lumma | 8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2d

Analysis

max time kernel
119s
max time network
51s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
Size

1013KB
MD5

3b303cd2c4bcb1b1e2c25386712799a0
SHA1

17456a87deb6030c21d1fc57412bbee517d0896e
SHA256

8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2d
SHA512

df80cfc4472e42b01e77885f97f7d05cf5587f7cd01857304ccf45520b24126b09eb1a4767b9cba70851e997978e2887d16663680e64fcd0cf5c4ace1064206d
SSDEEP

24576:EvuBLEhmTs4RSbRFlM0HztxF57ZE53QboufuqoGSxh:XLEoR2RfM0TtxF57ZYQ3HoGSf

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

https://probablekl.site

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2680	Sentence.pif

Loads dropped DLL 1 IoCs

pid	Process
2440	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2896	tasklist.exe
2684	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 1376	2680	Sentence.pif	42

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ApproximatelyPal	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
File opened for modification	C:\Windows\RegisterBecoming	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
File opened for modification	C:\Windows\WorcesterWa	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
File opened for modification	C:\Windows\DivxMirror	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
File opened for modification	C:\Windows\LightsAnnually	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sentence.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2680	Sentence.pif
2680	Sentence.pif
2680	Sentence.pif
2680	Sentence.pif
2680	Sentence.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	2684	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2680	Sentence.pif
2680	Sentence.pif
2680	Sentence.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2680	Sentence.pif
2680	Sentence.pif
2680	Sentence.pif

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2440	2208	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe	30
PID 2208 wrote to memory of 2440	2208	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe	30
PID 2208 wrote to memory of 2440	2208	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe	30
PID 2208 wrote to memory of 2440	2208	8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe	30
PID 2440 wrote to memory of 2896	2440	cmd.exe	32
PID 2440 wrote to memory of 2896	2440	cmd.exe	32
PID 2440 wrote to memory of 2896	2440	cmd.exe	32
PID 2440 wrote to memory of 2896	2440	cmd.exe	32
PID 2440 wrote to memory of 2928	2440	cmd.exe	33
PID 2440 wrote to memory of 2928	2440	cmd.exe	33
PID 2440 wrote to memory of 2928	2440	cmd.exe	33
PID 2440 wrote to memory of 2928	2440	cmd.exe	33
PID 2440 wrote to memory of 2684	2440	cmd.exe	35
PID 2440 wrote to memory of 2684	2440	cmd.exe	35
PID 2440 wrote to memory of 2684	2440	cmd.exe	35
PID 2440 wrote to memory of 2684	2440	cmd.exe	35
PID 2440 wrote to memory of 2860	2440	cmd.exe	36
PID 2440 wrote to memory of 2860	2440	cmd.exe	36
PID 2440 wrote to memory of 2860	2440	cmd.exe	36
PID 2440 wrote to memory of 2860	2440	cmd.exe	36
PID 2440 wrote to memory of 2672	2440	cmd.exe	37
PID 2440 wrote to memory of 2672	2440	cmd.exe	37
PID 2440 wrote to memory of 2672	2440	cmd.exe	37
PID 2440 wrote to memory of 2672	2440	cmd.exe	37
PID 2440 wrote to memory of 1160	2440	cmd.exe	38
PID 2440 wrote to memory of 1160	2440	cmd.exe	38
PID 2440 wrote to memory of 1160	2440	cmd.exe	38
PID 2440 wrote to memory of 1160	2440	cmd.exe	38
PID 2440 wrote to memory of 2704	2440	cmd.exe	39
PID 2440 wrote to memory of 2704	2440	cmd.exe	39
PID 2440 wrote to memory of 2704	2440	cmd.exe	39
PID 2440 wrote to memory of 2704	2440	cmd.exe	39
PID 2440 wrote to memory of 2680	2440	cmd.exe	40
PID 2440 wrote to memory of 2680	2440	cmd.exe	40
PID 2440 wrote to memory of 2680	2440	cmd.exe	40
PID 2440 wrote to memory of 2680	2440	cmd.exe	40
PID 2440 wrote to memory of 1064	2440	cmd.exe	41
PID 2440 wrote to memory of 1064	2440	cmd.exe	41
PID 2440 wrote to memory of 1064	2440	cmd.exe	41
PID 2440 wrote to memory of 1064	2440	cmd.exe	41
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42
PID 2680 wrote to memory of 1376	2680	Sentence.pif	42

C:\Users\Admin\AppData\Local\Temp\8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe
"C:\Users\Admin\AppData\Local\Temp\8f3bd6cfc591e89316c92c06066a0fe8e6ef2b70e81bde41b16a8c264a7acc2dN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Candy Candy.bat & Candy.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 485418
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "mustangdocumentsinfoislamic" Activity
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Wellington + ..\Interventions + ..\Translator + ..\Clouds + ..\Endorsement + ..\Memory + ..\Fd J
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\485418\Sentence.pif
    Sentence.pif J
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\nslookup.exe
      C:\Windows\SysWOW64\nslookup.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1376
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\485418\J

Filesize
525KB

MD5
167729921e5fa844e6a90b07aade4ff4

SHA1
13c5da95c3b616a0915c7e32813c50d3103de21a

SHA256
11a4a1a67d7475ef37081f6985c3db2699e75b905ebf53549ab7748bdacd0518

SHA512
06da9c0505963925f5e4ac4ef63171d07b5f33b1243d5173917d43c80d1933d1bce38070247a347dcf9d233e7bd146a0af6dfef0691efeb6c8eff42e40b35792

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activity

Filesize
7KB

MD5
2acdac943879345ad27e7fb52b325154

SHA1
4631fceb4bfaca2517a9e96a0a0234060ec138c6

SHA256
fd21a90e6e02866574c6125b113b832737d486f0ec975f30a3591f2c1f41ab57

SHA512
9c3bf105f900f3f59b2adab705c4ae6793eccddbf6847bd1b91393259c11f0e9fbf4911d1e988e338693fdbddcaf93b298bb572841d0bdfc9b949d72607f5aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab27FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Candy

Filesize
16KB

MD5
607dda08c5b8241b002fafec805f6877

SHA1
df8124ee6536ed194d500f86fc9f65362dbc14d6

SHA256
0fb793a88216f796fef688b36a8654eb3ee539d155ff4be185f21178e4f7b954

SHA512
2d83f38effd76345a8ad332ad0b28fe5494980f057734cdd75de957d5e72fe75f1a52a57a7d461df4ca619b578a0b1d92fb70c7fb48eb84d09b55143036b8d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chad

Filesize
865KB

MD5
aa4a7c5f6c8f0faa2ae79619d0a1729f

SHA1
e8843d708b84be0aab0bf8bd15ec1c5949f94ac6

SHA256
b1fa8e5c1ce2e4f6d8c97d8a2574d6773ac0849ba8ff4d50bace70ca15226634

SHA512
70630ff996ea2e43cd9cce79b06853ad816de022897c5810c58df1538c5a8918303183fb20a0bd9451c0c3fbe6e96d759ba2f374d110ca1ad44b2c92fed5599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clouds

Filesize
91KB

MD5
4ed177bd36fb164b993987df8cbc08ba

SHA1
ed27346f2b43d7ec44cb136da97b3bc9a9e78f6c

SHA256
0f8ffc9cd870a5f11dbe0d498c540e55a5063bb45d035d35f3b799f2b91b79e5

SHA512
1e3076a3098e8763699199faf7a9a1ef0eeb52cfca540018cfa00453edce097fa991e84024da56cf707da18f52c48dfe1055db8d60d038fcb3cad37d4985daaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Endorsement

Filesize
86KB

MD5
073deac8234ebcc20b613177fe1ad1cd

SHA1
8e8a29cb952b7d6981bed2947d1add21b867df30

SHA256
438b99c6c06ee11ef805e22156d15a08b8f8729d006208c80b8efeddd7e6a8cd

SHA512
2bcee92b4983de193ee53ef8f2a232da8d9f0d905923b021758653c60ba59b4957c5a6be73c2dc575b9b1e635912e6fd58997e86853cee869065a2cd3f6279c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fd

Filesize
42KB

MD5
b3ca851e168818ff8450314e6fed2968

SHA1
a9bf1c851eef9158cdb4b6987808dcaa33034352

SHA256
4c3d76f9d0390379547c31e8517cf2fe74d447dabda131c7fab4c29245937015

SHA512
8276cb94e50d5358f644a29f9aa1f76483c7ca18478a94dcc2661d6a7bf09036ddae62944140675410e9b0196c18e075cbd6e79f5462059752b5cd5748cd9970

Download Submit
C:\Users\Admin\AppData\Local\Temp\Interventions

Filesize
90KB

MD5
90664ee1f0311ea4c16146c0741e5c06

SHA1
b84d4a782e17197ee5b5e9e333e19756e482b519

SHA256
8b6ee4aae9b8c528657689f00932e65d170d1cf38e89fd99653c5f0b5f3c30dd

SHA512
f9e2bf56941907851f6450db8d87bb79a3875572969dd2784a7b6f9d0bdfc8edb73c77becf07650a6cb75e1daa66d082793408456fd4ef888a0e4bc168519052

Download Submit
C:\Users\Admin\AppData\Local\Temp\Memory

Filesize
59KB

MD5
c2c6e73e58dfe140db7465e1cbf07a56

SHA1
3171eb90b1f9fcdb95f1711496420a4477683afe

SHA256
7e45f9fc3e558a1052f2a6f59d91265bb87e7290d8cd3c12f7dce897e248e689

SHA512
c35dc59646bf6a14a952bd429079852b7f74581f78019bd701a000a2b84a83c07d2d513402ceb629afec7f0fab72c3ece6d293b0eab62b1bbd380712f9cb8edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar288C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Translator

Filesize
91KB

MD5
edb4fc11b218e0961155992771522539

SHA1
60a42b2fa26b0c664a563f244d651c58e0534190

SHA256
dd64fc322389b62f949b62c3cdf9d574af9215bbe60d14cd46baddc1868b104e

SHA512
011cfde5d4efa2a197e9536c6922196d09338a0eee9f9d270c87d797a385bf490dd5b4d2c85dd3094aecc9f002a28deff1b320145f6b85ffd9fab4b32c0b4e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wellington

Filesize
66KB

MD5
a2c617da128f578f9b4577aef6f67eda

SHA1
faf6234ad8a40e1d11150fe3d1fc6b23e70d69c7

SHA256
f16b7fcb6542be789f362662ef44658f32fc200ec39c62b3a475f34df7c27d9f

SHA512
f2da355adefd6cbc5768de284f45b0d56a5b02bf479113519fae8cfa2ed7ec3148bc8766670b3ca0bef3250091699d8968821dce9918fded2f1f67c90c1b38b9

Download Submit
\Users\Admin\AppData\Local\Temp\485418\Sentence.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/1376-29-0x0000000000130000-0x0000000000193000-memory.dmp

Filesize
396KB

Download
memory/1376-30-0x0000000000130000-0x0000000000193000-memory.dmp

Filesize
396KB

Download
memory/1376-31-0x0000000000130000-0x0000000000193000-memory.dmp

Filesize
396KB

Download