lumma | 5f73dab125efbe100426f39621d5fdedb343a1d912f88ed322ed04a66daab473

Resubmissions

08-11-2024 01:13

241108-blevks1lgs 10

08-11-2024 00:57

241108-ba4dsstqfn 10

07-11-2024 19:15

241107-xypq7sznbk 7

Analysis

max time kernel
77s
max time network
77s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-it
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-itlocale:it-itos:windows10-ltsc 2021-x64systemwindows
submitted
08-11-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected.zip
Size

31.2MB
MD5

f3086b596f50e215a706559d5ec8cbc8
SHA1

afa5c27fbc93d1398d00324de3ac467ae377bc6e
SHA256

5f73dab125efbe100426f39621d5fdedb343a1d912f88ed322ed04a66daab473
SHA512

d5141566392f7089da4db9940d0ec86d236dfb68dbf05f9377797df0d9ae2b447cffe75fe0d32be402e6f3af57aff677e9ae604a63b839afd62f362a9c687016
SSDEEP

786432:qHjbJsO6eSFdZUDAea6ebsP+DPdIfpCdFD5ojjBW7PQbB:GjCRVFrDeqbsPCdIfpCnDWMbQF

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://seallysl.site/api

https://opposezmny.site/api

https://goalyfeastz.site/api

https://contemteny.site/api

https://dilemmadu.site/api

https://faulteyotk.site/api

https://authorisev.site/api

https://servicedny.site/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

Processes:

Setup.exenc.exe

pid	Process
3788	Setup.exe
3728	nc.exe

Loads dropped DLL 8 IoCs

Processes:

Setup.exeAutoIt3.exe

pid	Process
3788	Setup.exe
3788	Setup.exe
3788	Setup.exe
3788	Setup.exe
3788	Setup.exe
3788	Setup.exe
3788	Setup.exe
1908	AutoIt3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 3788 set thread context of 988	3788	Setup.exe	97

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.comAutoIt3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe

Modifies registry class 1 IoCs

Processes:

7zFM.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
3788	Setup.exe
3788	Setup.exe
988	more.com
988	more.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4060	7zFM.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid	Process
3788	Setup.exe
988	more.com

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zFM.exe7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	3004	7zFM.exe
Token: 35	3004	7zFM.exe
Token: SeSecurityPrivilege	3004	7zFM.exe
Token: SeRestorePrivilege	4060	7zFM.exe
Token: 35	4060	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe7zFM.exe

pid	Process
3004	7zFM.exe
3004	7zFM.exe
4060	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Setup.exemore.com

description	pid	Process	procid_target
PID 3788 wrote to memory of 3728	3788	Setup.exe	96
PID 3788 wrote to memory of 3728	3788	Setup.exe	96
PID 3788 wrote to memory of 988	3788	Setup.exe	97
PID 3788 wrote to memory of 988	3788	Setup.exe	97
PID 3788 wrote to memory of 988	3788	Setup.exe	97
PID 3788 wrote to memory of 988	3788	Setup.exe	97
PID 988 wrote to memory of 1908	988	more.com	100
PID 988 wrote to memory of 1908	988	more.com	100
PID 988 wrote to memory of 1908	988	more.com	100
PID 988 wrote to memory of 1908	988	more.com	100
PID 988 wrote to memory of 1908	988	more.com	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\infected.zip"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5016

C:\Users\Admin\Desktop\infected\Setup.exe
"C:\Users\Admin\Desktop\infected\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Roaming\DJGB\OODYONNRYTG\nc.exe
  C:\Users\Admin\AppData\Roaming\DJGB\OODYONNRYTG\nc.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1908

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\infected\Setup.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd9f71a6

Filesize
2.3MB

MD5
b831c75b1427da3f7bced3b5ca5d91f6

SHA1
8f24a1920f0f2100830677df13c60ba885f0c308

SHA256
a0a703b5c2870f5024c199de0d50dcf2b639ba38be5c23005a139c184061d787

SHA512
b1f0118aef723857d7e7785b3176127d45d6ff8ca4951d50b4d6719c05d41fa6e8831198f9d059324f69006b3f17ba412c9ae637755ced6a9e74b99e700f6d44

Download Submit
C:\Users\Admin\AppData\Roaming\DJGB\OODYONNRYTG\nc.exe

Filesize
285KB

MD5
7fb44c5bca4226d8aab7398e836807a2

SHA1
47128e4f8afabfde5037ed0fcaba8752c528ff52

SHA256
a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef

SHA512
f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab

Download Submit
C:\Users\Admin\Desktop\infected\MSVCP100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Users\Admin\Desktop\infected\QtCore4.dll

Filesize
2.5MB

MD5
fecc62a37d37d9759e6b02041728aa23

SHA1
0c5f646caef7a6e9073d58ed698f6cfbfb2883a3

SHA256
94c1395153d7758900979351e633ab68d22ae9b306ef8e253b712a1aab54c805

SHA512
698f90f1248dacbd4bdc49045a4e80972783d9dcec120d187abd08f5ef03224b511f7870320938b7e8be049c243ffb1c450c847429434ef2e2c09288cb9286a6

Download Submit
C:\Users\Admin\Desktop\infected\QtGui4.dll

Filesize
8.2MB

MD5
831ba3a8c9d9916bdf82e07a3e8338cc

SHA1
6c89fd258937427d14d5042736fdfccd0049f042

SHA256
d2c8c8b6cc783e4c00a5ef3365457d776dfc1205a346b676915e39d434f5a52d

SHA512
beda57851e0e3781ece1d0ee53a3f86c52ba99cb045943227b6c8fc1848a452269f2768bf4c661e27ddfbe436df82cfd1de54706d814f81797a13fefec4602c5

Download Submit
C:\Users\Admin\Desktop\infected\QtNetwork4.dll

Filesize
1.0MB

MD5
8a2e025fd3ddd56c8e4f63416e46e2ec

SHA1
5f58feb11e84aa41d5548f5a30fc758221e9dd64

SHA256
52ae07d1d6a467283055a3512d655b6a43a42767024e57279784701206d97003

SHA512
8e3a449163e775dc000e9674bca81ffabc7fecd9278da5a40659620cfc9cc07f50cc29341e74176fe10717b2a12ea3d5148d1ffc906bc809b1cd5c8c59de7ba1

Download Submit
C:\Users\Admin\Desktop\infected\QtWebKit4.dll

Filesize
12.5MB

MD5
094f4248b13cc9890c3d9984d9cf4753

SHA1
fd56012de8499b6a4d37f4a011e352c096a564b5

SHA256
e22b92470da89cb30ff0d57a177e429a7a6b49ada3ad1f351546ff77783126b7

SHA512
c6d93720ed384301247dd961c8d3cd2f8663416039063f404c507c95d4fafbb7f4b1a4982e096b9c43b0fdc3d6d2faa2565397cd96072ce9a6e74910a91e326c

Download Submit
C:\Users\Admin\Desktop\infected\Setup.exe

Filesize
80KB

MD5
2a8613b7d99903516b8fe02fd820bf52

SHA1
78a96addcb556ab1d490fac80f929305263d06b9

SHA256
f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407

SHA512
af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436

Download Submit
C:\Users\Admin\Desktop\infected\dsngvls

Filesize
1.6MB

MD5
98a00db9b31d4cf6ace08e0eb4925e5f

SHA1
d8aa1d8e0d8ea19ec7e6dc86e56988cd9e1abc52

SHA256
aa7908817b249bca8e364bbc6e11732dab1270e97b17855002f3251c54e7de5c

SHA512
aef598d7fcbd2bff4469b0a6603fd1d9f670ae7de29c0690cdde69fa8fadc335c739000038c5524c0b74cff12732191aacfe9c53fdcfd8052a3ed4fb30561641

Download Submit
C:\Users\Admin\Desktop\infected\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Users\Admin\Desktop\infected\pgjs

Filesize
19KB

MD5
a3f833dd4f930631e3115a02949c8ebf

SHA1
0b216e0a51496852d7bd2eeb929d28a7980e87bd

SHA256
e2388092fb1f05fe80f3a4837f868ccc145fdf5b60e2bd042556c8a3dd2014a8

SHA512
e5e6fae414ec65d719b808b13156f79fc0f116824f7cfbbb2eea1dbfa63a917d45cff2ebb4b86a8c159e745548ee9f7338b9983897d877692b679abf61d15c34

Download Submit
memory/988-108-0x00007FFEB9150000-0x00007FFEB9348000-memory.dmp

Filesize
2.0MB

Download
memory/988-110-0x0000000073050000-0x00000000731CB000-memory.dmp

Filesize
1.5MB

Download
memory/1908-118-0x0000000000BC0000-0x0000000000C33000-memory.dmp

Filesize
460KB

Download
memory/1908-117-0x00007FFEB9150000-0x00007FFEB9348000-memory.dmp

Filesize
2.0MB

Download
memory/1908-116-0x0000000000BC0000-0x0000000000C33000-memory.dmp

Filesize
460KB

Download
memory/3728-103-0x000002E4AE360000-0x000002E4AE361000-memory.dmp

Filesize
4KB

Download
memory/3788-86-0x00007FFEB9150000-0x00007FFEB9348000-memory.dmp

Filesize
2.0MB

Download
memory/3788-104-0x0000000073050000-0x00000000731CB000-memory.dmp

Filesize
1.5MB

Download
memory/3788-88-0x0000000073050000-0x00000000731CB000-memory.dmp

Filesize
1.5MB

Download
memory/3788-85-0x0000000073050000-0x00000000731CB000-memory.dmp

Filesize
1.5MB

Download