lumma | c326b43d538c562ff7e613f19773147a0395740c864a4bcdbdcbc1c9a3c3716f

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

₳DÐ✵SetUp✓/Setup.exe
Size

4.3MB
MD5

4cba82135c6e44265dfb2a4845dff950
SHA1

7dbce4c16cbd045ce8a3c2ea15df7fee3df10bcc
SHA256

e6d5ef67201ef8ed953a36a6fb44aaafb40dec7a4002efb7ebe6c20f35244495
SHA512

81441841a5fb6fc9507407ea9f07c16d98a1a3ca7c5eb4dabe92cc6fb93f0641ac681906dabf7aedab32a3cb6289cc2922e03bb33210eac72170797e82df60cc
SSDEEP

49152:w8mxtRio/dXZg+KXXI7QKS/++2+UEaipCiPdCQIhdwIxKoZqD6uoZqUO3HoaPgoR:M92/++2+/pDNB3HokjGbc

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://erdefendkzov.shop/api

https://chippyfroggsyhz.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2824	StrCmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	BagelHatchet.pif

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 652 set thread context of 1508	652	Setup.exe	87
PID 1508 set thread context of 2832	1508	more.com	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BagelHatchet.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.docktheme	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell\open\command	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\shell\open\command	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\₳DÐ✵SetUp✓\\Setup.exe\",1"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\DefaultIcon	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\ = "ObjectDock .DockZip's contain image files that other users have packged up to share, which automatically get added to your ObjectDock Image Library when opened."	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\₳DÐ✵SetUp✓\\Setup.exe\" \"%1\""	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme\shell	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\ = "ObjectDock Theme Package"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\AppServer\\PDZAWQNKTVYDJ\\StrCmp.exe"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockpack\ = "ObjectDock Theme Package"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockzip	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock DockZip Image Package\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\₳DÐ✵SetUp✓\\Setup.exe\" \"%1\""	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\₳DÐ✵SetUp✓\\Setup.exe\",1"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Docklet\ = "ObjectDock Docklet"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.docktheme\ = "ObjectDock Theme"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dockpack	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ObjectDock Theme Package\shell	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
652	Setup.exe
652	Setup.exe
1508	more.com
1508	more.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
652	Setup.exe
1508	more.com
1508	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
652	Setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
652	Setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2824	StrCmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 2824	652	Setup.exe	85
PID 652 wrote to memory of 2824	652	Setup.exe	85
PID 652 wrote to memory of 2824	652	Setup.exe	85
PID 652 wrote to memory of 1508	652	Setup.exe	87
PID 652 wrote to memory of 1508	652	Setup.exe	87
PID 652 wrote to memory of 1508	652	Setup.exe	87
PID 652 wrote to memory of 1508	652	Setup.exe	87
PID 1508 wrote to memory of 2832	1508	more.com	89
PID 1508 wrote to memory of 2832	1508	more.com	89
PID 1508 wrote to memory of 2832	1508	more.com	89
PID 1508 wrote to memory of 2832	1508	more.com	89
PID 1508 wrote to memory of 2832	1508	more.com	89

C:\Users\Admin\AppData\Local\Temp\₳DÐ✵SetUp✓\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\₳DÐ✵SetUp✓\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe
  C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2824
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif
    C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\466035d0

Filesize
1.2MB

MD5
8658475fdad28ed7a1876702bc64776a

SHA1
770ffa2d07bbd7bb4488b591065ad4841b5143a2

SHA256
3b5ae5ed5c3cc4806dcaef9fa8d9f70b20d193f923ec90034b7b3bee9c8951e0

SHA512
cd3f9e8bebfe6ff0a509e47a0e6556853de042c0073d977ae34f673cb5c2d3f228c73b547516f7ab85f1594fd1b207bcee5b6fe0c3249375b73a407025058bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif

Filesize
29KB

MD5
d0509de5ba78cdfb67f897b06d9d184d

SHA1
f3ea9fa41831739d38353167754c0bb5a9544001

SHA256
a5a7183977808efbaa1ca3e55776f09bcae8f30e2aa5b0520c9cd88cd0d4997d

SHA512
0cdfb02946e8450a057db69f3e4331adc2b1bffee2d6002ea2a1ba8b9964883dd71c6f5becd41c02a4a06fd84e20836348b56af3696ae21587a774ec75d9f2c5

Download Submit
C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
memory/652-0-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

Filesize
1.4MB

Download
memory/652-7-0x00007FF889DA9000-0x00007FF889DAA000-memory.dmp

Filesize
4KB

Download
memory/652-6-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

Filesize
1.4MB

Download
memory/652-8-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

Filesize
1.4MB

Download
memory/652-14-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

Filesize
1.4MB

Download
memory/1508-23-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/1508-21-0x0000000075AEE000-0x0000000075AF0000-memory.dmp

Filesize
8KB

Download
memory/1508-20-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/1508-26-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

Filesize
1.5MB

Download
memory/1508-18-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

Filesize
2.0MB

Download
memory/1508-33-0x0000000075AEE000-0x0000000075AF0000-memory.dmp

Filesize
8KB

Download
memory/2832-25-0x00000000747E0000-0x0000000075A34000-memory.dmp

Filesize
18.3MB

Download
memory/2832-29-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

Filesize
2.0MB

Download
memory/2832-30-0x00000000004F0000-0x0000000000562000-memory.dmp

Filesize
456KB

Download
memory/2832-31-0x00000000747E1000-0x00000000747E8000-memory.dmp

Filesize
28KB

Download
memory/2832-32-0x00000000004F0000-0x0000000000562000-memory.dmp

Filesize
456KB

Download
memory/2832-34-0x00000000004F0000-0x0000000000562000-memory.dmp

Filesize
456KB

Download