lumma | 380ddb92cb04d1c7030f74ba59bad9c1f06ec3a6b5b2a92ea3b8348d0ab3ecfb

Analysis

max time kernel
34s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix/x86_64-w64-ranlib.exe
Size

250KB
MD5

b40603b7987e2a438a9031274f9b3a2f
SHA1

33991bf7f63266d80dce58b562a39961f70a44a4
SHA256

fa7512bc01ed215ecbbcc2c1fd8b73fd77c6222f3f86604f714881d4460fa11f
SHA512

c09abbfb10c49a50b3b4c1a5f08a9576a0cb89e87e5d8c60685db4aeb9ec8e47f59773685d182bfcbed8ebe3e72b50503a27876cd917f12a3f39a68816635796
SSDEEP

3072:76b0UkfKZe8wvHInktbACG9er/wFpz05+t6lTMBorSaXXlXf:Ob0UctzH6QjsUazm9

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://froytnewqowv.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Loads dropped DLL 1 IoCs

Processes:

x86_64-w64-ranlib.exe

pid process

4436 x86_64-w64-ranlib.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

x86_64-w64-ranlib.exe

description pid process target process

PID 4436 set thread context of 3132 4436 x86_64-w64-ranlib.exe aspnet_regiis.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3384 3132 WerFault.exe aspnet_regiis.exe
2872 3132 WerFault.exe aspnet_regiis.exe

pid	process
4436	x86_64-w64-ranlib.exe

description	pid	process	target process
PID 4436 set thread context of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe

pid	pid_target	process	target process
3384	3132	WerFault.exe	aspnet_regiis.exe
2872	3132	WerFault.exe	aspnet_regiis.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

x86_64-w64-ranlib.exeaspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_64-w64-ranlib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings OpenWith.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

1248 OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	OpenWith.exe

pid	process
1248	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

x86_64-w64-ranlib.exe

description	pid	process	target process
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe
PID 4436 wrote to memory of 3132	4436	x86_64-w64-ranlib.exe	aspnet_regiis.exe

C:\Users\Admin\AppData\Local\Temp\fix\x86_64-w64-ranlib.exe
"C:\Users\Admin\AppData\Local\Temp\fix\x86_64-w64-ranlib.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1188
3⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1228
3⤵
- Program crash
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3132 -ip 3132
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3132 -ip 3132
1⤵
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\d3d9x.dll
Filesize
480KB

MD5
ee17e8b41433c7c5f5df512bbc6c3f4d

SHA1
763dbfd2d8e44c71b7645736f63f2c34f3ff06a3

SHA256
fa0abdf2f09a54637e26f6be24ab38766b7e04c5dfd5c13f485fe3e108cbe3da

SHA512
0231663ed20020bac18bc2bff2e13568651dda747fceee5ac648a276bba3fb79c5cae928dcd12d0715d33b519a46157a2fa9df739a5c3c1e4afdf94299c36e24

Download Submit
memory/3132-11-0x0000000000600000-0x000000000064E000-memory.dmp

Filesize
312KB

Download
memory/3132-15-0x0000000000600000-0x000000000064E000-memory.dmp

Filesize
312KB

Download
memory/3132-18-0x0000000000600000-0x000000000064E000-memory.dmp

Filesize
312KB

Download
memory/4436-6-0x0000000077821000-0x0000000077941000-memory.dmp

Filesize
1.1MB

Download