lumma | 89b58012161ec852f2405faa24aa9f502a89908426ee01daac75616989cfb03d

General

Target

Adobbe Photoshop (infected).zip
Size

16.1MB
MD5

eabd21ecd109e3c3c4be2bb2821e5770
SHA1

f46b2a44bd0c49b777c270e4a3fad1358b55ccbc
SHA256

89b58012161ec852f2405faa24aa9f502a89908426ee01daac75616989cfb03d
SHA512

65cc387534a330a4912bd929f1972114219edea715b9603bddf575b6f7a8f8f9b4022b0bcbed6a02e4603decf1e41d7a6a1bdf79b42e129d3c93ea81fe0adb38
SSDEEP

393216:e2o/wXL0ByxAW8Oc11akI6LNyLPX7WcfKQIxx1RWfoy1naXf4m:eRwXoBQALV1aX2y7ycfKQIOFCf4m

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://conceptionnyi.sbs

https://platformcati.sbs

https://nervepianoyo.sbs

https://qualifielgalt.sbs

https://smashygally.sbs

https://fightyglobo.sbs

https://modellydivi.sbs

https://pioneeruyj.sbs

https://explorationmsn.store

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
3828	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3828	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 3140	3828	Setup.exe	101

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1528	3140	WerFault.exe	101
4980	3140	WerFault.exe	101
3672	3140	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1080	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1080	7zFM.exe
Token: 35	1080	7zFM.exe
Token: SeSecurityPrivilege	1080	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1080	7zFM.exe
1080	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101
PID 3828 wrote to memory of 3140	3828	Setup.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Adobbe Photoshop (infected).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4332

C:\Users\Admin\Desktop\Adobbe Photoshop\Setup.exe
"C:\Users\Admin\Desktop\Adobbe Photoshop\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1260
    3⤵
    - Program crash
    PID:1528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1092
    3⤵
    - Program crash
    PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1092
    3⤵
    - Program crash
    PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3140 -ip 3140
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3140 -ip 3140
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3140 -ip 3140
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
579KB

MD5
84d2fc5983ee399af5c25e032b642a56

SHA1
3fa1f59c123125d95db924e65dc1dedd3963ad0b

SHA256
e71f8872727a71abb5d2693aca9eb13ce22a2c026d00200a2d9ae9db1aeb4e51

SHA512
e36f88b09fe70fa0311b84bc8dcb6c560469683a6936034df3d1553990b4113cda55ffa06e84dd8eed5928990776b9a664c357c1e1c45d06f78721b042cebb43

Download Submit
C:\Users\Admin\Desktop\Adobbe Photoshop\Setup.exe

Filesize
1.5MB

MD5
8eb69d162817c8e33322ee74b64cc5b6

SHA1
bec92eaab975013af8c680b93e2c97b4c7ef2a16

SHA256
dcc89e557b12193a92fcc83c34944351c74c721d2d76c8c78690aacf1271a56b

SHA512
b07e2cbf1ee9e4d26af306fa1cb6e533633c524c0c6c9da87ab232cdd6a1a7f3cb8b4dd4baf9b90fc907f0b9a267fa88febfd7409873bafdb7ab822716aaf7c7

Download Submit
memory/3140-100-0x00000000011B0000-0x000000000121C000-memory.dmp

Filesize
432KB

Download
memory/3140-105-0x00000000011B0000-0x000000000121C000-memory.dmp

Filesize
432KB

Download
memory/3140-108-0x00000000011B0000-0x000000000121C000-memory.dmp

Filesize
432KB

Download
memory/3828-92-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3828-93-0x0000000000EA0000-0x000000000102C000-memory.dmp

Filesize
1.5MB

Download
memory/3828-109-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/3828-110-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing