lumma | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbkM1cFluak1OZzZsa21Ob1c3RFJfTmhLcWp2Z3xBQ3Jtc0tuZ3QtT3o3czVEOWFpUU5Xajd0VWhQX0lQdHpNWE9ZY0NnZlp5QzlTOGdiUld4TDYxa2NYcTBreGhURHAxdVVSV0JfRDlMTTlHNHlnNXhqd1VKM0N6YmIwUXZGR20xenc3Tnd0Ni1xRGhOc1d2NE9pMA&q=https%3A%2F%2Fwww[.]mediafire[.]com%2Ffolder%2Fhh6g372sijmjr%2FLauncher&v=8hu5qno36u8

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbkM1cFluak1OZzZsa21Ob1c3RFJfTmhLcWp2Z3xBQ3Jtc0tuZ3QtT3o3czVEOWFpUU5Xajd0VWhQX0lQdHpNWE9ZY0NnZlp5QzlTOGdiUld4TDYxa2NYcTBreGhURHAxdVVSV0JfRDlMTTlHNHlnNXhqd1VKM0N6YmIwUXZGR20xenc3Tnd0Ni1xRGhOc1d2NE9pMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhh6g372sijmjr%2FLauncher&v=8hu5qno36u8

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://empiredmnuowq.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
1520	Laucher.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 4572	1520	Laucher.exe	132

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4804	4572	WerFault.exe	132
6064	4572	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laucher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3532	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2492	7zG.exe
Token: 35	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe
Token: SeSecurityPrivilege	2492	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	7zG.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132
PID 1520 wrote to memory of 4572	1520	Laucher.exe	132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbkM1cFluak1OZzZsa21Ob1c3RFJfTmhLcWp2Z3xBQ3Jtc0tuZ3QtT3o3czVEOWFpUU5Xajd0VWhQX0lQdHpNWE9ZY0NnZlp5QzlTOGdiUld4TDYxa2NYcTBreGhURHAxdVVSV0JfRDlMTTlHNHlnNXhqd1VKM0N6YmIwUXZGR20xenc3Tnd0Ni1xRGhOc1d2NE9pMA&q=https%3A%2F%2Fwww.mediafire.com%2Ffolder%2Fhh6g372sijmjr%2FLauncher&v=8hu5qno36u8
1⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4648,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=760 /prefetch:1
1⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4392,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4828 /prefetch:1
1⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5428,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:1
1⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5616,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
1⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5624,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6048,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6068 /prefetch:8
1⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6264,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:1
1⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6416,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6440 /prefetch:1
1⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4180,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:1
1⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6548,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:1
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6804,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6796 /prefetch:1
1⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6972,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:1
1⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6776,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:1
1⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7108,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:1
1⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7280,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=7416 /prefetch:1
1⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7272,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=7564 /prefetch:1
1⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7924,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:8
1⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7888,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=7920 /prefetch:1
1⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=8272,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8248 /prefetch:1
1⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=8516,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8560 /prefetch:1
1⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8076,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8112 /prefetch:1
1⤵
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=6472,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8160 /prefetch:1
1⤵
PID:5452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=8584,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8532 /prefetch:8
1⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=6044,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:1
1⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8004,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=8184 /prefetch:8
1⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5856,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
1⤵
PID:6040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Launcher\" -spe -an -ai#7zMap17410:78:7zEvent29768
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Launcher\Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3532

C:\Users\Admin\Downloads\Launcher\Laucher.exe
"C:\Users\Admin\Downloads\Launcher\Laucher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1372
    3⤵
    - Program crash
    PID:4804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1324
    3⤵
    - Program crash
    PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4572 -ip 4572
1⤵
PID:6036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\Launcher\Laucher.exe

Filesize
341KB

MD5
3686bac3dc75f79f0a97abf822c290b1

SHA1
89393c9ad390f6ca8e1a2e5d6489c49b5654e3f8

SHA256
34fb54c90bfe8d0af2071c669fb87953d3bc9632101d66b5c65849df3441f34b

SHA512
f7cf532331e15e46a27e29ca592b309846ddddbcceb2151339de2a46419101af70f6f5453992ba0b4a928aac9fb483d2b28706bcdab64b9ef28f95504b53c4eb

Download Submit
C:\Users\Admin\Downloads\Launcher\Readme.txt

Filesize
323B

MD5
ecb34a34c311327ffd58654187f4fdf7

SHA1
704c685b8db5ba640831a8efd04d813c208803ec

SHA256
ed4f3cb4ebd4b654bd481be9a6bf97c881573d088bda807c72a9e939b8c26214

SHA512
16c319f43e07f65dcb746437f7b30c5cef430b1d356117a972e0fdd20414325f7528e8f773955c431dff4e4a450e6cbc306b8ba2eace00f20cb9195765a88174

Download Submit
memory/1520-41-0x0000000000F00000-0x0000000000F5A000-memory.dmp

Filesize
360KB

Download
memory/4572-43-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4572-47-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4572-46-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Resubmissions

Analysis

Sharing