Analysis

  • max time kernel
    76s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    10/10/2024, 13:30

General

  • Target

    CFXBypass.exe

  • Size

    490KB

  • MD5

    9c9245810bad661af3d6efec543d34fd

  • SHA1

    93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

  • SHA256

    f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

  • SHA512

    90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

  • SSDEEP

    6144:3PkcFUUUQHs5TlOhDuy4VjmSO6/tU4j06xeJyCjvhsXZ4m05d0qCsfBLuWWCV/rr:3McWUUysz/NhKjJPhM4/5bV/rvgE3

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (21 IoCs)
  • Suspicious use of SendNotifyMessage (20 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\CFXBypass.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3644
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4408
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4756
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e0f290-0572-4baa-afb1-fe0da15bfb57} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" gpu
        3⤵
        PID:1736
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2440 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad61821-1b32-48c4-83a2-9445d0e7a087} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" socket
        3⤵
        PID:3172
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3344 -prefMapHandle 3436 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7b4f2e-7333-451d-bb29-918c246ed904} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" tab
        3⤵
        PID:4576
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 2692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce6f7a81-d765-4d0f-b25e-3e7284dd83bd} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" tab
        3⤵
        PID:1708
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4704 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc9e046f-30f6-4559-8540-03f100f9c7ef} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" utility
        3⤵
        • Checks processor information in registry
        PID:5144
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5316 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16191e5e-7796-4a22-a54b-bc7df0489e48} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" tab
        3⤵
        PID:5692
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4312da53-a936-4c5d-b4c8-9c564ffdc414} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" tab
        3⤵
        PID:5712
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1edb6d44-407e-4d10-acfa-f6ef468444ce} 4332 "\\.\pipe\gecko-crash-server-pipe.4332" tab
        3⤵
        PID:5724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json.tmp
    Filesize
    18KB
    MD5
    ceed71ff9fbcc8fa66797599672e13a5
    SHA1
    270dfff3f21d494437812abebf12b5dfc099af1c
    SHA256
    099507bd5fcbd17eb4e4cd5ed6afffc82e78354857d95883e9f09bf448ab6a17
    SHA512
    9bfc9d7d6bd9d290127abd686620827fdbae1976d086d18e2fd3ba7d4d5e13eb634b892b39457f13ddaf88b968e0b384aadcd832515263f6879a9034d966f6ac
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    6KB
    MD5
    06e4c1ed5f8e2a19495dd3fbc777c8e5
    SHA1
    72aaea43d57c8498ec680771cdf034a9ea0a164b
    SHA256
    b14689fbd117e0365a8837c655335d51187953047fd549856ce3c1bd130c3863
    SHA512
    66578dd932bf8abffc4be65bb8467a90d7a01a97ccad3ae2528dff13c2704f1e09560625eaca81f585598f530bd08c891eba7185d3213a33be5c19704748ca16
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
    Filesize
    5KB
    MD5
    abd4d564a0e7b8e7be66fec5927f55ab
    SHA1
    3f53c7362c3963e4ae81338577a3682dd31b9ac9
    SHA256
    daf9c7c4193c7091ae96a2d3cc7c54fbaa9db46770d537317e3d30445d625e1d
    SHA512
    aae43d2b35558274a4ee31614f30396ca1be5e1a2b700e2e74c9b97795d4136a2b715bb50ba42b01426e940954cb146b93c5536200f3461bb65bf8ce9df7434a
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\3bf2cc6d-2782-41a7-9589-9d9ec1e8fbb3
    Filesize
    671B
    MD5
    f36f9a3e3a68b633e42fe4726ff061f6
    SHA1
    7f0bcbaa8d81a48da006402db5441bed0bbabc1e
    SHA256
    af0de3a30509d80f4534fee7b44072f8c98a383b04f464a2d61977058ef9a66e
    SHA512
    a09ddf90039aaa878bad641586d59d823b316d4631b681d46060158a0e4398c12cc3c58d4388f7bab8275f92d0a7a1c6b92ad7bb117f6026cf4778fe85093bc3
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\53c4aa11-6926-4ec5-a370-63bbc6ee4ab7
    Filesize
    28KB
    MD5
    8044879327ce0ba5a1c4abe86f0415f6
    SHA1
    0b60fb1120c5102d9584fe593af9533c3fc17b3a
    SHA256
    52a404777fe822b59f8fdcb0c1296d8c9bb633516f41cf8856fe9a37549ff4ee
    SHA512
    5b6ed19d93755c3d1a26a6186c6f1f820dc958ee838ce6b09285634e9d78712ead236dbf0b2fd2d178bf205c85742afd7cfc5933ecec416732578b5488857b84
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\d89eaf6e-faf4-4ddf-94e5-81da8eb1145a
    Filesize
    982B
    MD5
    f34e56e25eddf34238687394faa041de
    SHA1
    34748321218ff219067457e1331edc8f9a72dc5d
    SHA256
    4bf8d1a3b6545f42968ea5c51ff74e4e1ee82cad203a0823dd37434d01568c7c
    SHA512
    ff177fce655862eaf2ef9608a938f6045a786290ee02308ea62f24f17dbce0f531e2f32a38e982cc9a1d4eabd47c3d8fa13f5b193a2eaa2f36e083e3cec17dcc
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js
    Filesize
    11KB
    MD5
    f0d586902c8ac0cf3153ea9017455048
    SHA1
    12dc811bb09fe7a2085a7ee1d5f4bbaef90e853c
    SHA256
    7ba5cf08e99c77e70e1c65093000ba50af67fb9a03d54e714e0eb122e1180ed2
    SHA512
    f00b52b01938c02ca4322521bbd20ed7f68d7d6c0eb65d23055de40545ca9dfd5739ca76a9c7deb633aee68a90f5b68d03e09101d213f94433623874fc85a2ca
  • memory/3644-9-0x0000000001320000-0x0000000001321000-memory.dmp
    Filesize
    4KB
  • memory/3644-10-0x0000000000F90000-0x0000000000FDB000-memory.dmp
    Filesize
    300KB
  • memory/3644-7-0x0000000001320000-0x0000000001321000-memory.dmp
    Filesize
    4KB
  • memory/3644-8-0x0000000001320000-0x0000000001321000-memory.dmp
    Filesize
    4KB
  • memory/3644-0-0x0000000000F90000-0x0000000000FDB000-memory.dmp
    Filesize
    300KB
  • memory/3644-5-0x0000000001320000-0x0000000001321000-memory.dmp
    Filesize
    4KB
  • memory/3644-6-0x0000000001320000-0x0000000001321000-memory.dmp
    Filesize
    4KB