Analysis

  • max time kernel
    49s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 10:17

General

  • Target
    Aura.zip
  • Size
    55.9MB
  • MD5
    46254f0a0bcff2eefa785dd43ee9a72f
  • SHA1
    37973671fa7e9c86c4ca613d912020d5456eefb6
  • SHA256
    dfcc3827140fce18c03481f753685352b94c6d5e574aa03565bb2dfb1d63a989
  • SHA512
    b02f206b80191ceb346b4c2c1edecdc0239a68c08ea982feab303bf5cb465192ac97e3a88d243c695cd1d30ec84eea71aec72b8ad8208fe6336d637f5deb8488
  • SSDEEP
    1572864:0PwxwCbvqT0T+11q5AFfbVDril6hweION1mTdmVzIKAb:Jbvqga11q5AFTV3phVI2goze

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

C2

https://fancywaxxers.shop/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aura.zip"
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1664
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:5004
  • C:\Users\Admin\Desktop\Aura\Aura.exe
    "C:\Users\Admin\Desktop\Aura\Aura.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      • System Location Discovery: System Language Discovery
      PID:2288
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1028
      • Program crash
      PID:4420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1988 -ip 1988
    PID:2824
  • C:\Users\Admin\Desktop\Aura\Aura.exe
    "C:\Users\Admin\Desktop\Aura\Aura.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      • System Location Discovery: System Language Discovery
      PID:3380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 996
      • Program crash
      PID:2800
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3352 -ip 3352
    PID:2000
  • C:\Users\Admin\Desktop\Aura\Aura.exe
    "C:\Users\Admin\Desktop\Aura\Aura.exe"
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      • System Location Discovery: System Language Discovery
      PID:4528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 996
      • Program crash
      PID:316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1600 -ip 1600
    PID:4520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\gdi32.dll
    Filesize: 436KB
    MD5: 4c75f5cb5f99071569caffce62b2de48
    SHA1: 173fac0a15df5eeb7021a66920df0a1622fc5e4d
    SHA256: e085b0ce5c6e8fcab3b20c2fa97f73682e4e2d7b8e68a9425e6cb523e61fc1f0
    SHA512: 082d3fed175fe3afec5bf80ab551949dac70ebf648c14d0ed210deb89a4f374bbf91f8f996542b19efb2998948aae765f3f98feec8a8054fa1046dcc9d3222f2
  • C:\Users\Admin\Desktop\Aura\Aura.exe
    Filesize: 727KB
    MD5: abbb725d44fb5c30a8d6d68793c0e376
    SHA1: 7cf053cffa5f931e2317120a9878cbb9cebbdcb6
    SHA256: 5b0c3d9f69fc3eb336481f5f71a29b342049a8c956e13e677f3faf5bc86ccdd1
    SHA512: 0b07c9db7d7ec739b9fcec48d71705a43d83e8236efec343a99618fbe18ebdce5cb075c818a4c07f752441d7608a70da5ac119c66bfddefeb55c8828f619bd3c
  • memory/1988-388-0x0000000074690000-0x0000000074E40000-memory.dmp
    Filesize: 7.7MB
  • memory/1988-380-0x0000000002B10000-0x0000000002B16000-memory.dmp
    Filesize: 24KB
  • memory/1988-379-0x0000000000700000-0x00000000007BC000-memory.dmp
    Filesize: 752KB
  • memory/1988-387-0x0000000074690000-0x0000000074E40000-memory.dmp
    Filesize: 7.7MB
  • memory/1988-378-0x000000007469E000-0x000000007469F000-memory.dmp
    Filesize: 4KB
  • memory/1988-397-0x0000000074690000-0x0000000074E40000-memory.dmp
    Filesize: 7.7MB
  • memory/2288-393-0x00000000009A0000-0x00000000009F6000-memory.dmp
    Filesize: 344KB
  • memory/2288-389-0x00000000009A0000-0x00000000009F6000-memory.dmp
    Filesize: 344KB
  • memory/2288-396-0x00000000009A0000-0x00000000009F6000-memory.dmp
    Filesize: 344KB
  • memory/3380-406-0x00000000011A0000-0x00000000011F6000-memory.dmp
    Filesize: 344KB
  • memory/3380-409-0x00000000011A0000-0x00000000011F6000-memory.dmp
    Filesize: 344KB
  • memory/4528-418-0x0000000000B50000-0x0000000000BA6000-memory.dmp
    Filesize: 344KB
  • memory/4528-421-0x0000000000B50000-0x0000000000BA6000-memory.dmp
    Filesize: 344KB