lumma | 5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf

Resubmissions

18-11-2024 08:55

241118-kvmq8asgph 10

18-11-2024 08:52

241118-ks1kasspaz 10

18-11-2024 08:25

241118-kbbvlsshjr 10

Analysis

max time kernel
419s
max time network
423s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
Size

10.0MB
MD5

3f743b632a0a52e5d8ba262c13134b17
SHA1

3a0938ca3cccf15af99258c070620e5809a8eaa8
SHA256

5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf
SHA512

60813c38db484fa365da3fe37f86a49d3e671e7f9fedcd8082696cf7160a171b5ecb5fd7ee0a76577ae585f3481a1866607a919a2a3efd80553bab9356e17326
SSDEEP

24576:q2T2ETkozkFJ22KXLyGPMK2p/2lYRfKDgJ4tfG2i5:b2ETuFJVCLJGpOlYRiUJ4U2i5

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe

Executes dropped EXE 1 IoCs

pid	Process
4404	Puts.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
404	tasklist.exe
1892	tasklist.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ProvideGuatemala	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\OffensiveWeights	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\AxisNewspaper	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\BabiesAllied	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\JoinedDiscussing	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\DamSpringer	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\ExcellentVi	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
File opened for modification	C:\Windows\FijiPosting	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Puts.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4404	Puts.com
4404	Puts.com
4404	Puts.com
4404	Puts.com
4404	Puts.com
4404	Puts.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	tasklist.exe
Token: SeDebugPrivilege	1892	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4404	Puts.com
4404	Puts.com
4404	Puts.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4404	Puts.com
4404	Puts.com
4404	Puts.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 548	5048	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe	85
PID 5048 wrote to memory of 548	5048	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe	85
PID 5048 wrote to memory of 548	5048	5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe	85
PID 548 wrote to memory of 404	548	cmd.exe	88
PID 548 wrote to memory of 404	548	cmd.exe	88
PID 548 wrote to memory of 404	548	cmd.exe	88
PID 548 wrote to memory of 3384	548	cmd.exe	89
PID 548 wrote to memory of 3384	548	cmd.exe	89
PID 548 wrote to memory of 3384	548	cmd.exe	89
PID 548 wrote to memory of 1892	548	cmd.exe	94
PID 548 wrote to memory of 1892	548	cmd.exe	94
PID 548 wrote to memory of 1892	548	cmd.exe	94
PID 548 wrote to memory of 1820	548	cmd.exe	95
PID 548 wrote to memory of 1820	548	cmd.exe	95
PID 548 wrote to memory of 1820	548	cmd.exe	95
PID 548 wrote to memory of 3572	548	cmd.exe	96
PID 548 wrote to memory of 3572	548	cmd.exe	96
PID 548 wrote to memory of 3572	548	cmd.exe	96
PID 548 wrote to memory of 3004	548	cmd.exe	97
PID 548 wrote to memory of 3004	548	cmd.exe	97
PID 548 wrote to memory of 3004	548	cmd.exe	97
PID 548 wrote to memory of 4088	548	cmd.exe	99
PID 548 wrote to memory of 4088	548	cmd.exe	99
PID 548 wrote to memory of 4088	548	cmd.exe	99
PID 548 wrote to memory of 4404	548	cmd.exe	100
PID 548 wrote to memory of 4404	548	cmd.exe	100
PID 548 wrote to memory of 4404	548	cmd.exe	100
PID 548 wrote to memory of 2936	548	cmd.exe	101
PID 548 wrote to memory of 2936	548	cmd.exe	101
PID 548 wrote to memory of 2936	548	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe
"C:\Users\Admin\AppData\Local\Temp\5553e4e355ee0dade1223c455c8232a49a1b53d7f55bfcd27f6aeaff166f67bf.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Battle Battle.cmd & Battle.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3384
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 701961
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "CigaretteSmallPlatesCalgary" Tits
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Relationship + ..\Playing + ..\Closely + ..\Reducing + ..\Inventory + ..\Kingdom + ..\Suppose j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\701961\Puts.com
    Puts.com j
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4404
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\701961\Puts.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\701961\j

Filesize
505KB

MD5
b4e6782b85bd29593dc52c87c0c00312

SHA1
784b595ba81bdb9093ca3c3228188ecac613defd

SHA256
f11bfa5482beda3c3e7c4a86797e8c2be7d640d7fba4b469f90962cc0a64d4b3

SHA512
d769498c6bb62929584cc74549c1d1abc77a1b0dff0468a00742f74a1615354ac0cc2fb2c9237635ffea53072d793b2c6133359f01c78988924959e734036eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Battle

Filesize
11KB

MD5
b468e489f7478dd1ab553f2a8ac7dd9b

SHA1
4ac8e9cf88787f01255e349620a55a7bcfc7fc35

SHA256
507cda0b4a35a655c4396515401f7cc68ed71dcea35139840ee841f3d4fb3b07

SHA512
5d926cb49a7b8e3e57f392d64df2b684ab9602379493ee3976adbe24eb30a87e2fea74e2c8e21edae7a7dd3483ae9c6ae788dc3889d22dfd7a51e29e632591d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Closely

Filesize
60KB

MD5
fa2e55cf1a770c71e719d461d4387eb9

SHA1
cc65f46982d93a1e629cbc1c9ad968940b2bdd74

SHA256
e806c729c9e72295a20290418a5d9a3da99545b71e8da2fb7567346a19a52d8f

SHA512
1fd4ab24f80a4cfbf8343e0f0af055f03151eff43fe3b9081650becbc2a3b276f9fa083b54ca5c9dc306f511e12cc48117e3d462fa22986dff79c36bf38b9823

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inventory

Filesize
73KB

MD5
dc2906aae8abf4e2e1541ed078112ada

SHA1
9538d56fbd8acb57f62437f68019ac6055a40e4d

SHA256
7cf33fd97326f3caac0c005d6c17cad3bee8588de8f92f9731a3846cb1475002

SHA512
f977c0380ddec015a4c0349b8fc0883e8c77236e46d91cea9bd447bed665fcb6582b3372986735af85bda5680fa8f60a8c00c1ec3ddd827c466aeeaabd072606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kingdom

Filesize
94KB

MD5
87deb0e74bc8fd2ae4ac39fad86f7544

SHA1
d465935d4eb28029f61e5dbcf98b85416a51ecd3

SHA256
9215ec62bc6473f16955e39b4b36016e80604853a3f3af2e2c26338673ea3f0b

SHA512
a5fe490f74316be7f8df51ff7fe01bc9ee97de0b574c8a0a9550e9761729ee21f8e0f0acd16b26b7c2ff5cb7d7cfc5040a366886958d94ac645252cf609371a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Playing

Filesize
68KB

MD5
9847bfc360fdae334c6f1ca9c50be501

SHA1
600323c36f2e0adf7c555f89e892eb1059a031fb

SHA256
e51ad11ab6dd79fef226fe7eb61e8f749a46b33d1212bf1c5ea76c5e4cc927cb

SHA512
1259219261256fa9012a300f7a4667ab4c0e2bc57d56232e4ba83c06b9caf6500f7d4a3fcf312e1b78a2cb3d1803899dc0c5f3f97116a42c12b3c1cfb14ba0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reducing

Filesize
70KB

MD5
3444cab11b6809cbe675b9f64828a65c

SHA1
615cf824d3cbd00be15d1f085c5b3fd6bc0422ff

SHA256
0050c8566416fd7bd6f45abc6d053bf2ff9fb45bfd1141a7a0b1b047b860cd94

SHA512
98a09564f42220a3a0ad55348efd92c92ba97bc1451eb675df1fd413a6aff90e9d8c7f2dbc349fe1ee560ed0bb30ffb1e79a20806b67e18960f9d68f2a6aa1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relationship

Filesize
87KB

MD5
93bf8c8b82622a4045265138bb4c51ae

SHA1
6b5da660e66aca669d203c6b522affc3a06f0347

SHA256
5f5c51d9a18aa81535e2f71cc681f8012369048f4886d45da3783beb5215db71

SHA512
371b4d3a76405e5553d9b9a56acc7d636161fb93274e08a64a953c411f3e039390ff5235af7e9df3fef2c73c3375800d04662313eba5c0589027cb49a0addde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solution

Filesize
921KB

MD5
663fd2c0ede6b605cf51cdbf708d064b

SHA1
90007034ac17cd96d381d67446c9a1d52d3b53f2

SHA256
6916f08c938585b6151bc98997ff230d146a9f1013f8f5a22346ad908b062ee9

SHA512
d3ec0d440474110bc5b87505135e96e7ef5fc198b3df50c24bf9d48b56c7587be0ccdfd117bff9ad4cfecfee68a7041e250eac5e9179cc178e281e3f87ba97ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suppose

Filesize
53KB

MD5
81a6d18b69f315fe47286a6d8c270a05

SHA1
727a37e936e503afc7bf19b209e641aebd423fd6

SHA256
f47e3e89169a13f01ad4899328b8b3e8cc746028631fdf3d2fec816a612754d7

SHA512
a7055c1871c5c1e371daf0bbb6971dff273c546989cf5bb748078fc3a84449f1b8fbba81c6d30e969985d40e168158d71c80c195f4f0326c0bac501f4a223ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tits

Filesize
263B

MD5
57d598bb11c33379fe385dff81c08519

SHA1
f6253eb3026c6c6c877e896b6baeaf52ad89256f

SHA256
3714555df8f9ad0598bb38e64eb6f1164fa242d8efbf541373bbeed392bc4e6e

SHA512
c73ef7e89c5bca387d0795bbb58547222e59af48aafc12a9f0c7757107ac0e7c4df5f41dc0bf91136984f826d7916bdcb3132b3a06c85231edec5a55ec327575

Download Submit
memory/4404-277-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download
memory/4404-279-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download
memory/4404-278-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download
memory/4404-281-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download
memory/4404-282-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download
memory/4404-280-0x0000000004750000-0x00000000047AF000-memory.dmp

Filesize
380KB

Download