Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-12-2024 00:01

General

  • Target

    Release.zip

  • Size

    37.8MB

  • MD5

    6244f9a11555ee2cf7448e82507ecaa5

  • SHA1

    293cf286e48182cfc9ead87b72a64734ed873daa

  • SHA256

    6e0d32ab1bc8782648c009393a01443fbdf1ab119597d7e915df80cb1fefa84f

  • SHA512

    415059cbd9c741f863d000c0e44fbceaaec0212270be7b095a9a1b0468ecf1ac951660d735c8ff4691f953e2159d50b3c037cf2e0104097f813b943e7ebbdbff

  • SSDEEP

    786432:FL9wPFA0z7sgXBYJ5ebRgtxUEk8VbfSrQMY3P4xplfFQZv5FLidh20EfIVXGR:FuqIsgeJftWgbFMY/4ddQOtGR

Malware Config

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://spellshagey.biz/api

Extracted

Family

lumma

C2

https://spellshagey.biz/api

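The two extracted configs above overlap (spellshagey.biz appears in both), and the report gives the C2 endpoints as full URLs, while the artifacts a defender usually has are DNS or proxy log lines and file hashes. The following script is an added example, not part of the sandbox report or of any vendor tooling: it reduces the C2 URLs to a deduplicated host set, matches hosts with a suffix test rather than a substring test (so a look-alike such as notspellshagey.biz does not fire), and checks a file inventory against the SHA256 values from the report. The DNS lines, client IPs and the inventory are constructed for the example; only the URLs and hashes come from the report.

```python
"""IOC matcher for the Lumma C2 hosts and file hashes listed in this report.

Added example. The log lines and hash inventory are constructed; the C2 URLs
and SHA256 values are copied from the report above.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as listed in both "Extracted" configs; the second config
# repeats spellshagey.biz, which the set below dedupes.
C2_URLS = [
    "https://sordid-snaked.cyou/api",
    "https://awake-weaves.cyou/api",
    "https://wrathful-jammy.cyou/api",
    "https://debonairnukk.xyz/api",
    "https://diffuculttan.xyz/api",
    "https://effecterectz.xyz/api",
    "https://deafeninggeh.biz/api",
    "https://immureprech.biz/api",
    "https://spellshagey.biz/api",
    "https://spellshagey.biz/api",
]

# SHA256 of the submitted archive and of the dropped Bootstrapper.exe (from the report).
KNOWN_SHA256 = {
    "6e0d32ab1bc8782648c009393a01443fbdf1ab119597d7e915df80cb1fefa84f": "Release.zip",
    "e6042c8081fccdf46c82cd7f1548cc9d135c5ef04af91f925c4e980bfcccee2e": "Bootstrapper.exe",
}

# Constructed DNS log lines: "<timestamp> <client> <qname>". Mixed case and a
# trailing dot are deliberate; line 4 is a look-alike that must NOT match.
SAMPLE_DNS = [
    "2024-12-20T00:02:11Z 10.0.0.15 spellshagey.biz.",
    "2024-12-20T00:02:12Z 10.0.0.15 www.microsoft.com.",
    "2024-12-20T00:02:13Z 10.0.0.22 WWW.DEBONAIRNUKK.XYZ",
    "2024-12-20T00:02:14Z 10.0.0.22 notspellshagey.biz.",
]

# Constructed file inventory {path: sha256}; the all-zero digest is a placeholder.
SAMPLE_INVENTORY = {
    r"C:\Users\Admin\Downloads\Release.zip":
        "6E0D32AB1BC8782648C009393A01443FBDF1AB119597D7E915DF80CB1FEFA84F",
    r"C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe":
        "e6042c8081fccdf46c82cd7f1548cc9d135c5ef04af91f925c4e980bfcccee2e",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}


def c2_hosts(urls):
    """Lower-cased, deduplicated host names taken from the C2 URL list."""
    return {urlsplit(u).hostname.lower() for u in urls}


def host_matches(host, iocs):
    """True if host equals an IOC or is a subdomain of one (suffix test, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def scan_dns_log(lines, iocs):
    """Return (line_no, qname, client) for every query that resolves a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        if host_matches(qname, iocs):
            hits.append((n, qname.lower().rstrip("."), client))
    return hits


def scan_hash_inventory(inventory, known):
    """Return (path, label) for every file whose SHA256 is in the known-bad table."""
    return [(p, known[h.lower()]) for p, h in inventory.items() if h.lower() in known]


def run():
    iocs = c2_hosts(C2_URLS)
    return scan_dns_log(SAMPLE_DNS, iocs), scan_hash_inventory(SAMPLE_INVENTORY, KNOWN_SHA256)


if __name__ == "__main__":
    dns_hits, hash_hits = run()
    for n, host, client in dns_hits:
        print(f"DNS line {n}: {client} resolved C2 host {host}")
    for path, label in hash_hits:
        print(f"hash match: {path} is {label}")
```

Hash comparison is case-normalised because tools report digests in either case; the DNS test strips the trailing dot that passive-DNS and BIND-style logs append. Hostname matching is only a first pass for a family like Lumma, whose C2 domains rotate; the hashes of the dropped executable are the more stable indicator from this report.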
Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\7zO8337B3D6\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8337B3D6\Bootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2780
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2572
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap18878:94:7zEvent24895
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2876
    • C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2596
    • C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1428
    • C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2052

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zO8337B3D6\Bootstrapper.exe

      Filesize

      331KB

      MD5

      3435c5c34e15c946884b4d2f90d326f9

      SHA1

      04ba456f3e9b7f7c4737c4b220d2c8c8f978d6cc

      SHA256

      e6042c8081fccdf46c82cd7f1548cc9d135c5ef04af91f925c4e980bfcccee2e

      SHA512

      049406cca513436b25501951df25abba69f21b0f1668ed9279b68157ef8bf480dd8038f8b54bc0078ab98787fbd39f65e7ad7ef111f16b03eee669c107611eda

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\.tests\isfile.txt

      Filesize

      7B

      MD5

      260ca9dd8a4577fc00b7bd5810298076

      SHA1

      53a5687cb26dc41f2ab4033e97e13adefd3740d6

      SHA256

      aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

      SHA512

      51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

      Filesize

      8KB

      MD5

      0962291d6d367570bee5454721c17e11

      SHA1

      59d10a893ef321a706a9255176761366115bedcb

      SHA256

      ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

      SHA512

      f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

      Filesize

      16B

      MD5

      46295cac801e5d4857d09837238a6394

      SHA1

      44e0fa1b517dbf802b18faf0785eeea6ac51594b

      SHA256

      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

      SHA512

      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

      Filesize

      41B

      MD5

      5af87dfd673ba2115e2fcf5cfdb727ab

      SHA1

      d5b5bbf396dc291274584ef71f444f420b6056f1

      SHA256

      f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

      SHA512

      de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

      Filesize

      8KB

      MD5

      cf89d16bb9107c631daabf0c0ee58efb

      SHA1

      3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

      SHA256

      d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

      SHA512

      8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

      Filesize

      264KB

      MD5

      a833653a021f29ee2ec1a845e0c2308f

      SHA1

      05071159d3c2516d67b765cef012a0a2d3337759

      SHA256

      8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7

      SHA512

      0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

      Filesize

      8KB

      MD5

      41876349cb12d6db992f1309f22df3f0

      SHA1

      5cf26b3420fc0302cd0a71e8d029739b8765be27

      SHA256

      e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

      SHA512

      e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

    • C:\Users\Admin\AppData\Local\Temp\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

      Filesize

      24B

      MD5

      54cb446f628b2ea4a5bce5769910512e

      SHA1

      c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

      SHA256

      fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

      SHA512

      8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

    • memory/1428-680-0x0000000000400000-0x000000000082C000-memory.dmp

      Filesize

      4.2MB

    • memory/2052-681-0x0000000000400000-0x000000000082C000-memory.dmp

      Filesize

      4.2MB

    • memory/2596-677-0x0000000000400000-0x000000000082C000-memory.dmp

      Filesize

      4.2MB

    • memory/2780-14-0x0000000000400000-0x000000000082C000-memory.dmp

      Filesize

      4.2MB