lumma | db1b59a6777f2d0e813317be50541ff20b72dd82711feb6f73c875e58a37343b

General

Target

scr1ipt.ps1
Size

7KB
MD5

c44d7216c3cc62db69cbe60ac2e67a1c
SHA1

3a7aedb6c1f4d072c4656dbd49317fe5b38dcc12
SHA256

db1b59a6777f2d0e813317be50541ff20b72dd82711feb6f73c875e58a37343b
SHA512

892cc044bab84a48a953f8a46a55247c12bfb3b34774e106ae4632b3bc7e6f63ec88299c3a685d46c64f49c497a261057acc4184bf3a4d9487fd0e7d2817456d
SSDEEP

192:7qFeaF0diqqeaYzkIJm/5Z0dK7ZhWz7Xhbi9pdM3:79QV83YIcRZ3ZhSGQ

Score

10^/10

lumma execution stealer

Malware Config

Extracted

Family

lumma

C2

https://secretiveonnicuw.shop/api

https://liabiliytshareodlkv.shop/api

https://notoriousdcellkw.shop/api

https://conferencefreckewl.shop/api

https://flourhishdiscovrw.shop/api

https://landdumpycolorwskfw.shop/api

https://ohfantasyproclaiwlo.shop/api

https://parallelmercywksoffw.shop/api

https://barebrilliancedkoso.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2840	powershell.exe
4	2840	powershell.exe
8	2840	powershell.exe
12	2840	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3324	hv.exe
4292	hv.exe

Loads dropped DLL 3 IoCs

pid	Process
3324	hv.exe
4292	hv.exe
4852	0x21.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 4828	4292	hv.exe	74

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2840	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
3324	hv.exe
4292	hv.exe
4292	hv.exe
4828	netsh.exe
4828	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4292	hv.exe
4828	netsh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3324	hv.exe
4292	hv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3324	2840	powershell.exe	72
PID 2840 wrote to memory of 3324	2840	powershell.exe	72
PID 2840 wrote to memory of 3324	2840	powershell.exe	72
PID 3324 wrote to memory of 4292	3324	hv.exe	73
PID 3324 wrote to memory of 4292	3324	hv.exe	73
PID 3324 wrote to memory of 4292	3324	hv.exe	73
PID 4292 wrote to memory of 4828	4292	hv.exe	74
PID 4292 wrote to memory of 4828	4292	hv.exe	74
PID 4292 wrote to memory of 4828	4292	hv.exe	74
PID 4292 wrote to memory of 4828	4292	hv.exe	74
PID 4828 wrote to memory of 4852	4828	netsh.exe	76
PID 4828 wrote to memory of 4852	4828	netsh.exe	76
PID 4828 wrote to memory of 4852	4828	netsh.exe	76
PID 4828 wrote to memory of 4852	4828	netsh.exe	76

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\scr1ipt.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\hv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\0x21.pif
        
        C:\Users\Admin\AppData\Local\Temp\0x21.pif
        5⤵
        Loads dropped DLL
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0x21.pif

Filesize
76KB

MD5
f43c6b629baaaaee1e7fe095a8821631

SHA1
f0e4b84bb1fa6ba985e281f3afc9642afca168b5

SHA256
4196f6776110e75a9670fb5843f373e90e88c0826ead45a30e9578221ff44ae3

SHA512
2b475850705fa37dd0c1b093d31ccce48ffdbcc614215ffb304070b4f31e16ca651d4569af39b36482c848751f1e31b7fd647bd23245718a0a1e877a6417878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4258a5c7

Filesize
1.1MB

MD5
dde1133a7ce646dc91f9e7e65d2ee94c

SHA1
2c2bd29bd039299aa23fa805ff067ff0a7efff23

SHA256
151f43a8bc3e2773eb99c101d0eadf20f767f02f8d4c31ebba502dff12e4ad55

SHA512
63859216f1443cffc7ec24c65d5450f8288c98af69a87af6455d21129b31c994bd1f7e1636f10764b1b75822973f276c94bab01e1e8469828c94178dc504424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfz0swkk.x1j.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\hv.exe

Filesize
8.7MB

MD5
480f8cf600f5509595b8418c6534caf2

SHA1
dc13258ebb83bdf956523d751f67e29d6e4cf77e

SHA256
6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2

SHA512
f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\iepdf32.dll

Filesize
4.3MB

MD5
f3f6876d132eb277842e31ddc42aa7fa

SHA1
9c167a2854ed106b74dff55a30bdefc55b140e9a

SHA256
4ba2ddde8a4549d08bfe4441643aa626e84d7653b8ddc6ed61823e78aeb3cdf1

SHA512
38b86c745945b0f97461542f89b2570210ddc3fcfeabfe2243a3b861dd80be6641e4b4181956d73926b7926d7c460db8a908ccb912c5209003ee24427aa135f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\rhombohedron.ai

Filesize
59KB

MD5
674dfd74a1bef081bf0da83f893138e5

SHA1
2a254cc02fea4c55bbc3133b99a9e2fd03082ae7

SHA256
67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180

SHA512
0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\o6kdDPLX49vNLa7\shovelnose.deb

Filesize
827KB

MD5
90b47672d8134f8cc464d83a5cde8d34

SHA1
69567e6a2dd5569b8cd2876a275f5d9a2ad8743f

SHA256
cc38b5cb522fdf8d2fe5e85c50d72e1b8ac39d36deb157d4bffdda7970c5ba8b

SHA512
7dbeb8d4a5674c088fa904a9fdcddf9cb84d41b2d2c887ba38cfcdd1ac30cf4cd8ae28bc33fc3ee51139e78645f7fb580dfaf57e939c4e144b79d507a1d1d90b

Download Submit
memory/2840-27-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-10-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-39-0x00007FFAB90B3000-0x00007FFAB90B4000-memory.dmp

Filesize
4KB

Download
memory/2840-40-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-41-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-42-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-46-0x0000020549AC0000-0x000002054A266000-memory.dmp

Filesize
7.6MB

Download
memory/2840-63-0x00000205489D0000-0x00000205489E2000-memory.dmp

Filesize
72KB

Download
memory/2840-76-0x00000205489B0000-0x00000205489BA000-memory.dmp

Filesize
40KB

Download
memory/2840-26-0x0000020548DE0000-0x0000020549306000-memory.dmp

Filesize
5.1MB

Download
memory/2840-25-0x00000205486E0000-0x00000205488A2000-memory.dmp

Filesize
1.8MB

Download
memory/2840-9-0x0000020548170000-0x00000205481E6000-memory.dmp

Filesize
472KB

Download
memory/2840-5-0x0000020547FC0000-0x0000020547FE2000-memory.dmp

Filesize
136KB

Download
memory/2840-0-0x00007FFAB90B3000-0x00007FFAB90B4000-memory.dmp

Filesize
4KB

Download
memory/2840-121-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-6-0x00007FFAB90B0000-0x00007FFAB9A9C000-memory.dmp

Filesize
9.9MB

Download
memory/3324-130-0x0000000000190000-0x0000000000A66000-memory.dmp

Filesize
8.8MB

Download
memory/3324-122-0x00007FFAD4D50000-0x00007FFAD4F2B000-memory.dmp

Filesize
1.9MB

Download
memory/3324-120-0x00000000763F0000-0x0000000076457000-memory.dmp

Filesize
412KB

Download
memory/4292-135-0x00000000763F0000-0x0000000076457000-memory.dmp

Filesize
412KB

Download
memory/4292-136-0x00007FFAD4D50000-0x00007FFAD4F2B000-memory.dmp

Filesize
1.9MB

Download
memory/4292-137-0x00000000763F0000-0x0000000076457000-memory.dmp

Filesize
412KB

Download
memory/4292-139-0x0000000000980000-0x0000000001256000-memory.dmp

Filesize
8.8MB

Download
memory/4828-141-0x00007FFAD4D50000-0x00007FFAD4F2B000-memory.dmp

Filesize
1.9MB

Download
memory/4852-146-0x00007FFAD4D50000-0x00007FFAD4F2B000-memory.dmp

Filesize
1.9MB

Download
memory/4852-147-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download
memory/4852-148-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing