558154fd179914a97053ae1467d0e6198bd346516e8bc0f0332ca7f3c58ac70
SSDEEP

1572864:U5CDiJoBNMa4CnjuzE2jdCwh6kJFJBAZo3qbwZT:mCDiOBNMa4euE2jUwQa3qbwl

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://liversymbwqp.shop/api

https://condedqpwqm.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
4024	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4024	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4024 set thread context of 736	4024	Setup.exe	101

Program crash 2 IoCs

pid	pid_target	Process	procid_target
844	736	WerFault.exe	101
3288	736	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1324	7zG.exe
Token: 35	1324	7zG.exe
Token: SeSecurityPrivilege	1324	7zG.exe
Token: SeSecurityPrivilege	1324	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1324	7zG.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101
PID 4024 wrote to memory of 736	4024	Setup.exe	101

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CupCut.zip
1⤵
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\CupCut\" -spe -an -ai#7zMap21278:92:7zEvent23830
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1324

C:\Users\Admin\AppData\Local\Temp\CupCut\CupCut Cracked\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\CupCut\CupCut Cracked\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1184
    3⤵
    - Program crash
    PID:844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1204
    3⤵
    - Program crash
    PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 736 -ip 736
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 736 -ip 736
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CupCut\CupCut Cracked\msvcp140.dll

Filesize
589KB

MD5
9a551ddd4c7615733fb58e08cbb20490

SHA1
10af07f402243c533447f17ea0f7bba07e5c5045

SHA256
5a2c9396c9ca8c6478008661c4db721e3002726dce54c7d874ec7b4722ca1961

SHA512
5ba4ebff32d457677ab02617b5d3a2e98046f2ce04e1ab079f50205a1bea2177f81fc4048f7b3f3ef1a02db097bec6e247574f7def30cfebaccee2c89c0960a9

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
589KB

MD5
d4dfedf9fe8788fab2bb346496cca3aa

SHA1
503eedc99bfc5d4a518b227ebea94b5b12d0f281

SHA256
fe4904b727f79e3b78a9d5cd10d0bc8361a1f0595af7ef0f0684129ded31e2cc

SHA512
fdc4466c8926eac5670669d8486442e56bc2560cd4e74d45a3d5f28f76e99f8c5b132c505f672b3d14fcc2bc2d6b3fba6da3b578c3c3ad6fe618a0abadf799d7

Download Submit
memory/736-100-0x0000000000360000-0x00000000003BB000-memory.dmp

Filesize
364KB

Download
memory/736-103-0x0000000000360000-0x00000000003BB000-memory.dmp

Filesize
364KB

Download
memory/736-99-0x0000000000360000-0x00000000003BB000-memory.dmp

Filesize
364KB

Download