lumma | b86f6bae66732ad1c928f05296c9abef2f801e1351362e0956317a8c65ef2942

Analysis

max time kernel
79s
max time network
81s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24/06/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

24.7MB
MD5

ff705c79ed5dda7bdbd720803eedfbac
SHA1

a0abfcfa4b58775ca4bd8c4f05887eb8105fe0f8
SHA256

f3c82a7d7446140bce47e45fa8f37def3f36655c6241e18e392703e4a56165e8
SHA512

532649e997b9ba528fef2ad60975a686ae83ae514ff1ead59f53ae8e178f33ff8f8296798e4fa181a16bc83b83c7d6ec26c75d03a1ce542586859379e3a10b8a
SSDEEP

393216:l9jmwJGRFpRdOupOibnGa3dTYDqrycuXhbCNCU:jjLibGmTYgyj2gU

Score

10^/10

lumma persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 5 IoCs

pid	Process
1764	Setup.tmp
4676	Setup.tmp
4420	UnRAR.exe
1724	pythonw.exe
3896	pythonw.exe

Loads dropped DLL 5 IoCs

pid	Process
1724	pythonw.exe
1724	pythonw.exe
3896	pythonw.exe
3896	pythonw.exe
4180	psexec.c

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 1532	3896	pythonw.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4676	Setup.tmp
4676	Setup.tmp
1724	pythonw.exe
3896	pythonw.exe
3896	pythonw.exe
1532	netsh.exe
1532	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3896	pythonw.exe
1532	netsh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4676	Setup.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1764	2912	Setup.exe	73
PID 2912 wrote to memory of 1764	2912	Setup.exe	73
PID 2912 wrote to memory of 1764	2912	Setup.exe	73
PID 1764 wrote to memory of 4528	1764	Setup.tmp	74
PID 1764 wrote to memory of 4528	1764	Setup.tmp	74
PID 1764 wrote to memory of 4528	1764	Setup.tmp	74
PID 4528 wrote to memory of 4676	4528	Setup.exe	75
PID 4528 wrote to memory of 4676	4528	Setup.exe	75
PID 4528 wrote to memory of 4676	4528	Setup.exe	75
PID 4676 wrote to memory of 4420	4676	Setup.tmp	76
PID 4676 wrote to memory of 4420	4676	Setup.tmp	76
PID 4676 wrote to memory of 1724	4676	Setup.tmp	78
PID 4676 wrote to memory of 1724	4676	Setup.tmp	78
PID 1724 wrote to memory of 3896	1724	pythonw.exe	79
PID 1724 wrote to memory of 3896	1724	pythonw.exe	79
PID 3896 wrote to memory of 1532	3896	pythonw.exe	80
PID 3896 wrote to memory of 1532	3896	pythonw.exe	80
PID 3896 wrote to memory of 1532	3896	pythonw.exe	80
PID 3896 wrote to memory of 1532	3896	pythonw.exe	80
PID 1532 wrote to memory of 4180	1532	netsh.exe	82
PID 1532 wrote to memory of 4180	1532	netsh.exe	82
PID 1532 wrote to memory of 4180	1532	netsh.exe	82
PID 1532 wrote to memory of 4180	1532	netsh.exe	82

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp" /SL5="$10004E,25213810,791040,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\is-IJP4K.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IJP4K.tmp\Setup.tmp" /SL5="$70058,25213810,791040,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\\UnRAR.exe" x -pwjfQa$fkeH$U -o+ "C:\Users\Admin\AppData\Local\\ArchiveTool\\config\\\ytvtfccvtrdrtxrex676ddd5r45s5sdd6.rar" "C:\Users\Admin\AppData\Local\\ArchiveTool\\config\\"
        5⤵
        Executes dropped EXE
        
        PID:4420
    - - C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe
        
        "C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Users\Admin\AppData\Roaming\UpdateConfig_v1\pythonw.exe
        
        C:\Users\Admin\AppData\Roaming\UpdateConfig_v1\pythonw.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\SysWOW64\netsh.exe
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\psexec.c
        
        C:\Users\Admin\AppData\Local\Temp\psexec.c
        8⤵
        Loads dropped DLL
        
        PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ArchiveTool\config\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\binocular.apk

Filesize
80KB

MD5
03c02077961b71f6a643972b3d988ae5

SHA1
b442b35f1e72354f770b841e9ba049b973c0e8b1

SHA256
1e4d9fa17024468c630a100f9c07e9243cb09efc2be73c825203ff3157e6d0bf

SHA512
b53fab2226b0956f6899fc2589ee23a696f43fb9ec06c78c055316aa4e198cbce474d62f8fdc3336896f63f547b5553a7e4263a72c811c82b7d1e1cf05dc4c4c

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\grate.mkv

Filesize
1.2MB

MD5
f999e902dbc45970b581b0f5b323f8d0

SHA1
946ddb7c9279a88439372753b32aa00d7fda2a68

SHA256
426bf3fd1c6aca3e9571d95e1694914929c36ed1b83d63e461ab0aafc7381ce9

SHA512
8d1d43ef3e251da5935f94ff0e681592a0e113d955fae71666718f37931d6a3922b165672227e3a3ee18f620c05596adf58ed9b8f75a311404289f11e8a2e30d

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\python310.dll

Filesize
4.3MB

MD5
e5ab46e36a16ec0dd181d4af1ba767b1

SHA1
f5b98206859ed512848b2cc00b23e04536df15be

SHA256
fdd4698a782a8eab1a1ab83052f58093bd1295d2beb6ba2d1c9fefef36b73c79

SHA512
63d658a291d5f1fd446e50ebbc4e41e6864fe766c0c6689c3d33a0619010f819c32493d1ae7d4107667537539aa6135e462c33f5abc4bcfd5ba0056647f136b8

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\ytvtfccvtrdrtxrex676ddd5r45s5sdd6.rar

Filesize
3.3MB

MD5
7d51b9ba3241369ecdd16183f46f8c95

SHA1
6445d239a4a5c90a3a8865acca5ee446e05b73cc

SHA256
9a7280c5d69d67544b358e66f1e2da2258d05821095b3fd3de6a2ce525d24a39

SHA512
8dff2af9c2d68f6c115bb7bcb441521fe36275df0b4da96e0aeeb154c425b2894040a173a0ac3d6819e810836f6810cafb3da27b0f6bf310cff5ccbcf86ac8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\eef6aad9

Filesize
1.7MB

MD5
da03b4841b1baaaa760be1a8ab445411

SHA1
5d5a98e2ba6325bfb5829e697e5d15e637453685

SHA256
cd74da0157611982dc8207a477af814260e40abd176d21bbae640bd88fa03282

SHA512
d8503e00c36792a84c545a9e8de64b4e0be79d05b3d21bca279347e09dba1e91efc551c675412d0cf2505ef2385237a160482fd78862191e2dc23831b04c643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp

Filesize
2.5MB

MD5
225ce7b7c4005244f9a868927695b167

SHA1
5c2da01dc94a66fae0a70da81a53b2f7fc3ef0d3

SHA256
0f768482302eac28723bc0d35b942f79a17ad99222c19eccffd3a3c4dfa642a2

SHA512
c9794717e40fc0ebffb093df1dde53ecaf1a00e053543639bfc2cbcb965507811fcd7a2f2675988e4c44a83650bb18b5c59a97ddb483c88a702b9f5285316c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\psexec.c

Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
memory/1532-71-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

Filesize
1.9MB

Download
memory/1724-53-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/1764-13-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/1764-6-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/2912-15-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2912-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2912-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3896-67-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/3896-68-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/4180-76-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

Filesize
1.9MB

Download
memory/4180-77-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/4180-78-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/4528-52-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4528-9-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4676-50-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download