lumma | 7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b

General

Target

7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
Size

3.9MB
MD5

a8001f151c1ce13aac56097a2bf1f789
SHA1

414d9f4219570bc75eb6e6cf2932c4fb407afa56
SHA256

7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b
SHA512

9c20f91c378d9559f6e5115857401def02145bb665a4c64f7842175b077bb6406544caa8197c9713f9b22943ffd87405beb809cf0e684c53b934acfe8d421060
SSDEEP

49152:ZHVpQMSWLLKUmQUSgYaNrb5c90DNQdjK/c0kCs:Z1pjSWL5

Score

10^/10

lumma discovery spyware stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

description	pid	process	target process
PID 3032 set thread context of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4152 powershell.exe
4152 powershell.exe
4152 powershell.exe

pid	process
4152	powershell.exe
4152	powershell.exe
4152	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

description	pid	process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

description	pid	process	target process
PID 3032 wrote to memory of 4152	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	powershell.exe
PID 3032 wrote to memory of 4152	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	powershell.exe
PID 3032 wrote to memory of 4152	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	powershell.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
PID 3032 wrote to memory of 2112	3032	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe	7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe

C:\Users\Admin\AppData\Local\Temp\7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
"C:\Users\Admin\AppData\Local\Temp\7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Users\Admin\AppData\Local\Temp\7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
C:\Users\Admin\AppData\Local\Temp\7fb411ee3e34e4b79b372b7d2321bf69b46de30c3286edccb7621562caefb60b.exe
2⤵
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mrgmxjs.dro.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2112-169-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2112-168-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2112-167-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2112-166-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2112-165-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2112-163-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3032-156-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3032-127-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3032-129-0x0000000006BF0000-0x0000000006C12000-memory.dmp

Filesize
136KB

Download
memory/3032-121-0x0000000005390000-0x000000000588E000-memory.dmp

Filesize
5.0MB

Download
memory/3032-122-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/3032-123-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3032-128-0x0000000006B10000-0x0000000006BA2000-memory.dmp

Filesize
584KB

Download
memory/3032-124-0x0000000006560000-0x000000000670C000-memory.dmp

Filesize
1.7MB

Download
memory/3032-125-0x0000000006710000-0x0000000006A60000-memory.dmp

Filesize
3.3MB

Download
memory/3032-126-0x0000000006A80000-0x0000000006ACB000-memory.dmp

Filesize
300KB

Download
memory/3032-120-0x0000000000170000-0x0000000000554000-memory.dmp

Filesize
3.9MB

Download
memory/4152-135-0x00000000076C0000-0x0000000007726000-memory.dmp

Filesize
408KB

Download
memory/4152-154-0x0000000009900000-0x0000000009F78000-memory.dmp

Filesize
6.5MB

Download
memory/4152-155-0x0000000008EA0000-0x0000000008EBA000-memory.dmp

Filesize
104KB

Download
memory/4152-139-0x00000000080C0000-0x0000000008136000-memory.dmp

Filesize
472KB

Download
memory/4152-157-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4152-158-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4152-138-0x00000000078A0000-0x00000000078BC000-memory.dmp

Filesize
112KB

Download
memory/4152-137-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4152-136-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/4152-134-0x00000000078D0000-0x0000000007936000-memory.dmp

Filesize
408KB

Download
memory/4152-133-0x0000000006F80000-0x00000000075A8000-memory.dmp

Filesize
6.2MB

Download
memory/4152-132-0x0000000004900000-0x0000000004936000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads