lumma | d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48

Analysis

max time kernel
85s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/08/2024, 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
Size

1021KB
MD5

a63aa4427cbc2b463642def398f2d217
SHA1

49c3c7d4fea7f7abdf148e33b3470ce1bc23ecc5
SHA256

d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48
SHA512

4fedbe899a27f0c9c34a8c4cced85c68148dab9b605e24787b4552429ab6d1091bc78f8599ca0ca43acd18c6d74fe94830ed4303f24bf9ffe99b0cf9fec6a198
SSDEEP

24576:rhEQaXb3UlbHCxOBHyP1OL7LDMf0f7GSbTmTMs1eC:u9TUBHCxOxyP03LDG0jGSmTnd

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://enthusiandsi.shop/api

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3388 created 3400	3388	Precisely.pif	52

Executes dropped EXE 2 IoCs

pid	Process
3388	Precisely.pif
3736	Precisely.pif

Loads dropped DLL 1 IoCs

pid	Process
1120	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1424	tasklist.exe
2028	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3388 set thread context of 3736	3388	Precisely.pif	90

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InternetBufing	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
File opened for modification	C:\Windows\LlpThreats	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
File opened for modification	C:\Windows\IpaqCalcium	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
File opened for modification	C:\Windows\DistributionNj	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
File opened for modification	C:\Windows\BrandonTherefore	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Precisely.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Precisely.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	tasklist.exe
Token: SeDebugPrivilege	2028	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3388	Precisely.pif
3388	Precisely.pif
3388	Precisely.pif

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1424	1112	cmd.exe	80
PID 1112 wrote to memory of 1424	1112	cmd.exe	80
PID 1112 wrote to memory of 4664	1112	cmd.exe	81
PID 1112 wrote to memory of 4664	1112	cmd.exe	81
PID 1112 wrote to memory of 2028	1112	cmd.exe	83
PID 1112 wrote to memory of 2028	1112	cmd.exe	83
PID 1112 wrote to memory of 2080	1112	cmd.exe	84
PID 1112 wrote to memory of 2080	1112	cmd.exe	84
PID 1112 wrote to memory of 3224	1112	cmd.exe	85
PID 1112 wrote to memory of 3224	1112	cmd.exe	85
PID 1112 wrote to memory of 2696	1112	cmd.exe	86
PID 1112 wrote to memory of 2696	1112	cmd.exe	86
PID 1112 wrote to memory of 1196	1112	cmd.exe	87
PID 1112 wrote to memory of 1196	1112	cmd.exe	87
PID 1112 wrote to memory of 3388	1112	cmd.exe	88
PID 1112 wrote to memory of 3388	1112	cmd.exe	88
PID 1112 wrote to memory of 3388	1112	cmd.exe	88
PID 1112 wrote to memory of 1968	1112	cmd.exe	89
PID 1112 wrote to memory of 1968	1112	cmd.exe	89
PID 3388 wrote to memory of 3736	3388	Precisely.pif	90
PID 3388 wrote to memory of 3736	3388	Precisely.pif	90
PID 3388 wrote to memory of 3736	3388	Precisely.pif	90
PID 3388 wrote to memory of 3736	3388	Precisely.pif	90
PID 3388 wrote to memory of 3736	3388	Precisely.pif	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
  "C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Themes Themes.cmd & Themes.cmd & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\system32\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:4664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\system32\findstr.exe
    findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2080
- - C:\Windows\system32\cmd.exe
    cmd /c md 647551
    3⤵
    PID:3224
- - C:\Windows\system32\findstr.exe
    findstr /V "LatviaTicketClevelandPoet" Larger
    3⤵
    PID:2696
- - C:\Windows\system32\cmd.exe
    cmd /c copy /b Develop + Jeremy + Kazakhstan + Reviewed + Subtle + Expect 647551\h
    3⤵
    PID:1196
- - C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
    Precisely.pif h
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3388
- - C:\Windows\system32\choice.exe
    choice /d y /t 5
    3⤵
    PID:1968
- C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
  C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\647551\h

Filesize
448KB

MD5
6fdfd7bd8eeb457e56d58555cf25da5e

SHA1
8d62d43f955a3ac6d50f4c9b7d1ed888f9049f07

SHA256
0d27d248085e70ec9840900e32e71ee90f530968906eaf519144d007ce097ce6

SHA512
8a5e0fe06f7bd37aab434a4191d20f3c5074a9703e3797d3f59a17073d7e224824ddb7a9cd5e680efb8ac1f2bad217d18c65d1fa939d7f4c25c89eeaaa0af0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deemed

Filesize
872KB

MD5
c30baf006c23f5502a6eac13c4121cac

SHA1
a46b52d9441117cc8a6a1c3f68162ec294b68068

SHA256
0aa9d496c6ba1d362368cf3a612cd737f19fdd6051af41d748746da51dbefe9d

SHA512
af29fa6425006c8ff87fa2c422a2d49148bd6107c6d7a8aadc75ced5d5a08aea0e8d01de99cc95f077c58964b24b872a92b7f8d5d03989c3142c50bbd1b3510d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Develop

Filesize
73KB

MD5
1ebc315401a599085e455ae7d76e177e

SHA1
be61fa1790aff061b8bfe2e371c4352c6d172c1e

SHA256
bb86584cf9142113c81fab982202ccb61ef2c5eb1bb8972a0565eb76a8d97f70

SHA512
5c93163f13ebd7b8b6e81644d6bcffb308a0391c070515bcc9e32094c0e3da7c8167e7feefb21fd7c840abf9074a7959a589b8d0fa7aa76e116c6d6de84977c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expect

Filesize
18KB

MD5
53746be92b194c780a2d58f34ee00b11

SHA1
bb99ba3c2b950b1914182d6aebd760a24b7b8338

SHA256
191e020f3c5af35645b57244b3d84e9bac8463aee6f896bd7141c8e14c905f53

SHA512
f2bbe556a053b2f3b36fc9d6f36de908a23ab633f6a5ff38c62bb105866f0f8a64c66a7c9fad6ae381be1a0e2251bfed51c36ead64f696e24cced718ad1304e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jeremy

Filesize
99KB

MD5
7dc54410052dbb22f08d596a65d1e601

SHA1
79a2e7f1091008f152a586c446b947067b80709d

SHA256
17dce7c80e90b3b23fb3ba0845c44c0a7c90afeabe4545dbfbe96e0282d929ef

SHA512
258e8e9e88a4599fa481fcbaca5b92df22ee4593d7d0590f4a868dfa7165099899416b6987b83311f17818adf19d4dbb65c18ad659a2ee7e33c368d4bbef252b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kazakhstan

Filesize
99KB

MD5
fc34ac746c73f1a69c6ec09cb470964f

SHA1
9d2af2aa3d507e9dc9037801ca553e58ba8eb077

SHA256
31924043f5d76a478d819d8be63bcd1238f0c503a150893dc2a19e80ace9bb62

SHA512
9308a294788afb379fbb22afab6cbe78418048d708e1629a104a54b090327d8a4e3c958c889db96f186399c5f2ee66c8e5f699a2ee5480d764014366eddac0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Larger

Filesize
490B

MD5
99352b2770c4409f48bc24896f26baae

SHA1
b23f51bf53495bb973fbaf37ff34184e2b83b081

SHA256
057c2fdd3f765865510d3557f9083a2bdb68987f806a469a966dd2edbb28e37f

SHA512
1c9e194f9666ca0e6fc9df690557f58ec28c8393447c339740d1e29f855e0e8ed792310de420cce38df14a6000744b206bc262b38d0b479ed86203a0909ce2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reviewed

Filesize
91KB

MD5
dbb1c7e3ee4a5462f0d20f7f30748ed6

SHA1
55a501b433887f89934a7afb9b7e4eb44e828671

SHA256
d1464a5481d67860e6c99d488fcb5599908d15577fee5da65508492f37e387a1

SHA512
66df41b88eb949c5687ec125b1a4ee92e3ec5c72f8074037db60e8e57ad125d28fccddf5ac10e70708dd94a9a921bbec2e901873a8a267fd01d1505c4e3df79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subtle

Filesize
68KB

MD5
271a155148cd40704556bce7a8596163

SHA1
121c56e001c1f23b22ea3322c906f5a21eb690cd

SHA256
cf88957d77c63719387019270a38b952332d9d4ad0435c242833b6ea955eb036

SHA512
b7cdef8ee6f8b8ac04ebb294c10dcc10d266f453e0491dca42f5b1fa0bd2b3c61f3c62a7d32c4e69423cff300ee93cf7dc09c37824ca3cd5b66a15d65b474a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Themes

Filesize
22KB

MD5
36f1c87d9737391327b7a8a85eb876a4

SHA1
950ab5aa64bf8514b991c273251f37884d0baa8d

SHA256
d19b134a54477eb88a8051049bc528f172902bd7109e02bb48c56b113f45210c

SHA512
429bfdd110fdebbb30f3d455db7b1c1e8057e71a7f53db2d01e8e9ae2aab9bad5a15f7ba6c82704fa1dddf90adfc4a0742cc91d8375eaa3f2ba1a63362fb0793

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA8D4.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
memory/3736-34-0x0000000001090000-0x00000000010E7000-memory.dmp

Filesize
348KB

Download
memory/3736-35-0x0000000001090000-0x00000000010E7000-memory.dmp

Filesize
348KB

Download
memory/3736-37-0x0000000001090000-0x00000000010E7000-memory.dmp

Filesize
348KB

Download