lumma | c51b710578868212b274ca8bd0b6ab705f79d3e1dd490d4fcfe06d231b6ef7e9

Analysis

max time kernel
132s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/10/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S0laahgi/S0lara.exe
Size

371KB
MD5

0eddfde16ed6019e4c12920ebb70bcfb
SHA1

6a7397ebd83aff92ca7474f4cccca5ceb592e7fb
SHA256

4f5825e0409c1b2a42f2c1db12acbe9f8df7365e9fac7d569e0d4530d1ded2c4
SHA512

c4aaaacbb9ffeda289ed6784562b9a7ba6ed96985ab5f595cabf2e86358731f127f3bd101cdfa16249cedc92a501d2120eaf282e491623febc5dbe6af161f1ea
SSDEEP

6144:N2R5L8AYOGfl8RWwCtOJE4UkXm9iVe68112twqaZXvw6h:+LAfeRbFJE4+2e6012tUXvw6h

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Loads dropped DLL 1 IoCs

pid	Process
3912	S0lara.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 2600	3912	S0lara.exe	73

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3412	2600	WerFault.exe	73
3348	2600	WerFault.exe	73

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0lara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73
PID 3912 wrote to memory of 2600	3912	S0lara.exe	73

C:\Users\Admin\AppData\Local\Temp\S0laahgi\S0lara.exe
"C:\Users\Admin\AppData\Local\Temp\S0laahgi\S0lara.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1196
    3⤵
    - Program crash
    PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 1212
    3⤵
    - Program crash
    PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
568KB

MD5
7b70954fcea25aba0ae8c68ab82139ac

SHA1
42fcedf5321f15827624d397092ade16bfee2c39

SHA256
1b2ae36006211bd467357b4d0d7bc9400d3438e97eab18e7b454462b0fd5872f

SHA512
e691457340cbc503c2ad4a1c6d21c8e7f53a9be9204804a6c7f08e6b018abab09901c5d4ea143031b4663df58fc2c7af203ece47967bc6b4ae9d0a551099ede7

Download Submit
memory/2600-15-0x0000000000AF0000-0x0000000000B5C000-memory.dmp

Filesize
432KB

Download
memory/2600-18-0x0000000000AF0000-0x0000000000B5C000-memory.dmp

Filesize
432KB

Download
memory/2600-10-0x0000000000AF0000-0x0000000000B5C000-memory.dmp

Filesize
432KB

Download
memory/3912-0-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/3912-1-0x0000000000630000-0x0000000000696000-memory.dmp

Filesize
408KB

Download
memory/3912-2-0x0000000000F30000-0x0000000000F36000-memory.dmp

Filesize
24KB

Download
memory/3912-9-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3912-19-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download