lumma | a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba

General

Target

a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
Size

174KB
MD5

df469e0a98c5be3dbbdee404268d491a
SHA1

17951c7c3b3dbb7769efa595298ac0183e000c77
SHA256

a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
SHA512

8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc
SSDEEP

1536:+ngptcHx6TyxkuM39m/wrut+8IGA/75IVL0tQlfYvm/ivedMzcfknx9Xb5Wyq9R9:+nZZBMtjruMGA/lxtbvma2dGTb5Wyq9

Score

10^/10

lumma smokeloader pub1 backdoor bootkit persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

lumma

C2

https://accountasifkwosov.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

https://palmeventeryjusk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

pid process

3188
Executes dropped EXE 3 IoCs

Processes:

F10F.exeF5C3.exeFC8B.exe

pid process

684 F10F.exe
2168 F5C3.exe
4848 FC8B.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

90 raw.githubusercontent.com
91 raw.githubusercontent.com
64 drive.google.com
65 drive.google.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

F5C3.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 F5C3.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

F10F.exe

description pid process target process

PID 684 set thread context of 4196 684 F10F.exe BitLockerToGo.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3504 4848 WerFault.exe FC8B.exe

pid	process
3188

pid	process
684	F10F.exe
2168	F5C3.exe
4848	FC8B.exe

flow	ioc
90	raw.githubusercontent.com
91	raw.githubusercontent.com
64	drive.google.com
65	drive.google.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	F5C3.exe

description	pid	process	target process
PID 684 set thread context of 4196	684	F10F.exe	BitLockerToGo.exe

pid	pid_target	process	target process
3504	4848	WerFault.exe	FC8B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe

pid	process
3220	a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
3220	a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188
3188

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe

pid process

3220 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	3188
Token: SeCreatePagefilePrivilege	3188
Token: SeShutdownPrivilege	5104	explorer.exe
Token: SeCreatePagefilePrivilege	5104	explorer.exe
Token: SeShutdownPrivilege	5104	explorer.exe
Token: SeCreatePagefilePrivilege	5104	explorer.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.execmd.exeF10F.exe

description	pid	process	target process
PID 3188 wrote to memory of 3276	3188		cmd.exe
PID 3188 wrote to memory of 3276	3188		cmd.exe
PID 3276 wrote to memory of 3844	3276	cmd.exe	reg.exe
PID 3276 wrote to memory of 3844	3276	cmd.exe	reg.exe
PID 3188 wrote to memory of 4980	3188		cmd.exe
PID 3188 wrote to memory of 4980	3188		cmd.exe
PID 4980 wrote to memory of 4208	4980	cmd.exe	reg.exe
PID 4980 wrote to memory of 4208	4980	cmd.exe	reg.exe
PID 3188 wrote to memory of 684	3188		F10F.exe
PID 3188 wrote to memory of 684	3188		F10F.exe
PID 3188 wrote to memory of 2168	3188		F5C3.exe
PID 3188 wrote to memory of 2168	3188		F5C3.exe
PID 3188 wrote to memory of 2168	3188		F5C3.exe
PID 3188 wrote to memory of 4848	3188		FC8B.exe
PID 3188 wrote to memory of 4848	3188		FC8B.exe
PID 3188 wrote to memory of 4848	3188		FC8B.exe
PID 684 wrote to memory of 4196	684	F10F.exe	BitLockerToGo.exe
PID 684 wrote to memory of 4196	684	F10F.exe	BitLockerToGo.exe
PID 684 wrote to memory of 4196	684	F10F.exe	BitLockerToGo.exe
PID 684 wrote to memory of 4196	684	F10F.exe	BitLockerToGo.exe
PID 684 wrote to memory of 4196	684	F10F.exe	BitLockerToGo.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
"C:\Users\Admin\AppData\Local\Temp\a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD21.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CE49.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\F10F.exe
C:\Users\Admin\AppData\Local\Temp\F10F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\F5C3.exe
C:\Users\Admin\AppData\Local\Temp\F5C3.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2168

C:\Users\Admin\AppData\Local\Temp\FC8B.exe
C:\Users\Admin\AppData\Local\Temp\FC8B.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 384
2⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 4848
1⤵
PID:1484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD21.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\F10F.exe
Filesize
9.9MB

MD5
2627387eb5495186ee3850fdc0b2ebde

SHA1
8c062c24ad34332f8033a8cac193e4519d3d7534

SHA256
9e86e4796a51e2cae9487ec086aa2159b65a037808e70a0e7dbaf5a946a8801e

SHA512
0c86e0b5de1b149913b7039fcc3fb8dcc17112617a5af731c3c90d6c822dbb7f2f5660e5790d0c134437383d5b6a71176839c0125c6c391f4ea26ffce0480b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5C3.exe
Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC8B.exe
Filesize
390KB

MD5
6c21c8ef344979d8e474bd775ce3010d

SHA1
bb8d15a1a43284becbc0417832e6fdf23bd90b8a

SHA256
68d4c2cf8164fa47d18242ceff50fdc09a68a485703bd83388a32ffc84d67dd7

SHA512
ca7cdcd9c78e5149d0b3299fcf4f9b94e062f4effb62ba6d952dd65c32d200bcdba2108c9898805543fa1e22f999ae71f818727a82426f85a983cd1148df0431

Download Submit
memory/684-40-0x00007FF68EE80000-0x00007FF68F8C6000-memory.dmp

Filesize
10.3MB

Download
memory/684-38-0x00007FF68EE80000-0x00007FF68F8C6000-memory.dmp

Filesize
10.3MB

Download
memory/3188-45-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3188-5-0x0000000001470000-0x0000000001486000-memory.dmp

Filesize
88KB

Download
memory/3220-9-0x0000000002BD0000-0x0000000002BDB000-memory.dmp

Filesize
44KB

Download
memory/3220-8-0x0000000000400000-0x0000000002AE9000-memory.dmp

Filesize
38.9MB

Download
memory/3220-1-0x0000000002BE0000-0x0000000002CE0000-memory.dmp

Filesize
1024KB

Download
memory/3220-4-0x0000000000400000-0x0000000002AE9000-memory.dmp

Filesize
38.9MB

Download
memory/3220-3-0x0000000000400000-0x0000000002AE9000-memory.dmp

Filesize
38.9MB

Download
memory/3220-2-0x0000000002BD0000-0x0000000002BDB000-memory.dmp

Filesize
44KB

Download
memory/4196-39-0x0000000001250000-0x000000000129F000-memory.dmp

Filesize
316KB

Download
memory/4196-41-0x0000000001250000-0x000000000129F000-memory.dmp

Filesize
316KB

Download
memory/4848-42-0x0000000000400000-0x0000000001A2D000-memory.dmp

Filesize
22.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads