lumma | 91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190

Analysis

max time kernel
540s
max time network
542s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup-win-x86-x64.exe.zip
Size

27.0MB
MD5

4b5450d05fe036f720cc7384f400b0fb
SHA1

62e74dfbefab8130604005d07c0b711b3659259a
SHA256

91e268e53754fcaaab91a3ad32ca4f67fbfc4903e75733a7174d28e1b85dd190
SHA512

efcca035e9baa76551c68052e267f97e422fad993d75e04a883854fc17c1e70d7d2055825da260fd2ccfee11aca91642da934ebec758aca822439a3b4acebe24
SSDEEP

786432:g9u6w6aCOcpDtAcwkDFPfHpJrrl4nA4YuiJbIwBNNnTTgnSugbMu1:gA6abQpAVkDRH0IdBHNntMw

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://alcojoldwograpciw.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

setup-win-x86-x64.exe

pid process

768 setup-win-x86-x64.exe

pid	process
768	setup-win-x86-x64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup-win-x86-x64.exesetup-win-x86-x64.exe

description	pid	process	target process
PID 768 set thread context of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 set thread context of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zG.exesetup-win-x86-x64.exesetup-win-x86-x64.exe

description	pid	process
Token: SeRestorePrivilege	2736	7zG.exe
Token: 35	2736	7zG.exe
Token: SeSecurityPrivilege	2736	7zG.exe
Token: SeSecurityPrivilege	2736	7zG.exe
Token: SeDebugPrivilege	768	setup-win-x86-x64.exe
Token: SeDebugPrivilege	912	setup-win-x86-x64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2736 7zG.exe

pid	process
2736	7zG.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

setup-win-x86-x64.exesetup-win-x86-x64.exe

description	pid	process	target process
PID 768 wrote to memory of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 768 wrote to memory of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 768 wrote to memory of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 768 wrote to memory of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 768 wrote to memory of 1404	768	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 wrote to memory of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 wrote to memory of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 wrote to memory of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 wrote to memory of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe
PID 912 wrote to memory of 3004	912	setup-win-x86-x64.exe	BitLockerToGo.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\setup-win-x86-x64.exe.zip
1⤵
PID:936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap20244:100:7zEvent6390
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2736

C:\Users\Admin\Desktop\setup-win-x86-x64.exe
"C:\Users\Admin\Desktop\setup-win-x86-x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:1404

C:\Users\Admin\AppData\Local\Temp\Temp1_setup-win-x86-x64.exe.zip\setup-win-x86-x64.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_setup-win-x86-x64.exe.zip\setup-win-x86-x64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:3004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\setup-win-x86-x64.exe

Filesize
73.4MB

MD5
1a3657ef519e3d20930f400dd781dbb2

SHA1
14391c5fcc47ce885680ae6dc191181119c593b1

SHA256
3669c3c9c47a5e5c59f508976a2732aa1feabfa7c90d1912032e3426c30edde5

SHA512
227e9986168c5dfe37661a010fe41abcffa794855bdde768699cdb4a3d3e3c97890da1f797de45f31f9b6498493e57377c29ac4e9eba63877c65f6f5897c0ea2

Download Submit
memory/768-10-0x00007FF68DA40000-0x00007FF6924B8000-memory.dmp

Filesize
74.5MB

Download
memory/768-14-0x00007FF68DA40000-0x00007FF6924B8000-memory.dmp

Filesize
74.5MB

Download
memory/912-20-0x00007FF6982D0000-0x00007FF69CD48000-memory.dmp

Filesize
74.5MB

Download
memory/912-25-0x00007FF6982D0000-0x00007FF69CD48000-memory.dmp

Filesize
74.5MB

Download
memory/1404-11-0x0000000001040000-0x000000000108E000-memory.dmp

Filesize
312KB

Download
memory/1404-13-0x0000000001040000-0x000000000108E000-memory.dmp

Filesize
312KB

Download
memory/1404-15-0x0000000001040000-0x000000000108E000-memory.dmp

Filesize
312KB

Download
memory/3004-21-0x0000000000C30000-0x0000000000C7E000-memory.dmp

Filesize
312KB

Download
memory/3004-23-0x0000000000C30000-0x0000000000C7E000-memory.dmp

Filesize
312KB

Download
memory/3004-24-0x0000000000C30000-0x0000000000C7E000-memory.dmp

Filesize
312KB

Download