lumma | f1c2c0985ce7dc4ec3e51dc52ca5af913b3177dab18b6a2f9fefb7f1a0a5c7bc

General

Target

Laun4er!_PSWRD----1889.7z
Size

9.0MB
MD5

5fa7a701e0a05313ae1b40102ede0389
SHA1

2960cba4ef1a0fde8f8dea5b317d35ef1ec63fea
SHA256

f1c2c0985ce7dc4ec3e51dc52ca5af913b3177dab18b6a2f9fefb7f1a0a5c7bc
SHA512

83a2ed56044f5fb7f1bcbdfb747363455e42aab970f700bdc56e7434cbc5644e14c953ff5b6392d04402f68d22d312729f2fea17d042e8aae46807932c9ab660
SSDEEP

196608:0rMa/IGuTieVXUtPs5iO/zMp1WzNDuMYZsNZST:JNXqk53MqzhutZX

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

C2

https://templecharteredowis.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 2 IoCs

pid	Process
3600	Setupx32_x64.exe
2284	Setupx32_x64.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3600 set thread context of 2672	3600	Setupx32_x64.exe	120
PID 2284 set thread context of 4528	2284	Setupx32_x64.exe	122

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3280	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3280	7zFM.exe
Token: 35	3280	7zFM.exe
Token: SeSecurityPrivilege	3280	7zFM.exe
Token: SeDebugPrivilege	2036	taskmgr.exe
Token: SeSystemProfilePrivilege	2036	taskmgr.exe
Token: SeCreateGlobalPrivilege	2036	taskmgr.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
3280	7zFM.exe
3280	7zFM.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
376	OpenWith.exe
1540	OpenWith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 2672	3600	Setupx32_x64.exe	120
PID 3600 wrote to memory of 2672	3600	Setupx32_x64.exe	120
PID 3600 wrote to memory of 2672	3600	Setupx32_x64.exe	120
PID 3600 wrote to memory of 2672	3600	Setupx32_x64.exe	120
PID 3600 wrote to memory of 2672	3600	Setupx32_x64.exe	120
PID 2284 wrote to memory of 4528	2284	Setupx32_x64.exe	122
PID 2284 wrote to memory of 4528	2284	Setupx32_x64.exe	122
PID 2284 wrote to memory of 4528	2284	Setupx32_x64.exe	122
PID 2284 wrote to memory of 4528	2284	Setupx32_x64.exe	122
PID 2284 wrote to memory of 4528	2284	Setupx32_x64.exe	122

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Laun4er!_PSWRD----1889.7z
1⤵
- Modifies registry class
PID:1748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Laun4er!_PSWRD----1889.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3280

C:\Users\Admin\Desktop\Setupx32_x64.exe
"C:\Users\Admin\Desktop\Setupx32_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:2672

C:\Users\Admin\Desktop\Setupx32_x64.exe
"C:\Users\Admin\Desktop\Setupx32_x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Setupx32_x64.exe

Filesize
19.4MB

MD5
8ce7fffb29a8565b53d58971af37c3b9

SHA1
355ce0ec9e33d58661f3e60052a715c165d8c54a

SHA256
8489316aa7ddfdfa2bdb72b0d1756a01dadd2d23a702c3386056335c3995469e

SHA512
361a9280dc5e555868ce856a136717cd405fadf8373f2ac595ffbb1c608ff7cc2824a0e1407f2a22762326848d8f6da67fbdf8106617955e759c1a760d23d94a

Download Submit
memory/2036-40-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-41-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-37-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-36-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-39-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-29-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-31-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-30-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-35-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2036-38-0x00000189598D0000-0x00000189598D1000-memory.dmp

Filesize
4KB

Download
memory/2284-28-0x00007FF6516A0000-0x00007FF652A6F000-memory.dmp

Filesize
19.8MB

Download
memory/2284-45-0x00007FF6516A0000-0x00007FF652A6F000-memory.dmp

Filesize
19.8MB

Download
memory/2672-23-0x0000000000600000-0x000000000065D000-memory.dmp

Filesize
372KB

Download
memory/2672-25-0x0000000000600000-0x000000000065D000-memory.dmp

Filesize
372KB

Download
memory/3600-19-0x00007FF6516A0000-0x00007FF652A6F000-memory.dmp

Filesize
19.8MB

Download
memory/3600-24-0x00007FF6516A0000-0x00007FF652A6F000-memory.dmp

Filesize
19.8MB

Download
memory/4528-44-0x00000000004D0000-0x000000000052D000-memory.dmp

Filesize
372KB

Download
memory/4528-46-0x00000000004D0000-0x000000000052D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing