lumma | c0c87999c4766638051dcbece93da4562fc1b919483ccd5eea1cea77c9bb3601

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

760KB
MD5

59a858112ddd4ff9560abc44b560e1d4
SHA1

ccca63a6e8591f9aefa9e83ed94c9e40a6655135
SHA256

c0c87999c4766638051dcbece93da4562fc1b919483ccd5eea1cea77c9bb3601
SHA512

9d1033e2a9f4250d32ac86589c2c7830dedaf9afe49af30f4af750ca8eadcd11f4395c840a297e07ef8dbe2c9e1d27a5438efaf8d2e48335c6909412eb736587
SSDEEP

12288:OAcRtQSzS3X1BiagXPoHRqgjcHTRDOH5WJ/z7pA0ZnwGdAFSpIQUwGuR1Tgpd:GjwmoOv1z7QtFAIQUh2BWd

Score

10^/10

lumma discovery stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 2 IoCs

resource	yara_rule
behavioral1/memory/2768-11-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4
behavioral1/memory/2768-3-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2768	3056	Bootstrapper.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	2768	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 3056 wrote to memory of 2768	3056	Bootstrapper.exe	32
PID 2768 wrote to memory of 2084	2768	RegSvcs.exe	33
PID 2768 wrote to memory of 2084	2768	RegSvcs.exe	33
PID 2768 wrote to memory of 2084	2768	RegSvcs.exe	33
PID 2768 wrote to memory of 2084	2768	RegSvcs.exe	33

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 288
    3⤵
    - Program crash
    PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2768-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2768-3-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2768-2-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3056-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download