lumma | 5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe
Size

1.6MB
MD5

3c22e9f884a858ecd2343d181660ef27
SHA1

0e12f789d1baad2511f2c5f8877cc61f452cc3c6
SHA256

5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0
SHA512

11792aabbc7eaca84d011683850b9fc35dee0410c0389a62789b45802b3c23baed72448e7c47947778cba14c36dd48b6b5d513067e0c0ee36caed9efe574a3b9
SSDEEP

24576:l7ziH9/8zn+ezqIZeJbzHiNxQ6rK1LFP9lRGjwQGZuxCujhgypxQ1nc:l/A/Die9HUG6rKhPlRZQGZqVVlQF

Score

10^/10

lumma discovery spyware stealer

Malware Config

Signatures

Detect Lumma Stealer payload V2 2 IoCs

resource	yara_rule
behavioral1/memory/2640-36-0x0000000003AE0000-0x0000000003B60000-memory.dmp	family_lumma_V2
behavioral1/memory/2640-37-0x0000000003AE0000-0x0000000003B60000-memory.dmp	family_lumma_V2

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2640	Bags.pif

Loads dropped DLL 1 IoCs

pid	Process
2860	cmd.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2732	tasklist.exe
2060	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2520	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	2060	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2640	Bags.pif
2640	Bags.pif
2640	Bags.pif

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2468	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	28
PID 2196 wrote to memory of 2468	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	28
PID 2196 wrote to memory of 2468	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	28
PID 2196 wrote to memory of 2468	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	28
PID 2196 wrote to memory of 2824	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	29
PID 2196 wrote to memory of 2824	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	29
PID 2196 wrote to memory of 2824	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	29
PID 2196 wrote to memory of 2824	2196	5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe	29
PID 2824 wrote to memory of 2860	2824	cmd.exe	31
PID 2824 wrote to memory of 2860	2824	cmd.exe	31
PID 2824 wrote to memory of 2860	2824	cmd.exe	31
PID 2824 wrote to memory of 2860	2824	cmd.exe	31
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2980	2860	cmd.exe	33
PID 2860 wrote to memory of 2980	2860	cmd.exe	33
PID 2860 wrote to memory of 2980	2860	cmd.exe	33
PID 2860 wrote to memory of 2980	2860	cmd.exe	33
PID 2860 wrote to memory of 2060	2860	cmd.exe	35
PID 2860 wrote to memory of 2060	2860	cmd.exe	35
PID 2860 wrote to memory of 2060	2860	cmd.exe	35
PID 2860 wrote to memory of 2060	2860	cmd.exe	35
PID 2860 wrote to memory of 2752	2860	cmd.exe	36
PID 2860 wrote to memory of 2752	2860	cmd.exe	36
PID 2860 wrote to memory of 2752	2860	cmd.exe	36
PID 2860 wrote to memory of 2752	2860	cmd.exe	36
PID 2860 wrote to memory of 2448	2860	cmd.exe	37
PID 2860 wrote to memory of 2448	2860	cmd.exe	37
PID 2860 wrote to memory of 2448	2860	cmd.exe	37
PID 2860 wrote to memory of 2448	2860	cmd.exe	37
PID 2860 wrote to memory of 2744	2860	cmd.exe	38
PID 2860 wrote to memory of 2744	2860	cmd.exe	38
PID 2860 wrote to memory of 2744	2860	cmd.exe	38
PID 2860 wrote to memory of 2744	2860	cmd.exe	38
PID 2860 wrote to memory of 2588	2860	cmd.exe	39
PID 2860 wrote to memory of 2588	2860	cmd.exe	39
PID 2860 wrote to memory of 2588	2860	cmd.exe	39
PID 2860 wrote to memory of 2588	2860	cmd.exe	39
PID 2860 wrote to memory of 2640	2860	cmd.exe	40
PID 2860 wrote to memory of 2640	2860	cmd.exe	40
PID 2860 wrote to memory of 2640	2860	cmd.exe	40
PID 2860 wrote to memory of 2640	2860	cmd.exe	40
PID 2860 wrote to memory of 2520	2860	cmd.exe	41
PID 2860 wrote to memory of 2520	2860	cmd.exe	41
PID 2860 wrote to memory of 2520	2860	cmd.exe	41
PID 2860 wrote to memory of 2520	2860	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe
"C:\Users\Admin\AppData\Local\Temp\5f38f9fc4ef01d4b048a0ce6199622afd8f0a82168ff70b13bb1576bec721ef0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Beth & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2980
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 32521
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Pasta + Albums + Range + Hole + Convinced + Wang 32521\Bags.pif
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Thy + Relevance + Flour 32521\L
      4⤵
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\21373\32521\Bags.pif
      32521\Bags.pif 32521\L
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2640
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21373\32521\Bags.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\32521\Bags.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\32521\L

Filesize
974KB

MD5
97417c9c289e53a44afa4d6d1153c603

SHA1
a238caab8585b025738fdb5f948688d2e447cc2e

SHA256
39df402e36b806a8a88a5c8710867595d02be63ffc66c957206758a5e225254e

SHA512
fd698131bb8d8d6ad2fd1ff5997e3ff50cabbc9a83853991f48470fc4f1512d23f1f0b8f57fc4325c4c150c1426bad2b933d97440a25ba9d7f2be9f14f481f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Albums

Filesize
199KB

MD5
c11d78a15555fe69bdf2199796078079

SHA1
7ab6a9a77ac43bf40783f3cb79edf4bfc5689be4

SHA256
d3c4a3cdb442b135d71871c57bfa0edbd07d185146bc43eaa0c5f94a3c5f147e

SHA512
a45986b1c09c21329c8c75486395dd110868e280f77a86c0ee5f85f1a1456642b0205d31fec53bdc5342fd22e8094c877627cde570f092f3f21ae18991ca4e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Beth

Filesize
13KB

MD5
b7649dd33bb8326500c89af118818678

SHA1
027da42428098dd2d8c3d15626445794e888d9c1

SHA256
77c7af59858890577a7fb4e3885654c86ed59392a08528702b65d10c1a6e6f49

SHA512
0d4fda9c585e91993fc6d5e44779c2c2320d7463668142e543634f2991d36525d52d783d166ca5236c8e1cb39deb09cc62e9adec27113655bbea189ee9861235

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Convinced

Filesize
156KB

MD5
23972a64db5c06a07bcf0640504afd84

SHA1
cb777091ba4f25636e06242c9172743d4b904347

SHA256
4ef4b9e80c23c2e90a357de9b2dd2a10305aef2d387ca1420f29f546d7bed64a

SHA512
649afcc2ebec276530347daa4fb3f8f88e46f7cb2c122d79b86f51f273f33bd1e4f168e21b52293472bc7d895b7cf2dc2ced5adcddbc8a7c86a8bfda96edf61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Flour

Filesize
89KB

MD5
49f6ae2b60dd3b1935562a8cd5808980

SHA1
aafcc8d481c8996fcd4bc32bc110f9cb238710b2

SHA256
769d8e90243590dbc064c4131ba903d996a504fb4709c9f024b205967227a456

SHA512
f4fed21856810bf844699118ddb242d7fe2fbbd4b3df2d817c2daa2de4882d5470c2b3f3cc274755f1de0121ca914ad29e7bcd236951780c42b5f451d43a2e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Hole

Filesize
126KB

MD5
a2f5a9958d4a1edcba88cd061fff1e8e

SHA1
ffc2aee833df56aa87949141e4ed8a3435c1cbf0

SHA256
51552adf6e9524032beb3d76372848a200b0ffa07ba77d48f0c6c57f42d04823

SHA512
716ca072078b0f0ad3a9998d3d7f153ea97f66ce9335ae6cd2799bcfbcc8ffeb7c71f7b408d5f06f5beeb7114610b77e0193c11be2470e828e4711760a8d416b

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Pasta

Filesize
158KB

MD5
85f1d42fa363d02c16ff13325afc146c

SHA1
6c673e16239cacad4083863588c5fb0e5b66bea2

SHA256
db9109ee338c609133bc9a77cb10b40224ab746973eb2c1fbf9101ad82c4071d

SHA512
ba33c67ed29de5d4c09d8518e424c5ff043c605826de83bd7c9612411b7f2c2da02f5530dc58294ef4378c7ee4c39266e7abcdccdf1442ddb671bccc6afe1988

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Range

Filesize
280KB

MD5
0cabcaf6e51cf240e17b385f9b9b52ad

SHA1
8c447990e1de3e83ac52686f0cef59743cf66120

SHA256
b75afb1971ce982cf1c83be9e5980353331e6faa3dc2b5e77af4de50a7c95800

SHA512
0a5bc457c719909fff929393e2d95ae7f660a4f1e706f2d2d5bca2b9df7dcbf145897835204dd9bbd5e5d0e59cfd906f588aba6329a3e326bf7327befe836418

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Relevance

Filesize
402KB

MD5
68f47075db5f98b2dbdcc978000adb37

SHA1
78fa549e354ce2e4ef1c77185061cc821564625d

SHA256
ee0f1a8618c54fbaebe6610aa2e0c5ef14c02061961fb9fe995e23af1cfa9e79

SHA512
c8b133a790fcaa124c5e260bd15f41aeecf6d82970449fc95a0eb044b3c2f33ad7c2a37de4c3d02b88f3fef60b19cef39fb688bec302e841d0f8d2db1268b23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Thy

Filesize
483KB

MD5
f08e2d2f912ba62970a920adb4d1af77

SHA1
0e3993561f16093d013ed5db4e73b15c852d3ee1

SHA256
608e15c80b3f9a9b6347730749f1e8a17e7eac457ae735c67aafb36bdd3971fd

SHA512
cd93e9fdb212a29bd0b8c2dcb191c0107cd6da585e533528ed0db0adb76cfec040add5eaafa20cd95f88019777a591baf81f5f39b2f54e998add8a18364f7a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\21373\Wang

Filesize
5KB

MD5
702b89d33d1536072e25593851835622

SHA1
eb477aecd80a859bc08f3c40129b88bd144fdefe

SHA256
f780ee3ed8be1f0dc6db2c7e4732b39878713154ae708ba1325d623df10ffa9f

SHA512
e25bbe4db0d96123317d29c28dbab5a175d76c0470ddf0ab8a087776339fafc9f3c019827a11b16d90882236ca97a6e1293bbea689a9beb1546c746370108a63

Download Submit
\Users\Admin\AppData\Local\Temp\21373\32521\Bags.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
memory/2196-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2196-28-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/2640-29-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2640-30-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-31-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-32-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-33-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-34-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-35-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-36-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download
memory/2640-37-0x0000000003AE0000-0x0000000003B60000-memory.dmp

Filesize
512KB

Download