lumma | 9fcb457a89551c5ab94303779ebfc4737bd74be935a1ac68cda0d22bb51b3202

Resubmissions

25/09/2024, 16:28

240925-tynx5avfkk 10

Analysis

max time kernel
45s
max time network
51s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2857272927b6bb6d2ca396778b859b2d.exe
Size

88.0MB
MD5

2857272927b6bb6d2ca396778b859b2d
SHA1

f73dd654b60ac8c2d5e76caa9cfa51c29eaea04a
SHA256

9fcb457a89551c5ab94303779ebfc4737bd74be935a1ac68cda0d22bb51b3202
SHA512

d94571bc8d10c01046ba6dc517eccadd58f3cfd709340c6edb67c24b5c5af775adc1d9fc973e2b93e11e26b382a5a03f1efd42cf4abaa2b78bb97cab1616be84
SSDEEP

24576:49EDJTQBTq7Dy92dekYwlYoRF7La/KK8bvYrCE9InCdPDL:4yEBuPy9g+wl4KK8bvIuQD

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://performenj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2588	Staying.pif

Loads dropped DLL 1 IoCs

pid	Process
2672	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2808	tasklist.exe
2972	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2104	2588	Staying.pif	41

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IndependentLicking	2857272927b6bb6d2ca396778b859b2d.exe
File opened for modification	C:\Windows\HazardCelebrities	2857272927b6bb6d2ca396778b859b2d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Staying.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2857272927b6bb6d2ca396778b859b2d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2588	Staying.pif
2588	Staying.pif
2588	Staying.pif
2588	Staying.pif
2588	Staying.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	tasklist.exe
Token: SeDebugPrivilege	2972	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2588	Staying.pif
2588	Staying.pif
2588	Staying.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2588	Staying.pif
2588	Staying.pif
2588	Staying.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2672	2260	2857272927b6bb6d2ca396778b859b2d.exe	29
PID 2260 wrote to memory of 2672	2260	2857272927b6bb6d2ca396778b859b2d.exe	29
PID 2260 wrote to memory of 2672	2260	2857272927b6bb6d2ca396778b859b2d.exe	29
PID 2260 wrote to memory of 2672	2260	2857272927b6bb6d2ca396778b859b2d.exe	29
PID 2672 wrote to memory of 2808	2672	cmd.exe	31
PID 2672 wrote to memory of 2808	2672	cmd.exe	31
PID 2672 wrote to memory of 2808	2672	cmd.exe	31
PID 2672 wrote to memory of 2808	2672	cmd.exe	31
PID 2672 wrote to memory of 2828	2672	cmd.exe	32
PID 2672 wrote to memory of 2828	2672	cmd.exe	32
PID 2672 wrote to memory of 2828	2672	cmd.exe	32
PID 2672 wrote to memory of 2828	2672	cmd.exe	32
PID 2672 wrote to memory of 2972	2672	cmd.exe	34
PID 2672 wrote to memory of 2972	2672	cmd.exe	34
PID 2672 wrote to memory of 2972	2672	cmd.exe	34
PID 2672 wrote to memory of 2972	2672	cmd.exe	34
PID 2672 wrote to memory of 2832	2672	cmd.exe	35
PID 2672 wrote to memory of 2832	2672	cmd.exe	35
PID 2672 wrote to memory of 2832	2672	cmd.exe	35
PID 2672 wrote to memory of 2832	2672	cmd.exe	35
PID 2672 wrote to memory of 2760	2672	cmd.exe	36
PID 2672 wrote to memory of 2760	2672	cmd.exe	36
PID 2672 wrote to memory of 2760	2672	cmd.exe	36
PID 2672 wrote to memory of 2760	2672	cmd.exe	36
PID 2672 wrote to memory of 2940	2672	cmd.exe	37
PID 2672 wrote to memory of 2940	2672	cmd.exe	37
PID 2672 wrote to memory of 2940	2672	cmd.exe	37
PID 2672 wrote to memory of 2940	2672	cmd.exe	37
PID 2672 wrote to memory of 2748	2672	cmd.exe	38
PID 2672 wrote to memory of 2748	2672	cmd.exe	38
PID 2672 wrote to memory of 2748	2672	cmd.exe	38
PID 2672 wrote to memory of 2748	2672	cmd.exe	38
PID 2672 wrote to memory of 2588	2672	cmd.exe	39
PID 2672 wrote to memory of 2588	2672	cmd.exe	39
PID 2672 wrote to memory of 2588	2672	cmd.exe	39
PID 2672 wrote to memory of 2588	2672	cmd.exe	39
PID 2672 wrote to memory of 2652	2672	cmd.exe	40
PID 2672 wrote to memory of 2652	2672	cmd.exe	40
PID 2672 wrote to memory of 2652	2672	cmd.exe	40
PID 2672 wrote to memory of 2652	2672	cmd.exe	40
PID 2588 wrote to memory of 2104	2588	Staying.pif	41
PID 2588 wrote to memory of 2104	2588	Staying.pif	41
PID 2588 wrote to memory of 2104	2588	Staying.pif	41
PID 2588 wrote to memory of 2104	2588	Staying.pif	41
PID 2588 wrote to memory of 2104	2588	Staying.pif	41
PID 2588 wrote to memory of 2104	2588	Staying.pif	41

C:\Users\Admin\AppData\Local\Temp\2857272927b6bb6d2ca396778b859b2d.exe
"C:\Users\Admin\AppData\Local\Temp\2857272927b6bb6d2ca396778b859b2d.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Yugoslavia Yugoslavia.bat & Yugoslavia.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 516523
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "domainsseenherbsjoin" Bradley
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Bike + ..\Davidson + ..\Armenia + ..\Mv + ..\Destinations + ..\Israeli + ..\Quality + ..\Peter T
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\516523\Staying.pif
    Staying.pif T
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\nslookup.exe
      C:\Windows\SysWOW64\nslookup.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2104
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\516523\T

Filesize
514KB

MD5
3035b9cd97522b3b35908ea2143e0e72

SHA1
fc0b1c5487bbe6f0ecf5032247f97faabc808c48

SHA256
0dcf33e6edc569e1a78594c96693b1c7e503de0ce0cc2b85b44822d9d3d0306d

SHA512
cd97708d2e7083a90ecac6fe24fdc20a12851cf65baba604f3c23b83cea9e01a35900ba254ca76a2d195623bcb363bc0454963e6d50ced881710b19d54c0799c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Armenia

Filesize
64KB

MD5
28bce328a3111e3db76a7838b2eb93cd

SHA1
e4bbec9181abc75107e6ff43a08b22ad6208ef21

SHA256
e8aabbaec5f2a50fb250ed6b0782a1e937b9fcc5a346fb4cc7c9ed2125985265

SHA512
a73a87c87071c9524248a09493ae6dab433a7b3744caee209d9f7607d577d03661e8b49a14178f2af7d0103c9e4e2e1088e84143c7c9cf14c79840b32d5901f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bike

Filesize
71KB

MD5
b24e7b4a33a7453f6dfda6828a669ee3

SHA1
3847ff888817187641a6ec0d28498fdbbe21459b

SHA256
b8f32225eed1309966ddeaee61488ccb17ba5302a68a35be0c40ac5bf6a12875

SHA512
49c4aec56e76c0ba9932045dedae6436dc1b2c6bd62585a5567d6a2ed56fa51de3fdb3f13f7a28405ce22972c8ddf175493041a5f6a35dc505a06f6020daca43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bradley

Filesize
5KB

MD5
e78d7b7cbab8d3729bec179bc4b85844

SHA1
a74b8d006008bf522be15ee22ff4a5050ae5a533

SHA256
b36b0b682a25f96c4f133bce5d5f33e7514be328cf1c8cf8c7984971a7bcfdd6

SHA512
ce07c0145b946929297c393f7e23a00b399cbb292ed3524c5965cbd4b70887737fb7431e119d511dbfc266d2594d5954c7f23ef8896ce31caae3e3fc6683c571

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3E5A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Davidson

Filesize
66KB

MD5
f7c079a1d03a068b6c27d62479828a9c

SHA1
87a7086b0391f4c4b77605375628680c5f47eb3b

SHA256
b60914c802225ad91dc11183768df905d4e8865f14c0778e9cd22a284e2f455f

SHA512
42701be452f9ea9fa2e369f5cd907d4974e31aab6391d474463da9f23e9908f6bf27e86a1ab0243f1ccc747537e19c9ac263913bace4fa83a652634b3d02e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Destinations

Filesize
58KB

MD5
cab9ca23af2aa0cf2eb457c8105ce750

SHA1
907ac57ea10db0e618d4a1e6e73f18c3d2d9c231

SHA256
e50fc78f83547dc9aa15ada75a1f0473b5635a04311279d6b33c203c1982930c

SHA512
a98ebd05ab92d498a4a735bbfa6babdf7c982fd3d6ba35af1c7691bb1f9ae29f9d7252e42430da50b3940ff160fdf26520f801e03f75f58653b9eee8b9f4f87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Israeli

Filesize
61KB

MD5
d59a95922fb45e8606faf4b143e67198

SHA1
a73997ce522b160218c5559d2ce3a40bee8a9b70

SHA256
1a33fdfe51725d69a8b4a05f790cf4f95297f879ae12c72cf85251a10d92abea

SHA512
82f2ab7c234b2b2c04adc006bdac6cb5cde8a086146ff38eef60d101755ffb28815b0d455ddb9cad9a99eb54f01b27eb2b9e13392fd49aad7ef6b0d0a65e7037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv

Filesize
70KB

MD5
3769745338fd6a8e1f139070ab2898d6

SHA1
a71d1ebfa1e3134dab8e8efc252cbaa5be2f9b80

SHA256
2f243cb2f77a86070247ae5783bda91f25f77ee43c6e72ea20f4ef4279723eb5

SHA512
4073cf5d7a047146eb81f082ee1ada57cb9764aa6efbef27dd1956be26b8667f0abd753cac323336311e732494f4a88ec7971faf0dec155c9305192be32c015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Peter

Filesize
39KB

MD5
aa4523d137e38f52e4f6bef6e5e50810

SHA1
e3be580a755f8d39a573e4ec3fa9d4143664454f

SHA256
56d8bc690f0fbaa14a8068462b950b5c61f4d9e096962cfbd4a4531385c0653d

SHA512
17188786f269a30cc7692764057d8625b6948db034f7a74774782c0b4a5e6e92e7bd7013b53e5e9e3e19dc77ddcd59c4fc1cea758100525227afc820171e5d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quality

Filesize
85KB

MD5
ffc751c1fd038fcae5c51f735a9692d8

SHA1
166a7fb08dbe1eec11935e379766d813125d463a

SHA256
e3f943a9a465a891477fcf094d718f930af72a6ac4842e9e8c77189c0b170baa

SHA512
7772998525590da2f1a211ba75430268849577946c36d94d66a213e47bb50f80c0d5fc8affa56cf644e19ae151a9b053db2f13b36327a5b290636401e54e0c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3EBA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Task

Filesize
866KB

MD5
335ae3d3c114c13a9129bdb167835512

SHA1
333438727585042fae3bcb5321e12cdb5198e5c1

SHA256
436eb2c076cf1e78b7f7bef74dfac3a04c88aae15f364a7193685a50e754d489

SHA512
77d20a7516f3fd23e32612e8e87923a94425df1cd4d32d27f5aa0a6e765b0aaad6316d58806750b88bcd5796c50950c3446e5643787a89fa055792db5d68b74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yugoslavia

Filesize
11KB

MD5
7662d6c4a6684891117286f8d0d7a5cb

SHA1
da9123730a8616cc24186fc18a72fe9a4007e03a

SHA256
118ba09ae23989d1a2c8ea36d65b7c4e5b0394cae1cb3632d19d75dba4a46f18

SHA512
f4622fd8dd1cc2b0265ad1db1e86e40d941a0531e609c382112aff616c2af8557de9a1fc4b9cc65e9233052193544c490367bd59d828dbebbc5d5711751e0e1c

Download Submit
\Users\Admin\AppData\Local\Temp\516523\Staying.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2104-31-0x0000000000080000-0x00000000000E4000-memory.dmp

Filesize
400KB

Download
memory/2104-32-0x0000000000080000-0x00000000000E4000-memory.dmp

Filesize
400KB

Download
memory/2104-33-0x0000000000080000-0x00000000000E4000-memory.dmp

Filesize
400KB

Download