lumma | 2a875c4f05a84aa5fa139d23e0b51b7cd2047c06a35d051ebd0891bd11f3a721

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MediPeel.exe
Size

10.7MB
MD5

ebb28d3da6ea29cec25910328415f994
SHA1

a178aaa66b50fb03e3db39902b31400b7088f2b1
SHA256

2a875c4f05a84aa5fa139d23e0b51b7cd2047c06a35d051ebd0891bd11f3a721
SHA512

a6073636b21f19e69a7f0e9b1ef201867fbad9a14f10f1d2c8b63cc3b2f6fdf3b3954be1955b37c8034ff52e048fe489f27553aaf28401bc93a317753f02c09a
SSDEEP

196608:Q4xFLbxtbJBdZaK31/aGdJXOLBZIy+fjfKCGqlQGDM427lZCcxxi6VTDqQ7poZQ:QeVbxH93Fa0JXDysQR57lZnxxi+TOQ7z

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://refrencireoi.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	MediPeel.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	AutoIt3.exe

Executes dropped EXE 4 IoCs

pid	Process
4024	MediPeel.tmp
2348	MediPeel.tmp
2152	AutoIt3.exe
3548	AutoIt3.exe

Loads dropped DLL 2 IoCs

pid	Process
4024	MediPeel.tmp
2348	MediPeel.tmp

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4128	tasklist.exe
4828	tasklist.exe
972	tasklist.exe
4172	tasklist.exe
3912	tasklist.exe
3044	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3548 set thread context of 2472	3548	AutoIt3.exe	125

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediPeel.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdateCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediPeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediPeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediPeel.tmp

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2976	cmd.exe
1000	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AutoIt3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AutoIt3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1000	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2348	MediPeel.tmp
2348	MediPeel.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	4128	tasklist.exe
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeDebugPrivilege	972	tasklist.exe
Token: SeDebugPrivilege	4172	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2348	MediPeel.tmp

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4024	4412	MediPeel.exe	85
PID 4412 wrote to memory of 4024	4412	MediPeel.exe	85
PID 4412 wrote to memory of 4024	4412	MediPeel.exe	85
PID 4024 wrote to memory of 3348	4024	MediPeel.tmp	87
PID 4024 wrote to memory of 3348	4024	MediPeel.tmp	87
PID 4024 wrote to memory of 3348	4024	MediPeel.tmp	87
PID 3348 wrote to memory of 2348	3348	MediPeel.exe	88
PID 3348 wrote to memory of 2348	3348	MediPeel.exe	88
PID 3348 wrote to memory of 2348	3348	MediPeel.exe	88
PID 2348 wrote to memory of 4292	2348	MediPeel.tmp	89
PID 2348 wrote to memory of 4292	2348	MediPeel.tmp	89
PID 4292 wrote to memory of 3912	4292	cmd.exe	91
PID 4292 wrote to memory of 3912	4292	cmd.exe	91
PID 4292 wrote to memory of 3224	4292	cmd.exe	92
PID 4292 wrote to memory of 3224	4292	cmd.exe	92
PID 2348 wrote to memory of 688	2348	MediPeel.tmp	94
PID 2348 wrote to memory of 688	2348	MediPeel.tmp	94
PID 688 wrote to memory of 3044	688	cmd.exe	96
PID 688 wrote to memory of 3044	688	cmd.exe	96
PID 688 wrote to memory of 3344	688	cmd.exe	97
PID 688 wrote to memory of 3344	688	cmd.exe	97
PID 2348 wrote to memory of 4536	2348	MediPeel.tmp	98
PID 2348 wrote to memory of 4536	2348	MediPeel.tmp	98
PID 4536 wrote to memory of 4128	4536	cmd.exe	100
PID 4536 wrote to memory of 4128	4536	cmd.exe	100
PID 4536 wrote to memory of 2424	4536	cmd.exe	101
PID 4536 wrote to memory of 2424	4536	cmd.exe	101
PID 2348 wrote to memory of 3840	2348	MediPeel.tmp	102
PID 2348 wrote to memory of 3840	2348	MediPeel.tmp	102
PID 3840 wrote to memory of 4828	3840	cmd.exe	104
PID 3840 wrote to memory of 4828	3840	cmd.exe	104
PID 3840 wrote to memory of 3432	3840	cmd.exe	105
PID 3840 wrote to memory of 3432	3840	cmd.exe	105
PID 2348 wrote to memory of 1300	2348	MediPeel.tmp	106
PID 2348 wrote to memory of 1300	2348	MediPeel.tmp	106
PID 1300 wrote to memory of 972	1300	cmd.exe	108
PID 1300 wrote to memory of 972	1300	cmd.exe	108
PID 1300 wrote to memory of 3360	1300	cmd.exe	109
PID 1300 wrote to memory of 3360	1300	cmd.exe	109
PID 2348 wrote to memory of 2672	2348	MediPeel.tmp	110
PID 2348 wrote to memory of 2672	2348	MediPeel.tmp	110
PID 2672 wrote to memory of 4172	2672	cmd.exe	112
PID 2672 wrote to memory of 4172	2672	cmd.exe	112
PID 2672 wrote to memory of 1652	2672	cmd.exe	113
PID 2672 wrote to memory of 1652	2672	cmd.exe	113
PID 2348 wrote to memory of 2152	2348	MediPeel.tmp	114
PID 2348 wrote to memory of 2152	2348	MediPeel.tmp	114
PID 2348 wrote to memory of 2152	2348	MediPeel.tmp	114
PID 2152 wrote to memory of 2976	2152	AutoIt3.exe	121
PID 2152 wrote to memory of 2976	2152	AutoIt3.exe	121
PID 2152 wrote to memory of 2976	2152	AutoIt3.exe	121
PID 2976 wrote to memory of 1000	2976	cmd.exe	123
PID 2976 wrote to memory of 1000	2976	cmd.exe	123
PID 2976 wrote to memory of 1000	2976	cmd.exe	123
PID 2976 wrote to memory of 3548	2976	cmd.exe	124
PID 2976 wrote to memory of 3548	2976	cmd.exe	124
PID 2976 wrote to memory of 3548	2976	cmd.exe	124
PID 3548 wrote to memory of 2472	3548	AutoIt3.exe	125
PID 3548 wrote to memory of 2472	3548	AutoIt3.exe	125
PID 3548 wrote to memory of 2472	3548	AutoIt3.exe	125
PID 3548 wrote to memory of 2472	3548	AutoIt3.exe	125
PID 3548 wrote to memory of 2472	3548	AutoIt3.exe	125

C:\Users\Admin\AppData\Local\Temp\MediPeel.exe
"C:\Users\Admin\AppData\Local\Temp\MediPeel.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\is-6RADF.tmp\MediPeel.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6RADF.tmp\MediPeel.tmp" /SL5="$701E0,10267176,812544,C:\Users\Admin\AppData\Local\Temp\MediPeel.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\MediPeel.exe
    "C:\Users\Admin\AppData\Local\Temp\MediPeel.exe" /VERYSILENT /NORESTART
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\is-9MBSG.tmp\MediPeel.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9MBSG.tmp\MediPeel.tmp" /SL5="$901C2,10267176,812544,C:\Users\Admin\AppData\Local\Temp\MediPeel.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:3344
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:2424
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3840
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:3432
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:3360
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\pensy\AutoIt3.exe
        
        "C:\Users\Admin\AppData\Local\pensy\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\pensy\\bombinate.a3x"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\cszzkfj.a3x && del C:\ProgramData\\cszzkfj.a3x
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\pensy\AutoIt3.exe
        
        AutoIt3.exe C:\ProgramData\\cszzkfj.a3x
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0PV1T.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6RADF.tmp\MediPeel.tmp

Filesize
3.1MB

MD5
0d3c13ea2213808a14905b85f141061a

SHA1
31b3a57012127a5bda5beec6ac3901700b6f702c

SHA256
8241b818954f711736e70b5b3c4513e1f035cc35f394d7fefde18b64e59cda51

SHA512
50d84a7c01c2c8c94fd8f1c8b9043c7d9c31e1d7ff16532f115a7a50be6c3cf9df5e0ef8eddb667feeb53ff693468e64db13ad1d7b9c8b9a7c8447d42c3559dc

Download Submit
C:\Users\Admin\AppData\Local\pensy\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\pensy\bombinate.a3x

Filesize
62KB

MD5
2011fd050c4ca32737a3c7a1eceab131

SHA1
4b1c49c9d00750f57d3ed84f5e0deedfe90ee6ed

SHA256
3076733f6d4d580c995d8a675ad6f1e3731cd08a713aac0a8ce3cdb82182c482

SHA512
3786718aa8dbb4e8377c97ae810019281bfcd36b1f2aa807edfb8e7f0116dac03a9d1fa1d7dbc77cc4135315a8e4abb38e544592994aee95919e5683f2bb24d0

Download Submit
C:\Users\Admin\AppData\Local\pensy\bombinate.gif

Filesize
478KB

MD5
a2d51318f12154d1577dd5d267e38a31

SHA1
63b6e1880f674838612f99754b1a90114d2f71e4

SHA256
3214f770354ce2aa47691390b25fbbf89b472a41ae2e6549f3a1388667a6d6d3

SHA512
28abcaa05df554fa1f5dd4d98aa13e77e45f24aa72c69cf558debe4e87176bd916014b9d8e47f10fcbb8d56fe3d1609b1694e7675f60f224feca9368cf16e4a3

Download Submit
memory/2348-21-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2348-174-0x0000000000D90000-0x00000000010C4000-memory.dmp

Filesize
3.2MB

Download
memory/2472-184-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2472-185-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3348-13-0x0000000000050000-0x0000000000124000-memory.dmp

Filesize
848KB

Download
memory/3348-178-0x0000000000050000-0x0000000000124000-memory.dmp

Filesize
848KB

Download
memory/4024-15-0x0000000000D60000-0x0000000001094000-memory.dmp

Filesize
3.2MB

Download
memory/4024-6-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4412-17-0x0000000000050000-0x0000000000124000-memory.dmp

Filesize
848KB

Download
memory/4412-2-0x0000000000051000-0x00000000000F9000-memory.dmp

Filesize
672KB

Download
memory/4412-0-0x0000000000050000-0x0000000000124000-memory.dmp

Filesize
848KB

Download