lumma | 0b42eeb661e4cf8635ef4205a17073a5ea97143dcf042579540fd9d1a225bd4d

Analysis

max time kernel
85s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Codex.rar
Size

15.6MB
MD5

afe31fd838fae3a3f3fb46bc6875b8bc
SHA1

10923315babb259fbe8218d9a7945f71fef0ed6b
SHA256

0b42eeb661e4cf8635ef4205a17073a5ea97143dcf042579540fd9d1a225bd4d
SHA512

dc969f33e442dcfa63a806090d357b4310c75313a44bdbe4400bab6215e91a2f44da994fe736d15c12ad00d85d348d7356e6d27ef8da2043f615766bec1d152a
SSDEEP

393216:nnYQSVHxqK+caxy4zhzp+cWU3LkGmlXJ4PcNamsCWxIt+YA:qVHxqK+Nzpb3ZWyPcfsCWStVA

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://peanuearthflaxes.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Codex.exeCodex.exe

pid process

2056 Codex.exe
1816 Codex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
2056	Codex.exe
1816	Codex.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Codex.exeCodex.exe

description	pid	process	target process
PID 2056 set thread context of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 1816 set thread context of 4164	1816	Codex.exe	BitLockerToGo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

cmd.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7zFM.exe

pid process

4120 7zFM.exe
4120 7zFM.exe
4120 7zFM.exe
4120 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4120 7zFM.exe

pid	process
4120	7zFM.exe
4120	7zFM.exe
4120	7zFM.exe
4120	7zFM.exe

pid	process
4120	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	4120	7zFM.exe
Token: 35	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid process

4120 7zFM.exe
4120 7zFM.exe
4120 7zFM.exe

pid	process
4120	7zFM.exe
4120	7zFM.exe
4120	7zFM.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exe7zFM.exeCodex.exeCodex.exe

description	pid	process	target process
PID 1840 wrote to memory of 4120	1840	cmd.exe	7zFM.exe
PID 1840 wrote to memory of 4120	1840	cmd.exe	7zFM.exe
PID 4120 wrote to memory of 2056	4120	7zFM.exe	Codex.exe
PID 4120 wrote to memory of 2056	4120	7zFM.exe	Codex.exe
PID 2056 wrote to memory of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 2056 wrote to memory of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 2056 wrote to memory of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 2056 wrote to memory of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 2056 wrote to memory of 1672	2056	Codex.exe	BitLockerToGo.exe
PID 1816 wrote to memory of 4164	1816	Codex.exe	BitLockerToGo.exe
PID 1816 wrote to memory of 4164	1816	Codex.exe	BitLockerToGo.exe
PID 1816 wrote to memory of 4164	1816	Codex.exe	BitLockerToGo.exe
PID 1816 wrote to memory of 4164	1816	Codex.exe	BitLockerToGo.exe
PID 1816 wrote to memory of 4164	1816	Codex.exe	BitLockerToGo.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Codex.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Codex.rar"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:680

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4164

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:4516
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:1012

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:4056

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:5116

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:468

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:1544

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:756

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:2704

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:776

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:1128

C:\Users\Admin\Desktop\Codex.exe
"C:\Users\Admin\Desktop\Codex.exe"
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe

Filesize
23.4MB

MD5
2c7698c295ff76f112703bb08ba29aad

SHA1
3bcd3c32f8f636ef5bd096076cb42f47f293b51b

SHA256
c7657c92d0a3997b33c6f54b56f7543f1aef2beb2131e93aad9b68f4a1240070

SHA512
1348bc0183dc970ba70fc321cfbc7412f45d1604f3553c472a7024b0668031a24d6cf5fc899fe93025c947fdb94cd690d9d99ecc1e7e2de36e3dba73516ea00a

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
19.8MB

MD5
2196047f5370b6cf25adfecc69c138c6

SHA1
355c9c38ce13eaf91af2165daa9101fe58034604

SHA256
80b451d593873facef68c4a5fde44131e737c1fed2ca042bd12cb5051d4d913e

SHA512
92d2f5c7fd4b8e26d8210f3c0bee663a58c0452a78e789ae42c410ab0888f3f83af99d6494e2dfffe6c6b48df980c8f106f14eae5e4b01708781c7cdc61e2192

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
7.2MB

MD5
61feeddf5aae8926916d9f2c55c322a8

SHA1
405a43ba44e011a4d56e95ba8f6601da537dcce6

SHA256
0fa9d4bf611df4d58ca88fe93d99b86c77ba299f675b49a9b414c8e6cb126b8e

SHA512
9998ff97c8897ee69cd3a2ed995731f54072d57be00de9c6140e8a0963f6fcc6c7fa82a6f7115895b2163fe12420410c9f165d1bdf75ee38b3231dced49fc11f

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
4.2MB

MD5
f1d358e87fef4d40bbb08ba6af8bfd88

SHA1
fcbac8c7f2b2c9720808c86ce4378dfb84af2f97

SHA256
2e042848726889b2fe6d4daf436f0b50770f8f8faea38724d44d02c52b50f457

SHA512
3b2ebf0b423440577fa5a28fe28a935b6efa471987758b6af786a8855349c79162054876ce4dcad81da4823154b0baa3e66d0b90d4d93ad0c606c78291b3a6ee

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
2.4MB

MD5
939fd31784e0e59f58aac546b6f9f199

SHA1
92ff57404231c0f68f62cd51255832dd03e0e0d1

SHA256
f4eedda589eef7c498b9118828a19eb2ab8b00a17373df0ad3ef17f2c8e1bb6f

SHA512
235c6fa7c90931a7bb532a3868af61bb416a3555b6b3b563b159511990c2043daeaa69abdca0fd741d5f0a9b5c508230c1692f78541aa495f77618c6d93be2d3

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
1.9MB

MD5
820854b1903b548241264391873644d9

SHA1
a1534f6d6859b8e02c0801b2a1f5bc51d339e034

SHA256
19b548f2891744ca51f2469ff24640492ef4a41d150c4aec3f48bce94c430676

SHA512
ebb2896d7e29d779d475f6385146a7e8cf5e66d198e87d41680090587e0290eab796798790699817c3b634901900c987abdd7883f6d01c8a7673fa57b20b487d

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
1.8MB

MD5
1b4eb203d0b398aeb2d811c057f5635d

SHA1
38a3346b4c0128ada1ccb75d118d6cd5da6815b2

SHA256
3e0425bae606fd01dab1c8e4055318e4629c6081bdee3245c1269e82b55458d1

SHA512
d286725a4ff599b0d1c31010f924676159fe58d5f864d0d35b785ca9a023a4b77365c5e334cf01f71edff1c36839f6b04abeb7e5a1bdf9ad9371612d7a53e687

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
1.1MB

MD5
7ecc511b1989b717651bf2945616acaa

SHA1
263e5f7af0acfb76135c8999db440f4cea890592

SHA256
6f52869a5963c10be021324e6fdd0fad2d468a5c55fac0e70b1cd50b251c4d3b

SHA512
ebf3865992eb50e0a778ed82bae56b49a123dcc310cad787e112b3a4712821b69c09f93b8b90a091fbebf68727a9984ea72b9365c64677fef56fb0f3b212c990

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
960KB

MD5
5e54c91900f431182678c7ee811d93a9

SHA1
3fe7e2329efc7395f237c4f9ed21c1a7d4912d80

SHA256
26906c4daee613ecffc8b6e5cc458534486a9436673d3515a2ba1d8852317a3f

SHA512
2d5ba6744f1fdd0dc3e6de075a78b7567b2fa2cbd7bd67d132167b034ac5622fc4d2bd21802ecacf91c671fb3ad06cc92f0ad89f41e4447edf4d423884e7c8a4

Download Submit
C:\Users\Admin\Desktop\Codex.exe

Filesize
631KB

MD5
a0bb9b6bc9e70b817fe9f6ca2d8c81b9

SHA1
4f80d2e832488324fb6de89c1918014b2635403b

SHA256
f88d9f06e3d144b4b0d74197df51ab0abaf1b1f760228d5e106319e6bffd37d7

SHA512
bd7b43e651e942f2887af41a8338290a26ddd43f3dc8a6ad2d51b2ed648996dd6d9c55af40044748cb56d4f12cdb71619d73352b9a4e286318aca54d62593ccc

Download Submit
memory/1012-84-0x0000000001040000-0x000000000108F000-memory.dmp

Filesize
316KB

Download
memory/1012-82-0x0000000001040000-0x000000000108F000-memory.dmp

Filesize
316KB

Download
memory/1672-19-0x0000000000F20000-0x0000000000F6F000-memory.dmp

Filesize
316KB

Download
memory/1672-17-0x0000000000F20000-0x0000000000F6F000-memory.dmp

Filesize
316KB

Download
memory/1816-30-0x00007FF74F600000-0x00007FF750DD4000-memory.dmp

Filesize
23.8MB

Download
memory/1816-26-0x00007FF74F600000-0x00007FF750DD4000-memory.dmp

Filesize
23.8MB

Download
memory/2056-16-0x00007FF6729D0000-0x00007FF6741A4000-memory.dmp

Filesize
23.8MB

Download
memory/2056-18-0x00007FF6729D0000-0x00007FF6741A4000-memory.dmp

Filesize
23.8MB

Download
memory/4056-93-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp

Filesize
23.8MB

Download
memory/4164-31-0x0000000000AA0000-0x0000000000AEF000-memory.dmp

Filesize
316KB

Download
memory/4164-29-0x0000000000AA0000-0x0000000000AEF000-memory.dmp

Filesize
316KB

Download
memory/4516-83-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp

Filesize
23.8MB

Download
memory/4516-76-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp

Filesize
23.8MB

Download