lumma | e8a2c65e92425fbf15dd44d059a2c72d91115405c218cb7efb24398e64890e9f

General

Target

CC Checker AcTeam 2024 New.exe
Size

948KB
MD5

0c8a1abfdf5b509c756bf70ee21f336c
SHA1

3c898020da388dfedfb21dc3615d72e8e961f3d5
SHA256

92f3490b6ecbe173abb47430d34e89bc6c15e5768a481eb2e47e8c140c9507cb
SHA512

63a95de14b65bf18cbb856fd2561821b79ccb0cdf455b4bdd7988e1ac19605de03542ec7b6ba4a32b9f319abff833986bcfe4367e009af89cf72b467a894ed74
SSDEEP

12288:oVqjHV2bLAergV8JmdsF/tkz94jXOl3hT4Jt57GwVBtMRxd8t38R+NavlVtmF7ML:oEV27gSMdsFPql3hOML04xvhmFW+EAh

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	bswpEloHXX.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	bswpEloHXX.exe

Executes dropped EXE 2 IoCs

pid	Process
4468	CIVHfsxh2j.exe
1992	bswpEloHXX.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4468 set thread context of 2448	4468	CIVHfsxh2j.exe	83

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4484	4148	WerFault.exe	76
2864	4468	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CIVHfsxh2j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CC Checker AcTeam 2024 New.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4148 wrote to memory of 4820	4148	CC Checker AcTeam 2024 New.exe	77
PID 4820 wrote to memory of 4468	4820	MSBuild.exe	81
PID 4820 wrote to memory of 4468	4820	MSBuild.exe	81
PID 4820 wrote to memory of 4468	4820	MSBuild.exe	81
PID 4820 wrote to memory of 1992	4820	MSBuild.exe	82
PID 4820 wrote to memory of 1992	4820	MSBuild.exe	82
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83
PID 4468 wrote to memory of 2448	4468	CIVHfsxh2j.exe	83

C:\Users\Admin\AppData\Local\Temp\CC Checker AcTeam 2024 New.exe
"C:\Users\Admin\AppData\Local\Temp\CC Checker AcTeam 2024 New.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Users\Admin\AppData\Roaming\CIVHfsxh2j.exe
    "C:\Users\Admin\AppData\Roaming\CIVHfsxh2j.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 264
      4⤵
      Program crash
      PID:2864
- - C:\Users\Admin\AppData\Roaming\bswpEloHXX.exe
    "C:\Users\Admin\AppData\Roaming\bswpEloHXX.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 248
  2⤵
  - Program crash
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 4148
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4468 -ip 4468
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CIVHfsxh2j.exe

Filesize
538KB

MD5
7af1438f0aa8ed4019a0d2a57099f09b

SHA1
c64f06fe4fca961cc57870d2b24f79c999b72e5c

SHA256
a113860f88b3d9f7d51d9df36717c54923d69b59598b7eb30238d691615e1d3b

SHA512
7825f79a8b86fa10c8e8fea0f355e6fb4d5c799ae0cc2889f4589b1404338601f7ca9734f37b7daffed9e5b0957b5f6252a599bdaae9f67f7fbdbb84c58ed3d3

Download Submit
C:\Users\Admin\AppData\Roaming\bswpEloHXX.exe

Filesize
11KB

MD5
5afb8ce4dd3923219bd69bd7b5168d91

SHA1
e06283294510284af9082eb67d368e6d88d9e232

SHA256
f727bba8d917fa3f129d71745e0741a8511f940b1a6817ff5130aa2f3ae85c79

SHA512
8135efb34c768a9c292b54bc25845dd9b388e98f9f0b67918fbf5887c8e1d3da81bb84e044eebdf0868c40a685bd157daafb4789b373dea3e273c5275ebd0740

Download Submit
memory/1992-31-0x00000220A01F0000-0x00000220A01F8000-memory.dmp

Filesize
32KB

Download
memory/1992-29-0x00007FFF62B53000-0x00007FFF62B55000-memory.dmp

Filesize
8KB

Download
memory/2448-35-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2448-38-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2448-33-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2448-37-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4148-0-0x000000000103C000-0x000000000103D000-memory.dmp

Filesize
4KB

Download
memory/4468-32-0x00000000000D5000-0x00000000000D6000-memory.dmp

Filesize
4KB

Download
memory/4820-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4820-3-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4820-5-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4820-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4820-28-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4820-1-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing