lumma | 3f4b288335a86c908e015d254715d6fb9838f729e13aa3c06e53792ddaf59cad

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sample/Setup.exe
Size

1.2MB
MD5

b84dfabe933d1160f624693d94779ce5
SHA1

ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f
SHA256

588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd
SHA512

eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e
SSDEEP

12288:RWiPQmboElHjsxc93LwnfXlP0CT7T4ir7XFXTqlj02F:5Qrat3knTvT4yDpqlj/F

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 11 IoCs

Processes:

msiexec.exe

flow	pid	process
22	792	msiexec.exe
25	792	msiexec.exe
28	792	msiexec.exe
30	792	msiexec.exe
32	792	msiexec.exe
37	792	msiexec.exe
45	792	msiexec.exe
51	792	msiexec.exe
58	792	msiexec.exe
60	792	msiexec.exe
63	792	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 4040 set thread context of 2716 4040 Setup.exe more.com

description	pid	process	target process
PID 4040 set thread context of 2716	4040	Setup.exe	more.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.exemore.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid process

4040 Setup.exe
4040 Setup.exe
2716 more.com
2716 more.com
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid process

4040 Setup.exe
2716 more.com

pid	process
4040	Setup.exe
4040	Setup.exe
2716	more.com
2716	more.com

pid	process
4040	Setup.exe
2716	more.com

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exemore.com

description	pid	process	target process
PID 4040 wrote to memory of 2716	4040	Setup.exe	more.com
PID 4040 wrote to memory of 2716	4040	Setup.exe	more.com
PID 4040 wrote to memory of 2716	4040	Setup.exe	more.com
PID 4040 wrote to memory of 2716	4040	Setup.exe	more.com
PID 2716 wrote to memory of 792	2716	more.com	msiexec.exe
PID 2716 wrote to memory of 792	2716	more.com	msiexec.exe
PID 2716 wrote to memory of 792	2716	more.com	msiexec.exe
PID 2716 wrote to memory of 792	2716	more.com	msiexec.exe
PID 2716 wrote to memory of 792	2716	more.com	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Sample\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Sample\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4a3c820e

Filesize
1.0MB

MD5
1a6bf790e88b52afee8e0d698d434401

SHA1
c44a361560925055878196614d6c214c74b358e5

SHA256
4a06c04dab39cb72eb18a53eae6d5ffffc2e4715d62de7dddb94fd3d78a2f784

SHA512
756842543690a2ce008e847d0c483fd7fa604ad163b34cdb87afb42205cdf6b9de7684369d108d5dfd664d92b13634cdc312292216b8eb612427428aa0034b0c

Download Submit
memory/792-27-0x0000000000FD0000-0x000000000102B000-memory.dmp

Filesize
364KB

Download
memory/792-28-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/792-26-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

Filesize
2.0MB

Download
memory/2716-21-0x00000000769F0000-0x0000000076FA3000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

Filesize
2.0MB

Download
memory/2716-20-0x00000000769FE000-0x0000000076A00000-memory.dmp

Filesize
8KB

Download
memory/2716-19-0x00000000769F0000-0x0000000076FA3000-memory.dmp

Filesize
5.7MB

Download
memory/2716-25-0x00000000769F0000-0x0000000076FA3000-memory.dmp

Filesize
5.7MB

Download
memory/4040-15-0x00007FFCE3030000-0x00007FFCE376F000-memory.dmp

Filesize
7.2MB

Download
memory/4040-0-0x00007FFCC6390000-0x00007FFCC68DE000-memory.dmp

Filesize
5.3MB

Download
memory/4040-14-0x00007FFCE3030000-0x00007FFCE376F000-memory.dmp

Filesize
7.2MB

Download
memory/4040-13-0x00007FFCE3049000-0x00007FFCE304A000-memory.dmp

Filesize
4KB

Download
memory/4040-1-0x00007FFCE3030000-0x00007FFCE376F000-memory.dmp

Filesize
7.2MB

Download