lumma | 8f90648143c92c8780cf076b716225ce76fe07e48c10ff5d1d24ed8938791511

Analysis

max time kernel
128s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-it
resource tags

arch:x64arch:x86image:win10v2004-20241007-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
19-11-2024 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmokeySpoofer-main/SmokeySpoofer/SmokeySpoofer.exe
Size

550KB
MD5

ee6be1648866b63fd7f860fa0114f368
SHA1

42cab62fff29eb98851b33986b637514fc904f4b
SHA256

e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511
SHA512

d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a
SSDEEP

12288:SQ5vTleU6iA6AiJ/uJxZjUXUxYcuORWETWOORGzbZr4QClJJRJAr6Ok:SQ5pexaALoXe4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Loads dropped DLL 1 IoCs

Processes:

SmokeySpoofer.exe

pid process

5016 SmokeySpoofer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SmokeySpoofer.exe

description pid process target process

PID 5016 set thread context of 1268 5016 SmokeySpoofer.exe aspnet_regiis.exe

pid	process
5016	SmokeySpoofer.exe

description	pid	process	target process
PID 5016 set thread context of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SmokeySpoofer.exeaspnet_regiis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SmokeySpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1500 svchost.exe
Token: SeRestorePrivilege 1500 svchost.exe

description	pid	process
Token: SeTcbPrivilege	1500	svchost.exe
Token: SeRestorePrivilege	1500	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SmokeySpoofer.exesvchost.exe

description	pid	process	target process
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 5016 wrote to memory of 1268	5016	SmokeySpoofer.exe	aspnet_regiis.exe
PID 1500 wrote to memory of 2280	1500	svchost.exe	dashost.exe
PID 1500 wrote to memory of 2280	1500	svchost.exe	dashost.exe

C:\Users\Admin\AppData\Local\Temp\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SmokeySpoofer-main\SmokeySpoofer\SmokeySpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\system32\dashost.exe
  dashost.exe {687bff46-06de-43b8-842c3387edb1593a}
  2⤵
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
C:\Users\Admin\Desktop\CheckpointClear.docx

Filesize
422KB

MD5
93263c5d6f87aedefc7a55432dd8cb96

SHA1
758abd87ae8b29b919157a321681d3d53b2c0e9e

SHA256
6a83789a7cc1ccd9a2fc49809b863e9cc78871cec3aa402421dda7ea999d3698

SHA512
bfcb965ae6a7175ea9b54abd6e52a4b525d59c4ac6f039db4c7c748052dff4552f7c0e4c128e9b646c1d0980bc59544748b05221454f68568701f83bb36a2ea9

Download Submit
C:\Users\Admin\Desktop\CheckpointSkip.wav

Filesize
691KB

MD5
d6ac6a1c73fe5a6f526d7b5e87f9b27b

SHA1
5af59f386d893dc3e8f67943404f6be109313055

SHA256
7b2a84e55faf2344b4e65ccd40ef7729004fef42bd96a23e26f5ec6793334837

SHA512
24c599b7206b173cf2737b62ef13e2e373720b891ad602bf9a6b52bbd8b93151622689ff6d3cdd3f754c70423636d82ec774f7b343a5aed19d45a01654ec09aa

Download Submit
C:\Users\Admin\Desktop\CompareDismount.tiff

Filesize
806KB

MD5
e5c7a20ea17aaf15cff4ebd883bc7ac9

SHA1
8e94f9fdc7971ed4b1da65ee1baef51108ea5552

SHA256
d556ed5a0f73cfdca46a711ba6d398bdb61119396867424ae816a8ca8c0a3409

SHA512
1c11f02067b86c010bd4762e4462587305c5081608c67c9296b9226b3260d0b0459d32f0c2057fc8e96725daa5cba078be6e6d139a91bf217908731238233d55

Download Submit
C:\Users\Admin\Desktop\ConvertToLimit.wax

Filesize
729KB

MD5
d0fd781c7f368e36679e9b65814e731e

SHA1
7fdbe3f828bd63e54f6c0f7c22f50278f7b19fac

SHA256
3ec9ffdb09ac3c6b011b699d2cf2242d0e1caf93921d2886f7aaf83c54e82a8c

SHA512
24470378dfbdcbc90dd1b68ba605c9257d0bc9eaabec668df985e67913c1701a3790dc4021a583bc991d4890c3524c21f8870f7b2f4a399351c0cbf453cd5284

Download Submit
C:\Users\Admin\Desktop\CopyMeasure.ogg

Filesize
576KB

MD5
0c110008e96a37c30c0d08ad1b250536

SHA1
d83c8833a7e2e618a791969b77703d912b163e23

SHA256
b2da40a3f7de96e4e3d05452b229a2af738d4fe2955401ac4b2a4a93bcfb00e7

SHA512
a2f727a7c5fd9de0b4e025e8a5428ffa468a48b5be87f64ccf990ed99cb674ee94a85e0b5844bb1e620f6a379f11695ca189db82366bf296334dc9393696e926

Download Submit
C:\Users\Admin\Desktop\DenyStop.ico

Filesize
1.5MB

MD5
272e5b648b154c5ee32411e8665c1f26

SHA1
c818bfb55bbd6268fbf7503fac8cde54480a3720

SHA256
4de54b496dad7c6f424af68609efa3c2bad3d141b9eb03323529bc9af22fdba0

SHA512
45d8c69f2f7e9832a76825692ea7640017b674e65679f492c1c89e32679e24a69bf8d4f8d960f2c10bbeb2accf10acd7e27ac0783f4f8a2637f6e450a50c9f55

Download Submit
C:\Users\Admin\Desktop\DisableSubmit.avi

Filesize
460KB

MD5
60ddc8ab32a3a5009afa23dbd82fbb01

SHA1
94c75557e235b4553b918e4611c40cce8e975425

SHA256
abcb3a2d2f356b132fd475c2e52140060934c2271b5a31cd6bbe2b5161bc6136

SHA512
f19ed3c170ca23c0a1b925616b648efab59cd5d34d5a7a2d4075d2db6898aaba886d1f69676d9639254d4b787752ab968766667d22edafcaf880f98dc7ed5501

Download Submit
C:\Users\Admin\Desktop\DisconnectExport.ps1xml

Filesize
537KB

MD5
f05e6e6cf6a1bd6815f8acd1bf9ee050

SHA1
7e26d8b428947d02e8cc5177e43a9bc5434178cd

SHA256
f3d33c7ca37294b6a03db337b4a8707e7326fc4b697b1b96cc177a62def92489

SHA512
59d82898d8d8af3ee4d1d9ef83e861a3f21ae081111d6c71cc4ad0df45898ae81c8d0230cdd4435dcd29782fdf7342a22438950572161b90ae07ba102a972323

Download Submit
C:\Users\Admin\Desktop\GroupHide.docx

Filesize
17KB

MD5
3546d4a321619e006b87fcc788609370

SHA1
65f6f0b726b55293e8c58aea9a5b5b6df620f4fb

SHA256
d31b0ae28b12364dfbb066ac233d50f10589a5eb57e36c747f4420f62a641947

SHA512
1bf455ceaaa9d71e71c94f9cdaaaf9672063a461dbb2e97cfd999357f636cbd20a75406db34ed1ea17761567d5bd48fb3f4cbb0b1d50ee5c0742f2619c4c6ad3

Download Submit
C:\Users\Admin\Desktop\HideResume.mp4

Filesize
652KB

MD5
11741fc27c929fe2aadd5c1f0747ac22

SHA1
21aa25677c3a1bd29c0e4b43a7f19ec772122e3d

SHA256
c404b0b6ee7ed5a6e13fcad62e1e581d19fb744749fa790d9ed024f2cb89dd05

SHA512
a62e1bb40a9461ddb3b55f6bd144555c05e70440b79d6c137b2cbc2687ff0b2ad52a49698529e7734b28cde5e5eca410750f9d103931c943e499428adb5b8766

Download Submit
C:\Users\Admin\Desktop\HideSuspend.M2T

Filesize
921KB

MD5
21ad89d5932ef1bc5fb745e78d3a874d

SHA1
e14cbe7f6bd056b1054d53a370e67942c26c2ecc

SHA256
3975ba92c7db2d95dc1c99e2aa568d00b2c5f883fd42c8050c6fe345f2be01f7

SHA512
4fcf7a3059927778c5ccb5e359c6aadc72d03c05ea9bbb6b59a12af030286367c726d145413ba52b012071c6095b91f23b60dd59350804ea894b5dc205314704

Download Submit
C:\Users\Admin\Desktop\ImportExport.odt

Filesize
768KB

MD5
937885cc510703f4223661b0548842ca

SHA1
01a0f7109b4c8b05ec8e76eb9386ed7bcd521c85

SHA256
6376c11da1625bcf43e7657adb9fda2560986473cd8acadd62bca0d106e6495a

SHA512
9fd614d92dd5646e5ee18498da016eb496d2ba12b7d7368d079acb6d6342bda532b95956a9f537af979f738b85e9fbed9ece2dfc3873c97b053f8b3d3e1c61b2

Download Submit
C:\Users\Admin\Desktop\LimitRemove.tif

Filesize
1.1MB

MD5
33ab97d99d301771873b1fb2c4922231

SHA1
87efc9bf2e811d0d9aceb5b20fb740e909f54c15

SHA256
a69ded4becd813d3d1696496cb5ed300590699979fd6bfe4f0abf3067a32ee60

SHA512
2db6aee2247860cfb6d5960fd2af9d8186f0090353223785fb6491e79e93d33cc284ce52985713a9fd5d07e372b840ee5f7b5fb78d04b11139135616ab3d1a04

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
3b4f6c30f6ab1a0e24d0d92ad489d9d6

SHA1
c29f74d22e747a8b752a5117b68317972764efa6

SHA256
f7f56acc2d4e975dc4bc4c9eb93ee490366d590a038c3f398d355905b9e1acbb

SHA512
549185e788621292657e7855f42342e37f88946669a6f8ad5f2f79494b9869a839fa9d78a80bf966c5d8381f5f6e95f66d39941777b8569a8127ebde3ede110a

Download Submit
C:\Users\Admin\Desktop\OptimizeImport.ps1

Filesize
1.0MB

MD5
5567ef854024ec4c2dc80ad9de3373ea

SHA1
5725f3b984d4059ae9303e72ac96de96b3dd8d22

SHA256
c5a3a51cb2bb0b135205bea5e940a843829bf9d7ad8a58cbe9682abea2e2c525

SHA512
04905b1c056d4a723748f83ed0694ab8116397dcb1ee6846316ab7f33f800db018760ae0a16ceee531ff80b9fbdfb85d962cbbf854c1683271f6c9fd680651e7

Download Submit
C:\Users\Admin\Desktop\OutConnect.rar

Filesize
998KB

MD5
06cb5d7b801c7ef40934e01cbd8cd3a1

SHA1
5c087dd7e5fdeb0a1d52de35aae2fc68825795a1

SHA256
74c1fd0da8c76cd2c501ab191d7542c1a2715f915045c786f81db37eaa1597eb

SHA512
7e242026ea2de5ae9441a9af1457d9b85d130c007b8e81a6200877af0eed312a0aaebb456efb4be18ada59504105df66ea6a9898244c3249acb2ba6aa0402d4d

Download Submit
C:\Users\Admin\Desktop\ReadTrace.docx

Filesize
14KB

MD5
32d50dea3d45f4c8925f48825c9a038d

SHA1
653ace2468bd2d4401538b13c3f9dff37d789555

SHA256
633a775d910ff9eeb626f532a419bbab9e49442a345402db7fe46179be3d90f7

SHA512
22125b2729830b16686282f9456c562b0f0f13c51c5173ef62dbdbbd3ab1f26065690bd70a0ba8220cb3cfcb70c090ef98a052d56644e9b1a3bc55da0b865650

Download Submit
C:\Users\Admin\Desktop\RequestStep.docx

Filesize
17KB

MD5
446d9f341d3dea4d32c031b156bd7733

SHA1
eee36150355ec59a88a6697a72ac79f093745224

SHA256
8ffac6ea0f2dc28bc025cb51c1dbd34245a16064af755d06b824e90df2a6ee3d

SHA512
8a32bed6dd00060739a8cdc0b6c7fa0928f886a97776e1ebb62c8b6a5b09f30ca0f2a15a42664561abffcdd2d720932e7f32d699177ede13a285dcacb212a02e

Download Submit
C:\Users\Admin\Desktop\RevokeOut.xla

Filesize
844KB

MD5
244f023a050636624ebec607b5351033

SHA1
6e4e090b20d7818e127ffc2114511621743d60f0

SHA256
465fd03167aa65717253d3908fd1ecf7931087abcbea9cb57fe4ffa3995955a0

SHA512
24df77f436337c1bdd2c7c79466526dc05142581f636b5f97966c1d96d0b98522070720a5c044d24ee23b0ef12b720d3c1c75da24928ffa007813f9dbbb90efa

Download Submit
C:\Users\Admin\Desktop\SelectPing.eps

Filesize
499KB

MD5
fc54e7beb9016b4326914b2810f3adb5

SHA1
0cb46cb9a0e9f56a8de48bb332900d0fb9d769f1

SHA256
d5e35f96cc9aa073d8fdce3977d3dc7c3a3db42faa0b065e424e92a9ef65102f

SHA512
a51b39ef286bb1392c8eec6d4a0e9d6629ce62d20a16276ce061d0cb5b331b633c378d4161a5121d756d2a341d6bebcd4105e91754272cb5defd9129469f7597

Download Submit
C:\Users\Admin\Desktop\SplitSkip.mht

Filesize
883KB

MD5
eff20e4f851d8293822bc083928005ce

SHA1
13580211dd852cb0b08d18689e71cdbe2de821e5

SHA256
38f01c36ba5e91e9a572ba7fcee42f6541ade4cfe5896c6a3892e7ad37eedf3d

SHA512
d66b1e3be919e94d7458eed6dc0f41e9874ea9ab2f25100c011960a55287af20f0f919deb5da18342513f5dd14146f461605e56b02ce48dda579905908328369

Download Submit
C:\Users\Admin\Desktop\StopRename.DVR

Filesize
614KB

MD5
b865cd4f7dfefd13f4bfe466fd616815

SHA1
6211af9cef27da8b54fff4af40a6d9feda8ac2da

SHA256
d48c1f6a823dcc78e10ed8792220fd729f69a5d3aa3a57a89abde8f4fa8c7409

SHA512
b62f920177f320420e3b392d2670a75dc3ff0961084f7668580fcb67851ec0446a0f427f63f1d21c56b7649333f75e0583d06e1856b699e0a949ada496e48678

Download Submit
C:\Users\Admin\Desktop\WatchCompare.html

Filesize
384KB

MD5
ad0e529f0a2e670e889a090e86160337

SHA1
35d7ae4a4fdd4f7a7da12b321f27af14723beed3

SHA256
2345f4cdbdcd1c71b20159c54e6006c932f9fc9d0ac4f56fab4cd18c1ed85382

SHA512
72cae0b355f47a19a1817946483eb0aab2724c675ac195b6a875a0630ffad190e72c84949521d8ade9b394423428808345b0f0882e40cf700e677bc101a4ef8b

Download Submit
C:\Users\Admin\Desktop\WatchJoin.rtf

Filesize
960KB

MD5
4d2a97ba84e522a1ea5aad8f3655eb22

SHA1
fe19e0ddba7f388b1be628451294137fc9cf0dbe

SHA256
dcd866e14e533a87a247b864d345a46e7f5fe18c506d54bbbe85f25a3f04f9fe

SHA512
979b0fd3c56fc4a0b866a291344706c60359594f7122eff204d031b854a5d9106fc658755c3fa88d764aff2af0228fe352c6a52d40b3ac39f5a44ba401976674

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
4d67e89e7c5f405b36ed6594ee36bb8e

SHA1
66f2def44a4dd4c1d5403c01901450e11f57003c

SHA256
042a6a22563e661442b2e3b0f3d5484a8cec101341e0ae2f6a3d1886faa6269c

SHA512
47492a40d93301491ac6befe80af91527b0fa16443e5387830415815fc8df2cea6728e254ea8c4291d370c2afaf298d8446accc5aa3f38440f5128a33cc5706d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
f9354eca4e950d15127561f485e0d88b

SHA1
eadf157e7111508060ab31638c5bed55da62816d

SHA256
528837aa4937874f056f57caef4e496dc168b987cdf84876a601c27cea94d32f

SHA512
d93afa1603e71272eab80d7adf5a82323c52e5b15251c138c3bf5e1ed64d6ac85480acd864bcabb91594e7044415f97386e72e9dfef542ba79c6e359be69dfd2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bc82f1bc10efbfdc6c989e661acb29cb

SHA1
52bd265170a8ca917a639d3e633b2adbb757ff99

SHA256
d18343cc15d2f8e16185523f106c7fb6a512507763a839c5a5afda75df25d34c

SHA512
baa474c70dfb88127243231820831222a0bf385d84d1c79288db2a18dc5054e841f37c925c5c4c7a47ba727c13ead310672244cd388b9142f52f313205be6450

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
5afaaae04003ad3650ab6e2ce9de3add

SHA1
22809b8f095cafd543111cb8b33df51dfa870027

SHA256
95c1e0d807f45e566a01d7d685f056d6273fa3c679edb3831296c044e0cc75d2

SHA512
31458bc1f670afe45d288b9608167cffbdf9a2dc54f89935b65fe82187f9b13135a398b12a800f8fb04061ebf550dc2ff5e6e62ae93185a2900906197ee03588

Download Submit
memory/1268-9-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1268-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1268-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5016-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/5016-13-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-15-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-8-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-1-0x0000000000840000-0x00000000008D0000-memory.dmp

Filesize
576KB

Download