lumma | 96f35b8f39ac3630a9c58f2621bb0cfce873b69c5a1c2a40612130076e07a533

General

Target

levelcomputer/levelcomputer.exe
Size

192.4MB
MD5

760e4dfcad56f67f80ec4b2def63de69
SHA1

0af7b525ac681f37e6e2d80864a5884d1ff76711
SHA256

86a046300c03712f3d07e9c0e50369937b77a7e8183f3e40574da5de7fc5ce6e
SHA512

bdfeb7e1ce7dc861c853708675024f16ef301081f1cb1e8dc31d7f772d8950984b13e973fbbf1d5ca9b10a28b3e8d6de4da5ef33a6f729be462d2d7119acc705
SSDEEP

6291456:RwNK18un4nZCbavGsedutVPsHdPa1UlcF:6NK6tZ6avyutVmd0U

Score

10^/10

lumma persistence stealer

Malware Config

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 4 IoCs

Processes:

BCUninstaller_5_6_setup_1.exeBCUninstaller_5_6_setup_1.exeBCUninstaller_5_6_setup_1.exeAlwaysMouseWheel_11.exe

pid process

4396 BCUninstaller_5_6_setup_1.exe
4976 BCUninstaller_5_6_setup_1.exe
1836 BCUninstaller_5_6_setup_1.exe
656 AlwaysMouseWheel_11.exe

pid	process
4396	BCUninstaller_5_6_setup_1.exe
4976	BCUninstaller_5_6_setup_1.exe
1836	BCUninstaller_5_6_setup_1.exe
656	AlwaysMouseWheel_11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

levelcomputer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	levelcomputer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BCUninstaller_5_6_setup_1.exe

description pid process target process

PID 4396 set thread context of 1836 4396 BCUninstaller_5_6_setup_1.exe BCUninstaller_5_6_setup_1.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1484 1836 WerFault.exe BCUninstaller_5_6_setup_1.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BCUninstaller_5_6_setup_1.exe

pid process

4396 BCUninstaller_5_6_setup_1.exe
4396 BCUninstaller_5_6_setup_1.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BCUninstaller_5_6_setup_1.exeAlwaysMouseWheel_11.exe

description pid process

Token: SeDebugPrivilege 4396 BCUninstaller_5_6_setup_1.exe
Token: SeDebugPrivilege 656 AlwaysMouseWheel_11.exe

description	pid	process	target process
PID 4396 set thread context of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe

pid	pid_target	process	target process
1484	1836	WerFault.exe	BCUninstaller_5_6_setup_1.exe

pid	process
4396	BCUninstaller_5_6_setup_1.exe
4396	BCUninstaller_5_6_setup_1.exe

description	pid	process
Token: SeDebugPrivilege	4396	BCUninstaller_5_6_setup_1.exe
Token: SeDebugPrivilege	656	AlwaysMouseWheel_11.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

levelcomputer.exeBCUninstaller_5_6_setup_1.exe

description	pid	process	target process
PID 4392 wrote to memory of 4396	4392	levelcomputer.exe	BCUninstaller_5_6_setup_1.exe
PID 4392 wrote to memory of 4396	4392	levelcomputer.exe	BCUninstaller_5_6_setup_1.exe
PID 4392 wrote to memory of 4396	4392	levelcomputer.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 4976	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 4976	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 4976	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4396 wrote to memory of 1836	4396	BCUninstaller_5_6_setup_1.exe	BCUninstaller_5_6_setup_1.exe
PID 4392 wrote to memory of 656	4392	levelcomputer.exe	AlwaysMouseWheel_11.exe
PID 4392 wrote to memory of 656	4392	levelcomputer.exe	AlwaysMouseWheel_11.exe

C:\Users\Admin\AppData\Local\Temp\levelcomputer\levelcomputer.exe
"C:\Users\Admin\AppData\Local\Temp\levelcomputer\levelcomputer.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
3⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
3⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1320
4⤵
- Program crash
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AlwaysMouseWheel_11.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AlwaysMouseWheel_11.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1836 -ip 1836
1⤵
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AlwaysMouseWheel_11.exe
Filesize
97.1MB

MD5
844237faf062b40db4f3a4ea9e6af10f

SHA1
459cbe03e3ff110a1b678e1a3ec8de51ae1da167

SHA256
9c901e9994b0ae477c4d202fd004c84977281602f50a98f80f4480389f195c6a

SHA512
d6d9f94e0f2846b18649738dd48fa455ca6e169231a1eda310cd7006371c022f15b89ab94ac43862e5c8311c151beff5d88d7bad71774dbe50bc997e674fe826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AlwaysMouseWheel_11.exe
Filesize
97.1MB

MD5
844237faf062b40db4f3a4ea9e6af10f

SHA1
459cbe03e3ff110a1b678e1a3ec8de51ae1da167

SHA256
9c901e9994b0ae477c4d202fd004c84977281602f50a98f80f4480389f195c6a

SHA512
d6d9f94e0f2846b18649738dd48fa455ca6e169231a1eda310cd7006371c022f15b89ab94ac43862e5c8311c151beff5d88d7bad71774dbe50bc997e674fe826

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BCUninstaller_5_6_setup_1.exe
Filesize
95.2MB

MD5
1edc7e9e4c0c5663920395836d17ec82

SHA1
f68a7c5495ca3561c22a75cc998e3854608f6f38

SHA256
3c92c0a47becd2efa579fb3eaa06dd711a55f4a2cdb9a0311492da2205b1e446

SHA512
d595dfdfac98a135c27bb8acea7b8e67d40cec785a51d1b1256d7bdfaff7940372918faa55b93280aca96c45cc7c05264b135acc51ebade24d3523e92469f2a3

Download Submit
memory/656-1073-0x00007FFAD3C10000-0x00007FFAD46D1000-memory.dmp

Filesize
10.8MB

Download
memory/656-2121-0x00000253EB240000-0x00000253EB241000-memory.dmp

Filesize
4KB

Download
memory/656-1076-0x00000253EB230000-0x00000253EB240000-memory.dmp

Filesize
64KB

Download
memory/656-1072-0x00000253EB230000-0x00000253EB240000-memory.dmp

Filesize
64KB

Download
memory/656-1071-0x00000253E4B90000-0x00000253EACAC000-memory.dmp

Filesize
97.1MB

Download
memory/656-1069-0x00007FFAD3C10000-0x00007FFAD46D1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-1065-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1836-1070-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4396-40-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-58-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-20-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-22-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-24-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-26-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-28-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-30-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-32-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-34-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-36-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-38-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-16-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-42-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-44-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-46-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-48-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-50-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-52-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-54-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-56-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-18-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-60-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-62-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-64-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-66-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-68-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-70-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-72-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-74-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-175-0x000000000AC30000-0x000000000AC40000-memory.dmp

Filesize
64KB

Download
memory/4396-14-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-11-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-12-0x000000000BFB0000-0x000000000C092000-memory.dmp

Filesize
904KB

Download
memory/4396-10-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4396-9-0x000000000AC30000-0x000000000AC40000-memory.dmp

Filesize
64KB

Download
memory/4396-8-0x00000000002B0000-0x00000000061F4000-memory.dmp

Filesize
95.3MB

Download
memory/4396-7-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4396-1056-0x000000000B4F0000-0x000000000B4F1000-memory.dmp

Filesize
4KB

Download
memory/4396-1057-0x000000000CBF0000-0x000000000D194000-memory.dmp

Filesize
5.6MB

Download
memory/4396-1064-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads