Analysis

  • max time kernel
    1267s
  • max time network
    1269s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-11-2024 10:16

General

  • Target

    cincinati.zip

  • Size

    982KB

  • MD5

    4b1eee4ab5a46f1215f7397a650e385f

  • SHA1

    93104208b9a3e25900e2c6489c398ec1ae07db56

  • SHA256

    3d36c412f3e9bd9983629b45cc34dc5ac1d48cec7232a3d8ace19ae1181f7649

  • SHA512

    c25c93642125540ac105932fe813243357df50d48cea289effa259a3e7cc2b272e3674c3119ae075412d214ca71b05d9e9414d0a6d50d033364bbf2258d07bb3

  • SSDEEP

    24576:toTUYr0y8REypuQNALZmH5H81Dn81bQ1Sy:t4USz8REyc3LZmZKn91V

Malware Config

Extracted

Family

lumma

C2

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

  • Lumma Stealer, LummaC

    Lumma, also known as LummaC, is an infostealer written in C++ that was first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies registry class 34 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 38 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
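
The "Event Triggered Execution: Accessibility Features" signature above fires because utilman.exe and osk.exe appear in the process tree. In this report utilman.exe is the Ease of Access launcher and osk.exe is one of the tools it normally starts, so the tree alone does not show a hijack. The script below is an added example, not part of the sandbox report, showing the two checks an analyst would run to separate that from a real accessibility-feature backdoor: it parses `reg query ... /s` output for Image File Execution Options debugger entries on the accessibility binaries, and it flags the logon-time launchers spawning a shell. The registry text and the winlogon.exe -> cmd.exe pair are constructed for the demonstration; only the explorer.exe -> utilman.exe -> osk.exe pairs come from the report.

```python
"""
Added example: audit for accessibility-feature hijacks (sticky keys / utilman
style backdoors).  Runs offline on captured text; nothing here is the sandbox's
own signature logic.
"""
import re

ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
# Processes that start the accessibility tools from the logon screen / Ease of Access.
LAUNCHERS = {"winlogon.exe", "utilman.exe", "atbroker.exe"}
# A launcher spawning one of these instead of an accessibility tool is the classic backdoor.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "taskmgr.exe"}

# Constructed `reg query "HKLM\...\Image File Execution Options" /s` output:
# one benign GlobalFlag entry and one hijacked sethc.exe entry (not from the report).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    GlobalFlag    REG_DWORD    0x200

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe
"""


def parse_reg_query(text):
    """Yield (subkey, value_name, value_type, data) tuples from `reg query /s` text.

    reg.exe prints the key on its own line and each value indented by four
    spaces with the name, type and data separated by runs of spaces."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(fields) == 3:
                yield key, fields[0], fields[1], fields[2]


def ifeo_debugger_hijacks(text):
    """Return [(image, debugger)] for accessibility binaries that have an IFEO Debugger set."""
    hits = []
    for key, name, _vtype, data in parse_reg_query(text):
        image = key.rsplit("\\", 1)[-1].lower()
        if name.lower() == "debugger" and image in ACCESSIBILITY_BINARIES:
            hits.append((image, data))
    return hits


def suspicious_accessibility_children(pairs):
    """Return the (parent, child) pairs where a logon-time launcher spawns a shell.

    With an IFEO debugger the debugger binary replaces the accessibility tool in
    the process tree, so a sticky-keys backdoor surfaces as winlogon.exe -> cmd.exe
    rather than as sethc.exe -> cmd.exe."""
    return [(p, c) for p, c in pairs
            if p.lower() in LAUNCHERS and c.lower() in SHELLS]


if __name__ == "__main__":
    print("IFEO hijacks:", ifeo_debugger_hijacks(SAMPLE_REG_QUERY))
    # Pairs from the report (benign) plus one constructed backdoor pair.
    tree = [("explorer.exe", "utilman.exe"), ("utilman.exe", "osk.exe"),
            ("winlogon.exe", "cmd.exe")]
    print("suspicious launches:", suspicious_accessibility_children(tree))
```

On a live host, capture the registry text with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s > ifeo.txt` and pass the file contents to `ifeo_debugger_hijacks`; the two pairs taken from this report produce no finding, which is the expected result for the Ease of Access path.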

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\cincinati.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\7zOC7BFDB57\RomanticCopyright.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC7BFDB57\RomanticCopyright.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1488
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa opssvc"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1072
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
        • C:\Windows\SysWOW64\findstr.exe
          findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:752
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 796989
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2496
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "SigConsumptionDisciplinesSong" Envelope
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1780
        • C:\Users\Admin\AppData\Local\Temp\796989\Dept.com
          Dept.com I
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:600
        • C:\Windows\SysWOW64\choice.exe
          choice /d y /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          PID:524
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2380
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2444
    • C:\Users\Admin\AppData\Local\Temp\796989\Dept.com
      "C:\Users\Admin\AppData\Local\Temp\796989\Dept.com"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2536
    • C:\Windows\system32\osk.exe
      "C:\Windows\system32\osk.exe"
      1⤵
        PID:2744
      • C:\Windows\system32\utilman.exe
        utilman.exe /debug
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\System32\osk.exe
          "C:\Windows\System32\osk.exe"
          2⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2908
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\796989\Dept.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2192
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4f8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
        1⤵
        • System Location Discovery: System Language Discovery
        PID:2436
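
The cmd.exe subtree above is the whole loader in the clear: the dropped file Uni is renamed to Uni.cmd and run, tasklist output is grepped for security-product processes, findstr /V strips a marker line out of Envelope to carve the interpreter that becomes Dept.com, copy /b glues Wan, Module, Is, Read, Bibliography, Match and Qld into I, Dept.com is launched with I as its argument, and choice /d y /t 5 supplies a delay. The script below is an added example and not part of the sandbox report: it runs that reading over the command lines copied from the process tree, gives a verdict, parses the copy /b order, checks the reported chunk sizes against the reported size of I, and rebuilds the concatenation the way copy /b does. The stage names, regular expressions and the chunk bytes used for the rebuild are this example's own assumptions.

```python
"""
Added example: triage the cmd.exe loader chain from the process tree.  Command
lines are copied from the report; everything else is this example's assumption.
"""
import hashlib
import re

# Command lines recorded in the report's process tree (copied, not captured live).
REPORTED_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd',
    r'tasklist',
    r'findstr /I "wrsa opssvc"',
    r'tasklist',
    r'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"',
    r'cmd /c md 796989',
    r'findstr /V "SigConsumptionDisciplinesSong" Envelope',
    r'cmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I',
    r'Dept.com I',
    r'choice /d y /t 5',
]

# Process names the loader greps the tasklist output for (from the findstr arguments).
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}

# Sizes the report lists for the chunk files and for the rebuilt file I (KB, rounded).
REPORTED_CHUNK_KB = {"Wan": 74, "Module": 86, "Is": 56, "Read": 62,
                     "Bibliography": 91, "Match": 81, "Qld": 39}
REPORTED_I_KB = 489


def classify(cmdline):
    """Map one command line to a loader stage name, or None if it is not one."""
    low = cmdline.lower()
    if re.search(r"copy\s+\S+\s+\S+\.cmd\s*&\s*\S+\.cmd", low):
        return "rename-and-run batch"
    if low.startswith("findstr") and any(name in low for name in AV_PROCESS_NAMES):
        return "AV process check"
    if low.startswith("findstr /v"):
        return "carve payload (strip marker line)"
    if re.search(r"copy\s+/b\s", low):
        return "concatenate chunks"
    if re.search(r"\b\S+\.com\s+\S+$", low):
        return "run .com with script argument"
    if low.startswith("choice /d y /t"):
        return "delay via choice"
    return None


def triage(cmdlines):
    """Return {stage: first command line that matched} over a process tree."""
    found = {}
    for cmd in cmdlines:
        stage = classify(cmd)
        if stage and stage not in found:
            found[stage] = cmd
    return found


def is_batch_loader(found):
    """Verdict: require the AV check, the concatenation and the .com launch together."""
    required = {"AV process check", "concatenate chunks", "run .com with script argument"}
    return required <= set(found)


def parse_copy_b(cmdline):
    """Split `copy /b a + b + c dest` into (ordered leaf names, dest leaf name)."""
    m = re.search(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.I)
    if not m:
        return None

    def leaf(path):
        return re.split(r"[\\/]", path.strip())[-1]

    return [leaf(p) for p in m.group(1).split("+")], leaf(m.group(2))


def sizes_consistent(parts, chunk_kb, total_kb):
    """Check the reported chunk sizes add up to the reported size of the output.
    Each size is rounded to whole KB, so allow one KB of slack per chunk."""
    return abs(sum(chunk_kb[p] for p in parts) - total_kb) <= len(parts)


def rebuild(parts, chunks):
    """Concatenate the chunks in command-line order (what copy /b does) and hash it.
    `chunks` maps leaf name -> bytes; on a real extraction read the files from
    the sandbox's Temp directory into that dict."""
    data = b"".join(chunks[p] for p in parts)
    return data, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    found = triage(REPORTED_CMDLINES)
    for stage, cmd in found.items():
        print(f"{stage:38s} <- {cmd}")
    print("batch loader verdict:", is_batch_loader(found))
    parts, dest = parse_copy_b(found["concatenate chunks"])
    print("chunk order:", parts, "->", dest,
          "| reported sizes consistent:", sizes_consistent(parts, REPORTED_CHUNK_KB, REPORTED_I_KB))
    # Constructed chunk bytes for demonstration only; the real files are not on this page.
    demo_chunks = {name: name.encode() + b"\x00" for name in parts}
    data, digest = rebuild(parts, demo_chunks)
    print(len(data), "bytes rebuilt, sha256", digest)
```

The size check is worth keeping in a triage script: the seven chunk sizes listed under Downloads sum to the 489KB reported for I, which confirms that I is the plain concatenation and that hashing the rebuilt file from an extracted Temp directory should reproduce the SHA256 the report gives for I.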

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\796989\I

        Filesize

        489KB

        MD5

        35431b1f719e5f8edd3ee4c56d590bc9

        SHA1

        c4667dc8990f03e9d3410e636957d5e9c73773c7

        SHA256

        427536f6a144672b8c5cd873d89c0374dab2c6383256347eef80b291729b99b0

        SHA512

        358ea29b484c7e7d493fec6270a7d3a6147852ba68f1c1f5fd9dc277e65dc24239b3718fb1ca986f354b5ebc954dae51f1e478db9d034a6f3417f6564d967fbd

      • C:\Users\Admin\AppData\Local\Temp\7zOC7BFDB57\RomanticCopyright.exe

        Filesize

        10.0MB

        MD5

        a737e94c53a284ae8c712eb7b2a2d209

        SHA1

        a5d4113415f38413b5bcc2698e4aaf573cf8217c

        SHA256

        677b2f7ea578826adb9c0f359c6436c364f712803080b38d81ecc1f25e5b97f5

        SHA512

        ab87ef25549d4860269015d279aaf90a35bfd4c26457271a84cacf64c0a0c97d0e4c435136fb9defd2c64307d1bc1e9596ee278c868e101f6a2c657f87bd80b6

      • C:\Users\Admin\AppData\Local\Temp\Bibliography

        Filesize

        91KB

        MD5

        0124e182e6ab32c597551f987c8efc9e

        SHA1

        5b1504b161a4748cfdff1463b4a370b7ee6caf14

        SHA256

        6484dd9a145b3178a2534dd802441a7b8d08a679c3241c11395c22bfa6ba6826

        SHA512

        70e76a19d9f3382e14463e9f79dee0db404482e714f1ca9b0330ad144c055b6c6464d9be6bbb94e7e05048925b8f2dd1049276b4982722b7e8a2d8fe7e2dd010

      • C:\Users\Admin\AppData\Local\Temp\CabBC7E.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Envelope

        Filesize

        1KB

        MD5

        930b977ce8cf5c68e617c0cc083b6915

        SHA1

        07ab167616b479dd68ea9cfdad2c51d180757596

        SHA256

        cd56fdf1345808d2c8d7a099dabc0d8667581b2888fa973eba477509f7875f3e

        SHA512

        a823ba03f129037c1feb58f7f5408070f512dc0d4044cbaa5aa28295a1e7d952b4172119a1609c271273e8b31ec6aed5d4b3a570cfc5bbc3846821eb1f791814

      • C:\Users\Admin\AppData\Local\Temp\Is

        Filesize

        56KB

        MD5

        84df1af81b44c0e9ac087f6b724dbfe1

        SHA1

        c2604b423fa3a1dfd0d41fd05364f390db94e0f0

        SHA256

        649f01b11633d4f45165010db7e1150d9ddf533fb2906cc7f26ebf4d3807d2c4

        SHA512

        b69aca208184bac03392a91a04cb737772576a2e29ad8a9549d1917c88e86d2fe12e22d9d1a9d01dd08eb1fefa27c13c26a14c41a0551e75dc72f3d64ce97403

      • C:\Users\Admin\AppData\Local\Temp\Match

        Filesize

        81KB

        MD5

        cce2e35fcd13802b894592bfa8bc4832

        SHA1

        e4b2ebbcea783891bae927d45a5d20a99b0d2c57

        SHA256

        49c9f0a08d446ac52e26ec0a79578d6e8cd0363adce44af727c537c2c127f278

        SHA512

        1f2ac58895ebf1a4c3989a5d76ffac39012fe511030508bfef1c164e0d8301f5f7ce2b87381604b1fa1a0443b5f6ca59948061f7a2f7634d6cdfa0880dc33798

      • C:\Users\Admin\AppData\Local\Temp\Module

        Filesize

        86KB

        MD5

        c3a23aa50702baadcffdb632c0781eaf

        SHA1

        26adb4b06851eb66a2fc3a4b2dc29055e6291e91

        SHA256

        e27aec3fc7086af2906fbf8d5a1a17e3f6871651f2663f8e5a3f5b44dd1e7d61

        SHA512

        545aefc06ba554d32183d8e96f3eafc6204e609d95c4bc8e8bbede315ccc78605d916533fabe995dd9e50b3a0ea63d12e64445e3346dafe24267281b8ca23284

      • C:\Users\Admin\AppData\Local\Temp\Qld

        Filesize

        39KB

        MD5

        47b8c8360718381beb75b78cad9989d4

        SHA1

        b1c9ed94b846670c0fbb0322b607b3e5affce120

        SHA256

        0d7c733985efc3042c41b2b26c32b7b8ce65ff9071ebdd872c3d0520a18351ed

        SHA512

        724d7030e1fab1adc5a9798e18cf75c11159cce1e57ab493a4595bdb14b68129c46a518616c427131963a7fd06e741965faca545fc5f007ab120cf28c1fe4d98

      • C:\Users\Admin\AppData\Local\Temp\Read

        Filesize

        62KB

        MD5

        b09b69ffbbb1c92beb55c7fd798c8c66

        SHA1

        a648e5a9721d8623dd6fca06d5295d1f07b13519

        SHA256

        4b54975d3405ea89c477daa9802d93b4a56683a901039d31e8eb1218deb742fa

        SHA512

        74d6cb22483b46a36887584c97060b16a1f8b6dcc280a8d9c7456d1c8c174b61487990af0bd7426b431ca7fde197ade2f5785784d27ab4371003feaecf2bb409

      • C:\Users\Admin\AppData\Local\Temp\Standing

        Filesize

        919KB

        MD5

        4414fe8f2635b6344106903d0f52455d

        SHA1

        70f135830f92733b3f0bbdfa35b1f0e36e9e5746

        SHA256

        578f765c46f2b2842f3455c37549326a9ea665aeedf5b86f6c3ff0be1a5f1244

        SHA512

        3c818c29afc91ce177db19c91026017cb567e2e6b0727ba271d66cc5c4f107661a677abc4ea5d1c281c56b3de166ed8ceaf298fa2ecb8f50a08bc1fcb6a0c91f

      • C:\Users\Admin\AppData\Local\Temp\TarBCA0.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • C:\Users\Admin\AppData\Local\Temp\Uni.cmd

        Filesize

        7KB

        MD5

        df066c1e3038ff1c556a50a0782e0de1

        SHA1

        ebad7031e3b7651898e3d916d0aa0cb09397d03a

        SHA256

        cb4ca6cf393c39f6fffab51f095518826e38d4eff4fb0f42aa1fb9a4d7ef0b3a

        SHA512

        649874ac78af57207d1d06059e9e5eac3814c13910d08e9325cb500434ad4cb553cdab659db3291839523d0ae636251ac925224db04ea29dde8be41e1d8cb194

      • C:\Users\Admin\AppData\Local\Temp\Wan

        Filesize

        74KB

        MD5

        cf96668f1c4973c8b43a72d90221e4d3

        SHA1

        3b512b9979650f556936a5b0866387820d112745

        SHA256

        720160bb915923d8cf54be5d580ac5c13e67a261daf3ae65f972435dd716cd07

        SHA512

        1d9c6299cce257f780252fe4805836f4f27914a816ef89d81119e2553008083754bdb16f25f895f85e35ccb5daa5c5f79fcff2d203b40c5444c88f9fc76b276e

      • \Users\Admin\AppData\Local\Temp\796989\Dept.com

        Filesize

        921KB

        MD5

        78ba0653a340bac5ff152b21a83626cc

        SHA1

        b12da9cb5d024555405040e65ad89d16ae749502

        SHA256

        05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

        SHA512

        efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

      • memory/600-226-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/600-228-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/600-224-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/600-223-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/600-227-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/600-225-0x00000000037A0000-0x00000000037FF000-memory.dmp

        Filesize

        380KB

      • memory/2536-265-0x0000000004C80000-0x0000000004C82000-memory.dmp

        Filesize

        8KB

      • memory/2908-267-0x0000000002F70000-0x0000000002F80000-memory.dmp

        Filesize

        64KB