lumma | e88e83193cc7752b3fff67082209bc9c2f40351fd5b24cda09fe170c5335619a

Analysis

max time kernel
65s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NShаrk.zip
Size

103.5MB
MD5

5ed8758f546ecd41a7dbe294a5ae14e5
SHA1

f8770a55c828efe15083c695ac6cfe2d7f10278b
SHA256

e88e83193cc7752b3fff67082209bc9c2f40351fd5b24cda09fe170c5335619a
SHA512

c03a6dcca6c0ca3b012ec277cdaa16353840145538642edc9edecf175fa6497b932941e3e5101391a3c5d865c6c67ea03583b462ae59761d9b44a979cb9861ee
SSDEEP

3145728:fNazN7yQdY0ZohO/+IxfZlaOpWI36BCvyicYnEu:1oN7yQC0Zp2IJna4WYvxcLu

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://highawaretemptersudwu.xyz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 2 IoCs

pid	Process
4464	NShаrk.exe
316	NShаrk F1 x.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4264	4464	NShаrk.exe	101

Program crash 1 IoCs

pid	pid_target	Process	procid_target
424	4464	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NShаrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	7zFM.exe
Token: 35	1708	7zFM.exe
Token: SeSecurityPrivilege	1708	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1708	7zFM.exe
1708	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101
PID 4464 wrote to memory of 4264	4464	NShаrk.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NShаrk.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\NShаrk\NShаrk.exe
"C:\Users\Admin\AppData\Local\Temp\NShаrk\NShаrk.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 256
  2⤵
  - Program crash
  PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4464 -ip 4464
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\NShаrk\F 1X if It dоesn't wоrk\NShаrk F1 x.exe
"C:\Users\Admin\AppData\Local\Temp\NShаrk\F 1X if It dоesn't wоrk\NShаrk F1 x.exe"
1⤵
- Executes dropped EXE
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NShаrk\F 1X if It dоesn't wоrk\NShаrk F1 x.exe

Filesize
29.1MB

MD5
152025c926edf53603411541f0f259c0

SHA1
0be7af5fc1c37b723e97846acbea794e31300614

SHA256
e9d09aee08577c911b177231aa238614dc119adb0a1e73ac148f4bac60eab8be

SHA512
e88cb2eeba5c1ff9e7492235810a1b3eb5e959b8056320db92c02e69d7a3ed532f1051e508d64cfd280613dc008409c31b5c3a4e51f92f42eba52d4bab5b7797

Download Submit
C:\Users\Admin\AppData\Local\Temp\NShаrk\NShаrk.exe

Filesize
550KB

MD5
c09a98923a69222bcca1bc1490e1e4fa

SHA1
3d3a91f71b1820260145db0c9cf9007d701de398

SHA256
47025ae589009308160e1135ba486e9b10bd2e7e237f09f0622056edd83333e0

SHA512
44eaf9c1e4ec21f78af1c10ac1610808e985630c7a60ab7aa1305c0ef63511fede812537f918298f0e6660e9090a367386544740050340021dfea3d527899891

Download Submit
memory/316-62-0x00007FF7FBA10000-0x00007FF7FD733000-memory.dmp

Filesize
29.1MB

Download
memory/4264-55-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4264-57-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4264-58-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4264-59-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4464-54-0x0000000000303000-0x0000000000305000-memory.dmp

Filesize
8KB

Download