lumma | fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7

Analysis

max time kernel
90s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc.pdf.exe
Size

1.1MB
MD5

595ed72a44e6d325e8450ed808a75a1b
SHA1

4ee0c75ea588c4d06b3c9748b42343d7550cd523
SHA256

fc3085b354e1e35b4a9b15166cbbead6a63fb3f2cd18f00f546868d5392408b7
SHA512

750e699fc0d25cb1c6f9c944855e73a0844d16b198d96eefb9dbfea683b5b9c45ed041ae25e216895511024c7fe94d1c92513fd984d3ff810d3b4dd7f5c5029f
SSDEEP

24576:hZkE7GcN9ytIFGibL4fzXeoRVofL+0zA7TrjkoG0WIorgXIMLVPO0:hn7XK9iyjCT5A7T/SrdMLV20

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://crisisestimatehealtwh.site/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	doc.pdf.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	Ri.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3956	1980	WerFault.exe	100

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2504	tasklist.exe
1988	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3680	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1980	Ri.pif
1980	Ri.pif
1980	Ri.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2648	2708	doc.pdf.exe	88
PID 2708 wrote to memory of 2648	2708	doc.pdf.exe	88
PID 2708 wrote to memory of 2648	2708	doc.pdf.exe	88
PID 2648 wrote to memory of 4468	2648	cmd.exe	90
PID 2648 wrote to memory of 4468	2648	cmd.exe	90
PID 2648 wrote to memory of 4468	2648	cmd.exe	90
PID 4468 wrote to memory of 2504	4468	cmd.exe	91
PID 4468 wrote to memory of 2504	4468	cmd.exe	91
PID 4468 wrote to memory of 2504	4468	cmd.exe	91
PID 4468 wrote to memory of 456	4468	cmd.exe	92
PID 4468 wrote to memory of 456	4468	cmd.exe	92
PID 4468 wrote to memory of 456	4468	cmd.exe	92
PID 4468 wrote to memory of 1988	4468	cmd.exe	94
PID 4468 wrote to memory of 1988	4468	cmd.exe	94
PID 4468 wrote to memory of 1988	4468	cmd.exe	94
PID 4468 wrote to memory of 4260	4468	cmd.exe	95
PID 4468 wrote to memory of 4260	4468	cmd.exe	95
PID 4468 wrote to memory of 4260	4468	cmd.exe	95
PID 4468 wrote to memory of 4948	4468	cmd.exe	96
PID 4468 wrote to memory of 4948	4468	cmd.exe	96
PID 4468 wrote to memory of 4948	4468	cmd.exe	96
PID 4468 wrote to memory of 2396	4468	cmd.exe	97
PID 4468 wrote to memory of 2396	4468	cmd.exe	97
PID 4468 wrote to memory of 2396	4468	cmd.exe	97
PID 4468 wrote to memory of 4808	4468	cmd.exe	98
PID 4468 wrote to memory of 4808	4468	cmd.exe	98
PID 4468 wrote to memory of 4808	4468	cmd.exe	98
PID 4468 wrote to memory of 1980	4468	cmd.exe	100
PID 4468 wrote to memory of 1980	4468	cmd.exe	100
PID 4468 wrote to memory of 1980	4468	cmd.exe	100
PID 4468 wrote to memory of 3680	4468	cmd.exe	99
PID 4468 wrote to memory of 3680	4468	cmd.exe	99
PID 4468 wrote to memory of 3680	4468	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\doc.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\doc.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k cmd < Strings & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:456
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 11068
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Tour + Wheel + Magical + Sides + Mf + Header 11068\Ri.pif
      4⤵
      PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Coupons + Her + Decorative 11068\d
      4⤵
      PID:4808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\11068\Ri.pif
      11068\Ri.pif 11068\d
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1400
        5⤵
        Program crash
        
        PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1980 -ip 1980
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\11068\Ri.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\11068\d

Filesize
1.1MB

MD5
b1c6275d28d8ef11215547a5a1dd041c

SHA1
f917f7c513b240714031ea8b3163570a8c419032

SHA256
652ca8d800770c0592362d8223d23eb0811491a016670103d73942ee882014c2

SHA512
01df5059612ada3e43ddf5051f06393a85705d9e5569ef05d8b03f61ade7f1e0060a3225924a3b944bd2c33fb911d21c0e4f5d52b5fd71de19a09dd0d5e82dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Coupons

Filesize
470KB

MD5
868b4f1a860604da4de0fcbdeb8f3955

SHA1
f03051d88f48dd21b44525771e3e058848e50b98

SHA256
2c09af789c33b6a7f769a2076bffb025027b45e28ae21f588a8d431d5c2b7bca

SHA512
aa9e3d40b7d81747ec2e190bd899c59c233c3fbfdafe897fca8101537da50f7ac550704d8ebc25f78c09a1b4ecd51b6179fba56860a94f9d8ff1229fb21c2941

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Decorative

Filesize
287KB

MD5
11b0e09a31165d0b564ed6108247e32e

SHA1
9e44915c1778d17712ce609ab53043d4e270bfba

SHA256
75df35ea009602413921f725b2579716ae76247b986735c31f5037bb2dbb3abb

SHA512
28a44f9152900da7c4ea4a151aab0123d0089953b6b2a217d3dfb7860ea449720172658000589c04c4bdf597290afea32fab0cb53c1571592d4de9fc30210bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Header

Filesize
103KB

MD5
e904474a7442c2d35dc17a05a2412ec1

SHA1
cb1c7570221703722cc54ead60460b0488ab29a5

SHA256
a5cc801b2db4523d6a7dfa40128b858bd3d297a7ea1607845fb535fd0d721f2c

SHA512
d56684844b13a0df8deacb7c92848eb7b56f12193c274fff7d3b42a1bd0ae4970fe0ba3c48242ae1b2c4746aecf79561e24e26816d9b5521ac9849a68b55839b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Her

Filesize
402KB

MD5
9b6f23f0978c91d394472f6400c32e9e

SHA1
6e520ff244e6ff257a5cf96d6f0ae72fa98d749a

SHA256
7bac1c0e1a8337f9f8d6bb645bf35a6af5e986ccb163fa017dbec86a3cf01a84

SHA512
8832bb69d0967ee4c28804d1babee6d99bf347194f7c0ccef780bb8a7530bc98139246ea2a246bb9bd62390dc9587111187d2cd556c93307f3c46e49e0a90c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Magical

Filesize
190KB

MD5
8dee4f87e8b028086bfb9c6e28c7efeb

SHA1
07022aebc3ae5a8966acfe372127f43794ef8c0c

SHA256
95eb67f5407bb608c9d6b2972c87930a1ce4acbcaaf1f6308f3e5439e32dcea4

SHA512
b30f3f265515fa7682d87a82c56a6073647c4c2ba75f08cacc01143d90ec8c06634326fd4d23596417d5c479507a79b81890a99b438f05fb53ad7eff3c235bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mf

Filesize
110KB

MD5
70c69b5c519979a93041dc147046963f

SHA1
1549258c1a0a8a957503cc6ee9f4768552469177

SHA256
e0fa999a7596408f51b11d427c5b4f290b8d7ce9d9b47c1a7a98361c728334bc

SHA512
8f8b2aa000b691caac1d0f32b8ef80e708e3cd9f4099e1c09fd837757ec15dc3cc1ff6ce72fc1c9bbab6a48a357ba6791c87c1de1db03d53e98da132751716a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sides

Filesize
138KB

MD5
c2db062feb62093ad5892db13fe4c706

SHA1
e17106b070b70dccf5d94d481b492c2ad6c16c8c

SHA256
c1211df077e49d47d212220fde380911265ead362b42605d20c829900fb151f1

SHA512
6e983abb79fcfdd248241ab2d1a0ac3404fecc428e45863681b9fdd7f9fad3ee7fd0e8681b64d6d3a79295d9b9f721f576661e44aac7e055e74f9d466ec37143

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Strings

Filesize
13KB

MD5
23688d1a4ab6134d67d0183adeda1306

SHA1
d61ef6782c022ac4ec0d7389d10d80d7498984b3

SHA256
7158e8faf43a3376141950870260798133098f81642e68056afd6dc3e1e1d776

SHA512
9808a88456f41d677cb6d8d1c493aba9bf4b7fc49ef88ab099030342fe65dc5473c9aa2c0747958fd0844a6a62750fc1bee15fc06cc7c6d5bf1b387030a90160

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tour

Filesize
188KB

MD5
62a7e75d1df779e6169adb0cfa905694

SHA1
3f855dc814432bd0cd6e793c5a5bb2776b838602

SHA256
7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db

SHA512
1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Wheel

Filesize
195KB

MD5
9f291e36e5804f3a1ea7456dea65b346

SHA1
e69a6a0df88a24dc318bfaf1a323b080c6ad7624

SHA256
37a743aa0ddda77e81dfb5c1ca3ab0ad2dff05237a87189af2867c82c4916a65

SHA512
7959b0279934eb093f9cfdcdb642a183440f2575bc1a3ccfdfe2a712fb15015739490be27303a78d29a7eb19d432cbc513385d25f7c789e0a9ddd78afed62abf

Download Submit
memory/1980-36-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1980-37-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-38-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-39-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-40-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-41-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-42-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download
memory/1980-43-0x00000000053D0000-0x0000000005459000-memory.dmp

Filesize
548KB

Download