Malware Analysis Report

2024-12-07 03:03

Sample ID 241113-ylw57a1qcp
Target burgi.zip
SHA256 ce5052677dc253b8e9e9ee3b3e2ab7fcc3b60c9238f2b19024377d334d9e2ef1
Tags
discovery lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce5052677dc253b8e9e9ee3b3e2ab7fcc3b60c9238f2b19024377d334d9e2ef1

Threat Level: Known bad

The file burgi.zip was found to be: Known bad.

Malicious Activity Summary

discovery lumma spyware stealer

Lumma Stealer, LummaC

Lumma family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 19:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:55

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 288

Network

N/A

Files

memory/2020-0-0x00000000747C0000-0x000000007490C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:55

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 4824 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\cr.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4824 -ip 4824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 808

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4824-0-0x0000000077AC2000-0x0000000077AC3000-memory.dmp

memory/4824-1-0x00000000753E0000-0x000000007552C000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:55

Platform

win7-20240903-en

Max time kernel

141s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cr.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Browser Information Discovery

discovery

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\cr.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cr.exe

"C:\Users\Admin\AppData\Local\Temp\cr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1044

Network

Country Destination Domain Proto
US 8.8.8.8:53 rel1gitiger.cyou udp
US 104.21.94.195:443 rel1gitiger.cyou tcp
US 104.21.94.195:443 rel1gitiger.cyou tcp
US 104.21.94.195:443 rel1gitiger.cyou tcp

Files

memory/2416-0-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2416-1-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2416-4-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2416-3-0x00000000772CF000-0x00000000772D0000-memory.dmp

memory/2416-2-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2416-5-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2416-6-0x0000000000F70000-0x0000000000FDA000-memory.dmp

memory/2416-7-0x0000000074410000-0x000000007455C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 19:52

Reported

2024-11-13 19:55

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cr.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cr.exe

"C:\Users\Admin\AppData\Local\Temp\cr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rel1gitiger.cyou udp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 8.8.8.8:53 162.168.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 172.67.168.162:443 rel1gitiger.cyou tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3080-0-0x0000000077362000-0x0000000077363000-memory.dmp

memory/3080-1-0x0000000001390000-0x00000000013EA000-memory.dmp

memory/3080-2-0x0000000001390000-0x00000000013EA000-memory.dmp

memory/3080-4-0x0000000001390000-0x00000000013EA000-memory.dmp

memory/3080-3-0x0000000001390000-0x00000000013EA000-memory.dmp

memory/3080-5-0x0000000077362000-0x0000000077363000-memory.dmp

memory/3080-6-0x0000000000F20000-0x0000000000F8A000-memory.dmp

memory/3080-8-0x0000000001390000-0x00000000013EA000-memory.dmp

memory/3080-7-0x0000000074DA0000-0x0000000074EEC000-memory.dmp

memory/3080-13-0x0000000000F20000-0x0000000000F8A000-memory.dmp

memory/3080-15-0x0000000001390000-0x00000000013EA000-memory.dmp