Overview

overview

10

Static

static

1

em_wh1U8LE...64.msi

windows10-1703-x64

10

em_wh1U8LE...64.msi

windows7-x64

10

em_wh1U8LE...64.msi

windows10-2004-x64

10

em_wh1U8LE...64.msi

windows11-21h2-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi

  • Size

    94.2MB

  • Sample

    240811-s15g8awalq

  • MD5

    f740670bd608f6a564366606e0bba8da

  • SHA1

    c635e8453bf0f06c34d41d3319670e5dc966a5f4

  • SHA256

    ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1

  • SHA512

    88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e

  • SSDEEP

    1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ

Score
10/10
lummadiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

lumma

C2

https://swinngydisaosp.shop/api

https://writerospzm.shop/api

https://deallerospfosu.shop/api

https://bassizcellskz.shop/api

https://mennyudosirso.shop/api

https://languagedscie.shop/api

https://complaintsipzzx.shop/api

https://quialitsuzoxm.shop/api

https://tenntysjuxmz.shop/api

Targets

    • Target

      em_wh1U8LEO_installer_Win7-Win11_x86_x64.msi

    • Size

      94.2MB

    • MD5

      f740670bd608f6a564366606e0bba8da

    • SHA1

      c635e8453bf0f06c34d41d3319670e5dc966a5f4

    • SHA256

      ba3cdc5190b44da96e5ecb5f39e2cbe3713984dc8062cdab679c759de51500b1

    • SHA512

      88f1e800265e4e72f914e50240a6a7cca630ea4bcd6981be13237cc6f42b182741542b907737490a367453c179ace55fb64c3e0fb2cb6ecf1bace7a442458e0e

    • SSDEEP

      1572864:SX+lBWb7cVOxi2CDRq/SUx6EIL2CjmFkm+pF7Vxo81MOL9vh12epl37cTLiAhRLh:nLYxsRq/76L2CjmCZpRXouxvD6LbhRHJ

    Score
    10/10
    lummadiscoveryexecutionpersistenceprivilege_escalationstealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Command and Scripting Interpreter: AutoIT

      Using AutoIT for possible automate script.

      execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

AutoHotKey & AutoIT

1
T1059.010

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Defense Evasion

Modify Registry

1
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks