lumma | 3d36c412f3e9bd9983629b45cc34dc5ac1d48cec7232a3d8ace19ae1181f7649

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RomanticCopyright.exe
Size

10.0MB
MD5

a737e94c53a284ae8c712eb7b2a2d209
SHA1

a5d4113415f38413b5bcc2698e4aaf573cf8217c
SHA256

677b2f7ea578826adb9c0f359c6436c364f712803080b38d81ecc1f25e5b97f5
SHA512

ab87ef25549d4860269015d279aaf90a35bfd4c26457271a84cacf64c0a0c97d0e4c435136fb9defd2c64307d1bc1e9596ee278c868e101f6a2c657f87bd80b6
SSDEEP

24576:AoN7JofAGrqyy7IyDCaNg9L+HlH8Zlna1bQ1SD:nBJ+AEty7IyOD9L+FUnv1I

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://processhol.sbs/api

https://p10tgrace.sbs/api

https://peepburry828.sbs/api

https://3xp3cts1aim.sbs/api

https://p3ar11fter.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RomanticCopyright.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	RomanticCopyright.exe

Executes dropped EXE 1 IoCs

Processes:

Dept.com

pid process

4048 Dept.com
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

624 tasklist.exe
1812 tasklist.exe

pid	process
4048	Dept.com

pid	process
624	tasklist.exe
1812	tasklist.exe

Drops file in Windows directory 8 IoCs

Processes:

RomanticCopyright.exe

description	ioc	process
File opened for modification	C:\Windows\RecordedHeld	RomanticCopyright.exe
File opened for modification	C:\Windows\ColdRecycling	RomanticCopyright.exe
File opened for modification	C:\Windows\PleaseBehavioral	RomanticCopyright.exe
File opened for modification	C:\Windows\ScenesConnecting	RomanticCopyright.exe
File opened for modification	C:\Windows\IncidentsAerospace	RomanticCopyright.exe
File opened for modification	C:\Windows\AssessmentsArmed	RomanticCopyright.exe
File opened for modification	C:\Windows\FarRegistered	RomanticCopyright.exe
File opened for modification	C:\Windows\InsertedHe	RomanticCopyright.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RomanticCopyright.exeDept.comchoice.execmd.exefindstr.exetasklist.exefindstr.exetasklist.execmd.exefindstr.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RomanticCopyright.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dept.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Dept.com

pid process

4048 Dept.com
4048 Dept.com
4048 Dept.com
4048 Dept.com
4048 Dept.com
4048 Dept.com
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 624 tasklist.exe
Token: SeDebugPrivilege 1812 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Dept.com

pid process

4048 Dept.com
4048 Dept.com
4048 Dept.com
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Dept.com

pid process

4048 Dept.com
4048 Dept.com
4048 Dept.com

pid	process
4048	Dept.com
4048	Dept.com
4048	Dept.com
4048	Dept.com
4048	Dept.com
4048	Dept.com

description	pid	process
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	1812	tasklist.exe

pid	process
4048	Dept.com
4048	Dept.com
4048	Dept.com

pid	process
4048	Dept.com
4048	Dept.com
4048	Dept.com

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

RomanticCopyright.execmd.exe

description	pid	process	target process
PID 2992 wrote to memory of 440	2992	RomanticCopyright.exe	cmd.exe
PID 2992 wrote to memory of 440	2992	RomanticCopyright.exe	cmd.exe
PID 2992 wrote to memory of 440	2992	RomanticCopyright.exe	cmd.exe
PID 440 wrote to memory of 624	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 624	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 624	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 1448	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 1448	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 1448	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 1812	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 1812	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 1812	440	cmd.exe	tasklist.exe
PID 440 wrote to memory of 3988	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 3988	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 3988	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 4748	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 4748	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 4748	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 860	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 860	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 860	440	cmd.exe	findstr.exe
PID 440 wrote to memory of 2792	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 2792	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 2792	440	cmd.exe	cmd.exe
PID 440 wrote to memory of 4048	440	cmd.exe	Dept.com
PID 440 wrote to memory of 4048	440	cmd.exe	Dept.com
PID 440 wrote to memory of 4048	440	cmd.exe	Dept.com
PID 440 wrote to memory of 2752	440	cmd.exe	choice.exe
PID 440 wrote to memory of 2752	440	cmd.exe	choice.exe
PID 440 wrote to memory of 2752	440	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\RomanticCopyright.exe
"C:\Users\Admin\AppData\Local\Temp\RomanticCopyright.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Uni Uni.cmd & Uni.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1448
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 796989
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "SigConsumptionDisciplinesSong" Envelope
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Wan + ..\Module + ..\Is + ..\Read + ..\Bibliography + ..\Match + ..\Qld I
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\796989\Dept.com
    Dept.com I
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4048
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\796989\Dept.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\796989\I

Filesize
489KB

MD5
35431b1f719e5f8edd3ee4c56d590bc9

SHA1
c4667dc8990f03e9d3410e636957d5e9c73773c7

SHA256
427536f6a144672b8c5cd873d89c0374dab2c6383256347eef80b291729b99b0

SHA512
358ea29b484c7e7d493fec6270a7d3a6147852ba68f1c1f5fd9dc277e65dc24239b3718fb1ca986f354b5ebc954dae51f1e478db9d034a6f3417f6564d967fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bibliography

Filesize
91KB

MD5
0124e182e6ab32c597551f987c8efc9e

SHA1
5b1504b161a4748cfdff1463b4a370b7ee6caf14

SHA256
6484dd9a145b3178a2534dd802441a7b8d08a679c3241c11395c22bfa6ba6826

SHA512
70e76a19d9f3382e14463e9f79dee0db404482e714f1ca9b0330ad144c055b6c6464d9be6bbb94e7e05048925b8f2dd1049276b4982722b7e8a2d8fe7e2dd010

Download Submit
C:\Users\Admin\AppData\Local\Temp\Envelope

Filesize
1KB

MD5
930b977ce8cf5c68e617c0cc083b6915

SHA1
07ab167616b479dd68ea9cfdad2c51d180757596

SHA256
cd56fdf1345808d2c8d7a099dabc0d8667581b2888fa973eba477509f7875f3e

SHA512
a823ba03f129037c1feb58f7f5408070f512dc0d4044cbaa5aa28295a1e7d952b4172119a1609c271273e8b31ec6aed5d4b3a570cfc5bbc3846821eb1f791814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Is

Filesize
56KB

MD5
84df1af81b44c0e9ac087f6b724dbfe1

SHA1
c2604b423fa3a1dfd0d41fd05364f390db94e0f0

SHA256
649f01b11633d4f45165010db7e1150d9ddf533fb2906cc7f26ebf4d3807d2c4

SHA512
b69aca208184bac03392a91a04cb737772576a2e29ad8a9549d1917c88e86d2fe12e22d9d1a9d01dd08eb1fefa27c13c26a14c41a0551e75dc72f3d64ce97403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Match

Filesize
81KB

MD5
cce2e35fcd13802b894592bfa8bc4832

SHA1
e4b2ebbcea783891bae927d45a5d20a99b0d2c57

SHA256
49c9f0a08d446ac52e26ec0a79578d6e8cd0363adce44af727c537c2c127f278

SHA512
1f2ac58895ebf1a4c3989a5d76ffac39012fe511030508bfef1c164e0d8301f5f7ce2b87381604b1fa1a0443b5f6ca59948061f7a2f7634d6cdfa0880dc33798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Module

Filesize
86KB

MD5
c3a23aa50702baadcffdb632c0781eaf

SHA1
26adb4b06851eb66a2fc3a4b2dc29055e6291e91

SHA256
e27aec3fc7086af2906fbf8d5a1a17e3f6871651f2663f8e5a3f5b44dd1e7d61

SHA512
545aefc06ba554d32183d8e96f3eafc6204e609d95c4bc8e8bbede315ccc78605d916533fabe995dd9e50b3a0ea63d12e64445e3346dafe24267281b8ca23284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qld

Filesize
39KB

MD5
47b8c8360718381beb75b78cad9989d4

SHA1
b1c9ed94b846670c0fbb0322b607b3e5affce120

SHA256
0d7c733985efc3042c41b2b26c32b7b8ce65ff9071ebdd872c3d0520a18351ed

SHA512
724d7030e1fab1adc5a9798e18cf75c11159cce1e57ab493a4595bdb14b68129c46a518616c427131963a7fd06e741965faca545fc5f007ab120cf28c1fe4d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Read

Filesize
62KB

MD5
b09b69ffbbb1c92beb55c7fd798c8c66

SHA1
a648e5a9721d8623dd6fca06d5295d1f07b13519

SHA256
4b54975d3405ea89c477daa9802d93b4a56683a901039d31e8eb1218deb742fa

SHA512
74d6cb22483b46a36887584c97060b16a1f8b6dcc280a8d9c7456d1c8c174b61487990af0bd7426b431ca7fde197ade2f5785784d27ab4371003feaecf2bb409

Download Submit
C:\Users\Admin\AppData\Local\Temp\Standing

Filesize
919KB

MD5
4414fe8f2635b6344106903d0f52455d

SHA1
70f135830f92733b3f0bbdfa35b1f0e36e9e5746

SHA256
578f765c46f2b2842f3455c37549326a9ea665aeedf5b86f6c3ff0be1a5f1244

SHA512
3c818c29afc91ce177db19c91026017cb567e2e6b0727ba271d66cc5c4f107661a677abc4ea5d1c281c56b3de166ed8ceaf298fa2ecb8f50a08bc1fcb6a0c91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni

Filesize
7KB

MD5
df066c1e3038ff1c556a50a0782e0de1

SHA1
ebad7031e3b7651898e3d916d0aa0cb09397d03a

SHA256
cb4ca6cf393c39f6fffab51f095518826e38d4eff4fb0f42aa1fb9a4d7ef0b3a

SHA512
649874ac78af57207d1d06059e9e5eac3814c13910d08e9325cb500434ad4cb553cdab659db3291839523d0ae636251ac925224db04ea29dde8be41e1d8cb194

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wan

Filesize
74KB

MD5
cf96668f1c4973c8b43a72d90221e4d3

SHA1
3b512b9979650f556936a5b0866387820d112745

SHA256
720160bb915923d8cf54be5d580ac5c13e67a261daf3ae65f972435dd716cd07

SHA512
1d9c6299cce257f780252fe4805836f4f27914a816ef89d81119e2553008083754bdb16f25f895f85e35ccb5daa5c5f79fcff2d203b40c5444c88f9fc76b276e

Download Submit
memory/4048-209-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download
memory/4048-211-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download
memory/4048-210-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download
memory/4048-212-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download
memory/4048-214-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download
memory/4048-213-0x0000000000200000-0x000000000025F000-memory.dmp

Filesize
380KB

Download