lumma | 7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

General

Target

XWorm-5.6-main.zip
Size

25.1MB
MD5

95c1c4a3673071e05814af8b2a138be4
SHA1

4c08b79195e0ff13b63cfb0e815a09dc426ac340
SHA256

7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27
SHA512

339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd
SSDEEP

786432:Ty5jMDNnx2+4NYobtH8VVtKqi9+i514XZ/pjYlp0:MMDNnxV4iobxibiIi5MpjYv0

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Executes dropped EXE 6 IoCs

Processes:

XwormLoader.exeXwormLoader.exeXworm V5.6.exeXwormLoader.exeXworm V5.6.exeXwormLoader.exe

pid process

4408 XwormLoader.exe
2600 XwormLoader.exe
3548 Xworm V5.6.exe
3048 XwormLoader.exe
4920 Xworm V5.6.exe
2464 XwormLoader.exe

pid	process
4408	XwormLoader.exe
2600	XwormLoader.exe
3548	Xworm V5.6.exe
3048	XwormLoader.exe
4920	Xworm V5.6.exe
2464	XwormLoader.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

XwormLoader.exeXwormLoader.exeXwormLoader.exeXwormLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

7zFM.exe

pid	process
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe
2208	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2208 7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

7zFM.exe

description	pid	process
Token: SeRestorePrivilege	2208	7zFM.exe
Token: 35	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe
Token: SeSecurityPrivilege	2208	7zFM.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

7zFM.exe

pid process

2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe
2208 7zFM.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7zFM.exe

description	pid	process	target process
PID 2208 wrote to memory of 4408	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 4408	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 4408	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 2600	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 2600	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 2600	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 3548	2208	7zFM.exe	Xworm V5.6.exe
PID 2208 wrote to memory of 3548	2208	7zFM.exe	Xworm V5.6.exe
PID 2208 wrote to memory of 3048	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 3048	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 3048	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 4920	2208	7zFM.exe	Xworm V5.6.exe
PID 2208 wrote to memory of 4920	2208	7zFM.exe	Xworm V5.6.exe
PID 2208 wrote to memory of 2464	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 2464	2208	7zFM.exe	XwormLoader.exe
PID 2208 wrote to memory of 2464	2208	7zFM.exe	XwormLoader.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\7zO0A8AD568\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A8AD568\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\7zO0A83E4D8\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A83E4D8\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\7zO0A848AD8\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A848AD8\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\7zO0A861188\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A861188\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\7zO0A8274B8\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A8274B8\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\7zO0A848069\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A848069\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0A848AD8\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0A8AD568\XwormLoader.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
memory/2464-339-0x0000000001200000-0x000000000124B000-memory.dmp

Filesize
300KB

Download
memory/2600-278-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-280-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-284-0x00000000007D0000-0x000000000081B000-memory.dmp

Filesize
300KB

Download
memory/2600-279-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-281-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-273-0x00000000007D0000-0x000000000081B000-memory.dmp

Filesize
300KB

Download
memory/2600-283-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2600-282-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3048-307-0x0000000000EB0000-0x0000000000EFB000-memory.dmp

Filesize
300KB

Download
memory/3048-312-0x0000000000EB0000-0x0000000000EFB000-memory.dmp

Filesize
300KB

Download
memory/3548-297-0x000002178F4A0000-0x0000021790388000-memory.dmp

Filesize
14.9MB

Download
memory/4408-263-0x0000000001200000-0x000000000124B000-memory.dmp

Filesize
300KB

Download
memory/4408-262-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4408-260-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4408-259-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/4408-261-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4408-258-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/4408-253-0x0000000001200000-0x000000000124B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads