lumma | 7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

General

Target

XWorm-5.6-main (1).zip
Size

25.1MB
MD5

95c1c4a3673071e05814af8b2a138be4
SHA1

4c08b79195e0ff13b63cfb0e815a09dc426ac340
SHA256

7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27
SHA512

339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd
SSDEEP

786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
2476	Xworm V5.6.exe
2744	Xworm V5.6.exe
4552	XwormLoader.exe
1824	Xworm V5.6.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3744	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3744	7zFM.exe
Token: 35	3744	7zFM.exe
Token: SeSecurityPrivilege	3744	7zFM.exe
Token: SeSecurityPrivilege	3744	7zFM.exe
Token: SeSecurityPrivilege	3744	7zFM.exe
Token: SeSecurityPrivilege	3744	7zFM.exe
Token: SeSecurityPrivilege	3744	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe
3744	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2476	3744	7zFM.exe	95
PID 3744 wrote to memory of 2476	3744	7zFM.exe	95
PID 3744 wrote to memory of 2744	3744	7zFM.exe	102
PID 3744 wrote to memory of 2744	3744	7zFM.exe	102
PID 3744 wrote to memory of 4552	3744	7zFM.exe	105
PID 3744 wrote to memory of 4552	3744	7zFM.exe	105
PID 3744 wrote to memory of 4552	3744	7zFM.exe	105
PID 3744 wrote to memory of 1824	3744	7zFM.exe	107
PID 3744 wrote to memory of 1824	3744	7zFM.exe	107

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main (1).zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\7zO0AEEB418\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0AEEB418\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\7zO0AE631B8\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0AE631B8\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\7zO0AEA6B98\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0AEA6B98\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\7zO0AEC11F8\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0AEC11F8\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0AEA6B98\XwormLoader.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0AEEB418\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
memory/2476-256-0x00007FFB3F953000-0x00007FFB3F955000-memory.dmp

Filesize
8KB

Download
memory/2476-257-0x00000294EFC70000-0x00000294F0B58000-memory.dmp

Filesize
14.9MB

Download
memory/2476-258-0x00007FFB3F950000-0x00007FFB40411000-memory.dmp

Filesize
10.8MB

Download
memory/2476-259-0x00007FFB3F950000-0x00007FFB40411000-memory.dmp

Filesize
10.8MB

Download
memory/4552-281-0x0000000000370000-0x00000000003BB000-memory.dmp

Filesize
300KB

Download
memory/4552-286-0x0000000000370000-0x00000000003BB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing