lumma | 4347001de9e86880bed3ef8198e35336814dba78f4481126f78164927bc7f88d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 07:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

UkraineProstate.exe
Size

94.0MB
MD5

74176f6844b537e9a0ddca7b6019371b
SHA1

448986335499555ee2965de75796e559d8c46565
SHA256

26d34e08e7c80682ce084a7dac9824f507b52fba32283cebed7c80c7a3317f14
SHA512

710ef9b1338f006b70bbf94f6e5f12ef1c57421f9646b7dc74f22d9f93e2dfd8380e16a8a369be38306485fddb70e21d0dbe89526e99c3eab58ec51cb30e6fd8
SSDEEP

24576:ez9gG11dUGHjJmOgjLcSt+lILLanFZ9WiU0Y2ZVkRuX:A9pTUmBE/LunFZYX0Y2ZiuX

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

Extracted

Family

lumma

https://vozmeatillu.shop/api

https://gutterydhowi.shop/api

https://ghostreedmnu.shop/api

https://offensivedzvju.shop/api

https://drawzhotdog.shop/api

https://fragnantbui.shop/api

https://stogeneratmns.shop/api

https://reinforcenh.shop/api

https://ballotnwu.site/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
576	Boolean.pif

Loads dropped DLL 1 IoCs

pid	Process
2640	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2532	tasklist.exe
2568	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 576 set thread context of 2572	576	Boolean.pif	42

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RestAbc	UkraineProstate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boolean.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UkraineProstate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
576	Boolean.pif
576	Boolean.pif
576	Boolean.pif
576	Boolean.pif
576	Boolean.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	2532	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
576	Boolean.pif
576	Boolean.pif
576	Boolean.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
576	Boolean.pif
576	Boolean.pif
576	Boolean.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2640	2380	UkraineProstate.exe	30
PID 2380 wrote to memory of 2640	2380	UkraineProstate.exe	30
PID 2380 wrote to memory of 2640	2380	UkraineProstate.exe	30
PID 2380 wrote to memory of 2640	2380	UkraineProstate.exe	30
PID 2640 wrote to memory of 2568	2640	cmd.exe	32
PID 2640 wrote to memory of 2568	2640	cmd.exe	32
PID 2640 wrote to memory of 2568	2640	cmd.exe	32
PID 2640 wrote to memory of 2568	2640	cmd.exe	32
PID 2640 wrote to memory of 2752	2640	cmd.exe	33
PID 2640 wrote to memory of 2752	2640	cmd.exe	33
PID 2640 wrote to memory of 2752	2640	cmd.exe	33
PID 2640 wrote to memory of 2752	2640	cmd.exe	33
PID 2640 wrote to memory of 2532	2640	cmd.exe	35
PID 2640 wrote to memory of 2532	2640	cmd.exe	35
PID 2640 wrote to memory of 2532	2640	cmd.exe	35
PID 2640 wrote to memory of 2532	2640	cmd.exe	35
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2528	2640	cmd.exe	36
PID 2640 wrote to memory of 2600	2640	cmd.exe	37
PID 2640 wrote to memory of 2600	2640	cmd.exe	37
PID 2640 wrote to memory of 2600	2640	cmd.exe	37
PID 2640 wrote to memory of 2600	2640	cmd.exe	37
PID 2640 wrote to memory of 2608	2640	cmd.exe	38
PID 2640 wrote to memory of 2608	2640	cmd.exe	38
PID 2640 wrote to memory of 2608	2640	cmd.exe	38
PID 2640 wrote to memory of 2608	2640	cmd.exe	38
PID 2640 wrote to memory of 2924	2640	cmd.exe	39
PID 2640 wrote to memory of 2924	2640	cmd.exe	39
PID 2640 wrote to memory of 2924	2640	cmd.exe	39
PID 2640 wrote to memory of 2924	2640	cmd.exe	39
PID 2640 wrote to memory of 576	2640	cmd.exe	40
PID 2640 wrote to memory of 576	2640	cmd.exe	40
PID 2640 wrote to memory of 576	2640	cmd.exe	40
PID 2640 wrote to memory of 576	2640	cmd.exe	40
PID 2640 wrote to memory of 2596	2640	cmd.exe	41
PID 2640 wrote to memory of 2596	2640	cmd.exe	41
PID 2640 wrote to memory of 2596	2640	cmd.exe	41
PID 2640 wrote to memory of 2596	2640	cmd.exe	41
PID 576 wrote to memory of 2572	576	Boolean.pif	42
PID 576 wrote to memory of 2572	576	Boolean.pif	42
PID 576 wrote to memory of 2572	576	Boolean.pif	42
PID 576 wrote to memory of 2572	576	Boolean.pif	42
PID 576 wrote to memory of 2572	576	Boolean.pif	42
PID 576 wrote to memory of 2572	576	Boolean.pif	42

C:\Users\Admin\AppData\Local\Temp\UkraineProstate.exe
"C:\Users\Admin\AppData\Local\Temp\UkraineProstate.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Belle Belle.bat & Belle.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 408694
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "nebattlefieldconstitutewizard" Isbn
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Identical + ..\Harassment + ..\Indirect + ..\Lesbian + ..\Searching + ..\Renewable + ..\Mods v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\408694\Boolean.pif
    Boolean.pif v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\SysWOW64\nslookup.exe
      C:\Windows\SysWOW64\nslookup.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\408694\v

Filesize
509KB

MD5
260dad230138b9f30f5bada48382bfbd

SHA1
550930587cc5fe96c6608c46b46f91d7c454bd00

SHA256
43ec86ce4ed0ca12b5a8f122903f7345e52f650604953a78adbef9c64c064796

SHA512
35afbcd125f4b8e9f7f875b3687a891ff1deda717cea99af5e0cfa880055d3916d502579a29213036b0bcc0c4bdf096e996eeb90ef1ba09517d0cfae29d3ee3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Belle

Filesize
11KB

MD5
6ba6f344a8442633c5ef66c6fd6d389f

SHA1
0b96efa182c9353d3b637c3a899382528f5622d7

SHA256
d52e138576a8407b06b550525e881862d40701b2b80ec607460b4c1e12114bb1

SHA512
6c686d3a473a6aec247093b6252a63d93b1777530eb2c74a6dabcc353ecedb8eccc4afce22277dec193a3c9d75b4ff3006d9d458163743d6863ff12ea3879bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab676C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harassment

Filesize
98KB

MD5
bcb45e19eacf41f67118b88265ccba60

SHA1
2580e6ccde79b3df13282d46ac9ce35176799c85

SHA256
cf161152d9d85ea0e45355a776aa4967dbdca9e16f27de63c529a3041236bdd2

SHA512
6f454692645007985c3286fbdf338c3dc65fa3307fc3e88ed67a61520ad1f758dfa5e9e0b34c83bdbbb97bdd41932a8b847d6b1f760c7ecc5cf8095221a6634b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Identical

Filesize
90KB

MD5
a85771f5915b724d5b486e97ab90bbb5

SHA1
b978a93cd146fafe56e5e5e0e917b2adcc44f3f0

SHA256
aad971ccbb9a14e508277c55198fd1f8459eee036dbdad86ffee959f8ef7e165

SHA512
9a861f00802dd5fc89e5d4ce67bcb413c57f44415ece462cbd4bc10fcb5d7bbc93267ba12c44e8c7d07f826deea94efefa5104827daa2ce82ebf2735db302e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Indirect

Filesize
52KB

MD5
eae122f137877485466036461b62107f

SHA1
7fc9ca8134659874d929fa0508778f42dc5a4e5e

SHA256
135112ca6d0ea83a74353fcd82d417d15addc6e3935ea89513cc106e28c84a3a

SHA512
4d076eb5b808f1a3223c7a71a99ae3596c5eda1365f871af5b8a6a26a1f150dbc396819a404852759431337fcda3c36bc5561a8bda1f1706d9011f36f7c9c89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Isbn

Filesize
6KB

MD5
6ad7635fa1dff1ed833ad126ef38d156

SHA1
7b59b051a4650106207adedff610b8978b414d1f

SHA256
2e458deec4c359267ec9db97449d9b8407c045162105782998bd58efc623c784

SHA512
87aaf138ffb910d948e6af83f3b3e163d601bb5f488dfba4a072ddae9a1f4ec50b2b1d63e5c6200d66ad9629a77cdced97d2d21d5aa992e96cbc501b49957cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lesbian

Filesize
95KB

MD5
658715def7f7fc08df5f8d47adf54685

SHA1
39e552b4fdc36774aa7f3f7482b918591f79c623

SHA256
3a21923bf58a25da2b481787030acd17ac1e1d0360c0e1894d6b616aa7794531

SHA512
db020cbd1f6b2fa86e9d5a5e79ac43165071b41c73636c342351d714cf58710e0235d9ea1ce6626c153c80df53d6a062685f615d28b1fa7aa7211cede76f29d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Medal

Filesize
866KB

MD5
65c0b368ff360bf51fd8c3008e73347f

SHA1
9bdbb2fcc758ee86e9595b8ea96ebf10ee8f2cb1

SHA256
d39ec1e31b51e977b1c52ecad15a8f91ed6350e5fc31e1e2065b3389fb9a63d1

SHA512
7b8176564872fa1076fc054bd59fc4d95d69ceb427bea5d11b2896cf865686e7777e1fadcf08f5b42bad2cedbf291003049c280c8f64e6d8f558629fdc859e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mods

Filesize
9KB

MD5
7e5b10bd90843fa447dc89ef3faa7c9e

SHA1
c7c8626161f6743f61ac9863e4a2b4de64edbf41

SHA256
1329d7af4a6656586baa03a88aeec839353f78986ce114374b14d7b41074718f

SHA512
d560f779bb28792a70cb8c763a926a36af265bf926e2162e126c4372ba3d2402db2b548ca7faffeee0c5a011430c4fd30ac9aa6ba98f608252b0b8b3782e274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Renewable

Filesize
74KB

MD5
afc3a2773694420405c7d20a01086e48

SHA1
07edaf9411b29f20c2d2d382208e84da09a44f68

SHA256
c86445d36e03cac46546f013e5b46f92b5558128db5b92816b3da17b3f6eeb46

SHA512
7d0aeccad483568e783297f350eb9bbb5240613c729e39d236e185fc3fbc5d1228e5f0bd928da5eec7145420ce5d7949d248cd3178b7ea1a892780c24d368f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Searching

Filesize
91KB

MD5
981a955680d4fa382d5e3e7516d704d8

SHA1
2d714249c80bac17cd9653fd646599b94ee63327

SHA256
a856d7c3d457b3b6b8661f3c357e2d4f5cc0875a9bcee9cad8ed1c423b939024

SHA512
4cfb7bbf76923d675d97326cd772b0ac2851684c4b9d9527b1e1801deec255a1866614bb5aff656cae10f0068488d0eb7ec434a0e34190f7b2271dd14e29c4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar679E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\408694\Boolean.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2572-29-0x0000000000080000-0x00000000000E5000-memory.dmp

Filesize
404KB

Download
memory/2572-30-0x0000000000080000-0x00000000000E5000-memory.dmp

Filesize
404KB

Download
memory/2572-31-0x0000000000080000-0x00000000000E5000-memory.dmp

Filesize
404KB

Download