lumma | e190e4156d84f4311c5a4b10471bc3465847d6f8aee11a3d7598ca70733a0b71

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c210363cbccbc72e12118622bbbc7083.exe
Size

144KB
MD5

c210363cbccbc72e12118622bbbc7083
SHA1

0305709f74dfee6377f62fa67f5addabcd00efea
SHA256

e190e4156d84f4311c5a4b10471bc3465847d6f8aee11a3d7598ca70733a0b71
SHA512

096cffcfd01e4685893c3e0c606cccab813b4c967f92b70b985fd958e8c49830e17719b60922c3328a792e6add315cc590f6a935735dac38eeadb734af284bdc
SSDEEP

3072:TahKyd2n31ZC5NfvRC5Xv5lX+RXcMNAUjc3dfPRjTyHDn:TahOPKRk/+RXRjsPRa

Score

10^/10

lumma discovery persistence spyware stealer

Malware Config

Extracted

Family

lumma

gstatic-node.io

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 3 IoCs

Processes:

sisterlaboratory.exesisterlaboratory.exesisterllaboratory.exe

pid process

2944 sisterlaboratory.exe
5028 sisterlaboratory.exe
3520 sisterllaboratory.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2944	sisterlaboratory.exe
5028	sisterlaboratory.exe
3520	sisterllaboratory.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c210363cbccbc72e12118622bbbc7083.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	c210363cbccbc72e12118622bbbc7083.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c210363cbccbc72e12118622bbbc7083.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

sisterlaboratory.exe

description pid process target process

PID 2944 set thread context of 5028 2944 sisterlaboratory.exe sisterlaboratory.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sisterlaboratory.exesisterllaboratory.exe

description pid process

Token: SeDebugPrivilege 2944 sisterlaboratory.exe
Token: SeDebugPrivilege 3520 sisterllaboratory.exe

description	pid	process	target process
PID 2944 set thread context of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe

description	pid	process
Token: SeDebugPrivilege	2944	sisterlaboratory.exe
Token: SeDebugPrivilege	3520	sisterllaboratory.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c210363cbccbc72e12118622bbbc7083.exesisterlaboratory.exe

description	pid	process	target process
PID 1380 wrote to memory of 2944	1380	c210363cbccbc72e12118622bbbc7083.exe	sisterlaboratory.exe
PID 1380 wrote to memory of 2944	1380	c210363cbccbc72e12118622bbbc7083.exe	sisterlaboratory.exe
PID 1380 wrote to memory of 2944	1380	c210363cbccbc72e12118622bbbc7083.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 2944 wrote to memory of 5028	2944	sisterlaboratory.exe	sisterlaboratory.exe
PID 1380 wrote to memory of 3520	1380	c210363cbccbc72e12118622bbbc7083.exe	sisterllaboratory.exe
PID 1380 wrote to memory of 3520	1380	c210363cbccbc72e12118622bbbc7083.exe	sisterllaboratory.exe

C:\Users\Admin\AppData\Local\Temp\c210363cbccbc72e12118622bbbc7083.exe
"C:\Users\Admin\AppData\Local\Temp\c210363cbccbc72e12118622bbbc7083.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe
    3⤵
    - Executes dropped EXE
    PID:5028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterllaboratory.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterllaboratory.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe

Filesize
29KB

MD5
a25bcf04d4b89bf3cb81e1ed385ffa60

SHA1
80383e91fd13a1fd8b4536ab22b58059b5ae585b

SHA256
a04ed08386329b18c80d97f879e35b971398eed3de397d040e3f3a8189751de6

SHA512
36c76d9352ea80d706a647cb80722acf3e002dee8512558328c7c239e70cc22a5951ce89e1e239876d98ded5d6bd32f777f4e7089bc5f51878864c72c16f395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe

Filesize
29KB

MD5
a25bcf04d4b89bf3cb81e1ed385ffa60

SHA1
80383e91fd13a1fd8b4536ab22b58059b5ae585b

SHA256
a04ed08386329b18c80d97f879e35b971398eed3de397d040e3f3a8189751de6

SHA512
36c76d9352ea80d706a647cb80722acf3e002dee8512558328c7c239e70cc22a5951ce89e1e239876d98ded5d6bd32f777f4e7089bc5f51878864c72c16f395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterlaboratory.exe

Filesize
29KB

MD5
a25bcf04d4b89bf3cb81e1ed385ffa60

SHA1
80383e91fd13a1fd8b4536ab22b58059b5ae585b

SHA256
a04ed08386329b18c80d97f879e35b971398eed3de397d040e3f3a8189751de6

SHA512
36c76d9352ea80d706a647cb80722acf3e002dee8512558328c7c239e70cc22a5951ce89e1e239876d98ded5d6bd32f777f4e7089bc5f51878864c72c16f395d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterllaboratory.exe

Filesize
29KB

MD5
d5015e9f58ba9b9323beb619a0facc0a

SHA1
178d56c38329804eae86391c697c2732790ec923

SHA256
e33ff871c04ee78873df7a09e162cae176540a0da1e935f985102058cce76742

SHA512
c42e5799e58f097d7193841530f7081c659d991fc4bba5e5af4cd19623af2c93fe37312124048e966b944efd23b008b17a05c01b5592547aac48516a828b895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sisterllaboratory.exe

Filesize
29KB

MD5
d5015e9f58ba9b9323beb619a0facc0a

SHA1
178d56c38329804eae86391c697c2732790ec923

SHA256
e33ff871c04ee78873df7a09e162cae176540a0da1e935f985102058cce76742

SHA512
c42e5799e58f097d7193841530f7081c659d991fc4bba5e5af4cd19623af2c93fe37312124048e966b944efd23b008b17a05c01b5592547aac48516a828b895a

Download Submit
memory/2944-186-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-146-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-145-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-192-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-190-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-150-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-152-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-154-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-156-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-158-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-160-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-162-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-164-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-166-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-168-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-170-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-172-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-174-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-176-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-178-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-180-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-182-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-184-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-143-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2944-188-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-148-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-144-0x0000000006280000-0x00000000062A2000-memory.dmp

Filesize
136KB

Download
memory/2944-194-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-196-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-198-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-200-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-204-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-202-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-206-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-208-0x0000000006180000-0x0000000006272000-memory.dmp

Filesize
968KB

Download
memory/2944-302-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2944-1468-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/2944-1469-0x0000000006960000-0x0000000006F04000-memory.dmp

Filesize
5.6MB

Download
memory/2944-142-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2944-140-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2944-1476-0x0000000074C20000-0x00000000753D0000-memory.dmp

Filesize
7.7MB

Download
memory/2944-141-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/3520-1480-0x00000231FC130000-0x00000231FC13E000-memory.dmp

Filesize
56KB

Download
memory/3520-1481-0x00007FFEE8220000-0x00007FFEE8CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-1482-0x00000231FC500000-0x00000231FC510000-memory.dmp

Filesize
64KB

Download
memory/3520-1483-0x00000231FDEB0000-0x00000231FDED2000-memory.dmp

Filesize
136KB

Download
memory/3520-1732-0x00007FFEE8220000-0x00007FFEE8CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-1862-0x00000231FC500000-0x00000231FC510000-memory.dmp

Filesize
64KB

Download
memory/3520-2809-0x00000231FC5B0000-0x00000231FC5B1000-memory.dmp

Filesize
4KB

Download
memory/5028-1475-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5028-1730-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5028-2810-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download