lumma | 14fa452afcc4ff5ee00c88e603f670af754af1f8d0f53ae7cbaaa4b8c44afe1d

General

Target

x86_64-win64-ranlib.rar
Size

101.6MB
MD5

360e220a0ad7d7771381380291d1fdca
SHA1

8540aff3ff35c33a3537da15d7f59c87dbf367d6
SHA256

14fa452afcc4ff5ee00c88e603f670af754af1f8d0f53ae7cbaaa4b8c44afe1d
SHA512

0dc66bbcfdc3beb5f091c7f8fddf1148c89f98cd5ee177e1d7b4774ca224d6667e3fb8b14e0a198b3f6cfc8f27f1396cc4758db1852a25d0d72df17cb6ba8eee
SSDEEP

3145728:UMqnPiVuViUkukCc63AwWkFb6xuMPPXhz:ULnS0dkuk7ukuePh

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://racklilekwqp.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

win64.exe

pid process

1052 win64.exe
Loads dropped DLL 1 IoCs

Processes:

win64.exe

pid process

1052 win64.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

win64.exe

description pid process target process

PID 1052 set thread context of 3276 1052 win64.exe aspnet_regiis.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

920 3276 WerFault.exe aspnet_regiis.exe
3396 3276 WerFault.exe aspnet_regiis.exe

pid	process
1052	win64.exe

pid	process
1052	win64.exe

description	pid	process	target process
PID 1052 set thread context of 3276	1052	win64.exe	aspnet_regiis.exe

pid	pid_target	process	target process
920	3276	WerFault.exe	aspnet_regiis.exe
3396	3276	WerFault.exe	aspnet_regiis.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

win64.exeaspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Modifies registry class 3 IoCs

Processes:

cmd.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	4676	7zG.exe
Token: 35	4676	7zG.exe
Token: SeSecurityPrivilege	4676	7zG.exe
Token: SeSecurityPrivilege	4676	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

4676 7zG.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

4856 OpenWith.exe
2752 OpenWith.exe

pid	process
4676	7zG.exe

pid	process
4856	OpenWith.exe
2752	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

win64.exe

description	pid	process	target process
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe
PID 1052 wrote to memory of 3276	1052	win64.exe	aspnet_regiis.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib.rar
1⤵
- Modifies registry class
PID:436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\" -spe -an -ai#7zMap22102:118:7zEvent2663
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\win64.exe
"C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\win64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1188
3⤵
- Program crash
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1228
3⤵
- Program crash
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3276 -ip 3276
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3276 -ip 3276
1⤵
PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\msvcp140.dll
Filesize
482KB

MD5
cb452ff0e3988a8c7fb41688ec781075

SHA1
b290b4abf85e9ea8e936074af87a80a46a428d82

SHA256
c0afba25a5bee7ede2e6613ee37cc06798eaa01db001818c8f170da140deab7c

SHA512
49df21c1362bdb12b908a2c8fbd9e4b671f32cd6505bc799500a831387c7c8bf302862dc003f7ebdd6d7b11f980bed2d28f5f7ac30550786af712f9336c98ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86_64-win64-ranlib\win64.exe
Filesize
269KB

MD5
2f09c68b10b5408c90e7c1a3cc6acb30

SHA1
3cfcca38337c19e8f9d0468153461a3dbb3fbab9

SHA256
d4b670521fe8171afb54639e2ee31ae5d2474f2f4003e5535fe2cd4fa8d59163

SHA512
f964a0aa40da7b6e470e8326b0f0ee50023e7ff4c2a9752e8ba2aefedddc3ee8ad3db69e350644aeddbfbe2768a8cb3e0898083e7901ed965b1927bdf61d85cf

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9x.dll
Filesize
482KB

MD5
527215990a163859c5839bcb63c33939

SHA1
85a5d60cbbf4e9711886dc45a31e99c9bbc826ca

SHA256
9ff423e7e4032403d5edebd04950241bdeb393ea8d0a528aabd990a5f21ef9e6

SHA512
7730558b4476144891d090091d001f734866314d6006ffc464adcaa7c616fade623a4da0e061d15fc71c7b487b0247c469009d2bc6e24cff2c57c7b96cfe24cc

Download Submit
memory/3276-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3276-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads