lumma | 584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe
Size

5.9MB
MD5

30772bcce9852eb58cf05a75bcdce2f9
SHA1

b43da7a9785fb47cc1174bb4a896866fbb1a0df0
SHA256

584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc
SHA512

a816a2f40e75925214e19b35e507e1a35b4d9e5775b71e1abfa23d75e4d21d2293080be6598b5060b1d5045d5da180ee263fb395f16619719ec515e0f31b6675
SSDEEP

98304:+pYdpXlLQCWYPzgXWx4qMO3X81hMTuJDdoi37BtYaCCKuZ5qM3g3b9LSsSuIAERN:+pGdbhgXWxRMO3XsmuxddCdoU3J7SuIR

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://facilitycoursedw.shop/api

https://doughtdrillyksow.shop/api

https://disappointcredisotw.shop/api

https://bargainnygroandjwk.shop/api

https://injurypiggyoewirog.shop/api

https://leafcalfconflcitw.shop/api

https://computerexcudesp.shop/api

https://publicitycharetew.shop/api

https://periodicroytewrsn.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 2 IoCs

pid	Process
2348	EASteamProxy.exe
2788	EASteamProxy.exe

Loads dropped DLL 20 IoCs

pid	Process
2136	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2348	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2788 set thread context of 2636	2788	EASteamProxy.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2348	EASteamProxy.exe
2788	EASteamProxy.exe
2788	EASteamProxy.exe
2636	cmd.exe
2636	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2788	EASteamProxy.exe
2636	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2348	2136	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe	30
PID 2136 wrote to memory of 2348	2136	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe	30
PID 2136 wrote to memory of 2348	2136	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe	30
PID 2136 wrote to memory of 2348	2136	584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe	30
PID 2348 wrote to memory of 2788	2348	EASteamProxy.exe	31
PID 2348 wrote to memory of 2788	2348	EASteamProxy.exe	31
PID 2348 wrote to memory of 2788	2348	EASteamProxy.exe	31
PID 2788 wrote to memory of 2636	2788	EASteamProxy.exe	32
PID 2788 wrote to memory of 2636	2788	EASteamProxy.exe	32
PID 2788 wrote to memory of 2636	2788	EASteamProxy.exe	32
PID 2788 wrote to memory of 2636	2788	EASteamProxy.exe	32
PID 2788 wrote to memory of 2636	2788	EASteamProxy.exe	32
PID 2636 wrote to memory of 2992	2636	cmd.exe	35
PID 2636 wrote to memory of 2992	2636	cmd.exe	35
PID 2636 wrote to memory of 2992	2636	cmd.exe	35
PID 2636 wrote to memory of 2992	2636	cmd.exe	35
PID 2636 wrote to memory of 2992	2636	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe
"C:\Users\Admin\AppData\Local\Temp\584945fbd2076bc151184065a72373f87405136be7b0131d36ded7d986b968fc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\EASteamProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\EASteamProxy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
    C:\Users\Admin\AppData\Roaming\demoWordpad_dbg\EASteamProxy.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EASteamProxy.exe

Filesize
5.4MB

MD5
ad2735f096925010a53450cb4178c89e

SHA1
c6d65163c6315a642664f4eaec0fae9528549bfe

SHA256
4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e

SHA512
1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSVCP140_1.dll

Filesize
34KB

MD5
69d96e09a54fbc5cf92a0e084ab33856

SHA1
b4629d51b5c4d8d78ccb3370b40a850f735b8949

SHA256
a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee

SHA512
2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qt5Core.dll

Filesize
6.0MB

MD5
68e600cb754e04557ef716b9ebc93fe4

SHA1
8302ab611e787c312b971ce05935ff6e956faede

SHA256
8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42

SHA512
8bbd7d14b59f01eba7c46a6e8592c037cab73bed1eb0762fc278cf7b81082784e88d777a32f71bc2de128c0186321004bfa4ca68d1bcaa5660694c007219e98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qt5Network.dll

Filesize
1.3MB

MD5
6b63ca8c121d546642f9e2793e0862de

SHA1
f3301b0aa224fa406ec27f4ab16983811ab3b47b

SHA256
e3b7e0392cc48d21850c950ac0799624a9268a3f549ca791687f21acc46bbdf7

SHA512
5ec10a14c7f72c11b1ffa81e1180df1c63bb740d62ba956eef06fb1ba3305eec317f2e148db1a21063ad1c12226567643faa70a99b8e16af7c3ca3377e5a9ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd80b3c1

Filesize
1019KB

MD5
0aa0066ee85ac76c44010f3d451c7d7a

SHA1
5e87e3848d69b4a0a04fb1dc6fb6977cffc761dc

SHA256
12fd9ceedec8450f27aa28d541093befc7a5f679ff9fd7342791a4087aa05ed3

SHA512
a6ee46eaab604fc9ff7dfc73dd74939c98bb9591cfca25248c9cebb5846d8ca72f97c55b4e0167c72ab23ed8f551dea87167b8403271096f72b9d08d2b48ca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackleg.pptx

Filesize
19KB

MD5
52faf44080314d7b1649ff4fa2bd4b38

SHA1
819c0be129bd3e02d3db596b657a990bb82142d3

SHA256
3f52b33b984df8e59dbdf6312f7a165437a2b33ee43c80a1e6a4c913c30d959a

SHA512
dbf4276d0c18c15fabb2ca79448b510333ff3f378b5195fd9d0d72bddb3e6ecef316507d1f01c0aeee769c30cbc4293fc594bbbfb1c1d067f95940666407ace2

Download Submit
C:\Users\Admin\AppData\Local\Temp\decibel.mp3

Filesize
790KB

MD5
b60be8ff2a7f2a1c8a49f6adc4ccba97

SHA1
d4c9cd22a4efe790d6e6c5fd0cd6385e54a9ca29

SHA256
114a4c8f8b4cbc799f2093d44386d57cac0990719128cd864bac571c63a02b41

SHA512
af001bc023fddce01f1741248785582dafd859853780ab8058b236e19b068b22a60c2866d9521b1dac53c7fc59f145c5943891f9b0d04f2e491e5e5ea1939a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
28dea3e780552eb5c53b3b9b1f556628

SHA1
55dccd5b30ce0363e8ebdfeb1cca38d1289748b8

SHA256
52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8

SHA512
19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api64.dll

Filesize
291KB

MD5
6b4ab6e60364c55f18a56a39021b74a6

SHA1
39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256
1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3

SHA512
c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Download Submit
\Users\Admin\AppData\Local\Temp\libssl-1_1-x64.dll

Filesize
669KB

MD5
4ad03043a32e9a1ef64115fc1ace5787

SHA1
352e0e3a628c8626cff7eed348221e889f6a25c4

SHA256
a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1

SHA512
edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
memory/2348-48-0x000007FEF5510000-0x000007FEF5668000-memory.dmp

Filesize
1.3MB

Download
memory/2636-90-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/2636-89-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2636-97-0x0000000074D00000-0x0000000074E74000-memory.dmp

Filesize
1.5MB

Download
memory/2788-86-0x000007FEF52B0000-0x000007FEF5408000-memory.dmp

Filesize
1.3MB

Download
memory/2788-85-0x000007FEF52B0000-0x000007FEF5408000-memory.dmp

Filesize
1.3MB

Download
memory/2992-99-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2992-100-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2992-101-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download