lumma | 1ce5ca122a8a01ea292b347950b5c8d8cb0cea29f8a9fb9e0d0e249462acebbe

Analysis

max time kernel
99s
max time network
138s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-11-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1732126153.61061_wild things.exe
Size

8.1MB
MD5

0d192a52df0ca9da48e517684e5ad781
SHA1

557a94480b6fc3fe1c711ab4ff9e1909c3f73e31
SHA256

1ce5ca122a8a01ea292b347950b5c8d8cb0cea29f8a9fb9e0d0e249462acebbe
SHA512

266d0348029f28e75fc83c16487e674fda426f86c174ad79f4a6cb2bae1e9c89c9fa8f9629c010e98df9d77b0af4f71e202b333b45961836f389205fc22ae8e5
SSDEEP

196608:LDkvAN8JGCFSWFLf6P2Pbeq+ybHFjhtWYRuL2Pdd+IjN2:YuCFSkSP2P/+y7FjOEuL2Pdd+

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://gentlewave.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	1732126153.61061_wild things.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	Efficiency.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1960	tasklist.exe
4700	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efficiency.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1732126153.61061_wild things.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	tasklist.exe
Token: SeDebugPrivilege	4700	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4820	Efficiency.com
4820	Efficiency.com
4820	Efficiency.com

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4044	2968	1732126153.61061_wild things.exe	84
PID 2968 wrote to memory of 4044	2968	1732126153.61061_wild things.exe	84
PID 2968 wrote to memory of 4044	2968	1732126153.61061_wild things.exe	84
PID 4044 wrote to memory of 1960	4044	cmd.exe	90
PID 4044 wrote to memory of 1960	4044	cmd.exe	90
PID 4044 wrote to memory of 1960	4044	cmd.exe	90
PID 4044 wrote to memory of 2500	4044	cmd.exe	91
PID 4044 wrote to memory of 2500	4044	cmd.exe	91
PID 4044 wrote to memory of 2500	4044	cmd.exe	91
PID 4044 wrote to memory of 4700	4044	cmd.exe	92
PID 4044 wrote to memory of 4700	4044	cmd.exe	92
PID 4044 wrote to memory of 4700	4044	cmd.exe	92
PID 4044 wrote to memory of 3560	4044	cmd.exe	93
PID 4044 wrote to memory of 3560	4044	cmd.exe	93
PID 4044 wrote to memory of 3560	4044	cmd.exe	93
PID 4044 wrote to memory of 2912	4044	cmd.exe	94
PID 4044 wrote to memory of 2912	4044	cmd.exe	94
PID 4044 wrote to memory of 2912	4044	cmd.exe	94
PID 4044 wrote to memory of 1764	4044	cmd.exe	95
PID 4044 wrote to memory of 1764	4044	cmd.exe	95
PID 4044 wrote to memory of 1764	4044	cmd.exe	95
PID 4044 wrote to memory of 4820	4044	cmd.exe	96
PID 4044 wrote to memory of 4820	4044	cmd.exe	96
PID 4044 wrote to memory of 4820	4044	cmd.exe	96
PID 4044 wrote to memory of 192	4044	cmd.exe	97
PID 4044 wrote to memory of 192	4044	cmd.exe	97
PID 4044 wrote to memory of 192	4044	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\1732126153.61061_wild things.exe
"C:\Users\Admin\AppData\Local\Temp\1732126153.61061_wild things.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Brunei Brunei.cmd & Brunei.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 256267
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ecological + ..\Something + ..\Consulting + ..\Coffee + ..\Underlying + ..\Employee Q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\256267\Efficiency.com
    Efficiency.com Q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4820
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\256267\Q

Filesize
484KB

MD5
d7ba2d169be2aaedb58fc6ae7cf950f6

SHA1
255eb0d67c724a97ab32d16600b7aeb79d26b6eb

SHA256
dc3ee8ea7f6e1792c4578ad893d579d8165c7d3a9b4ebe61dc27934c5584f66c

SHA512
c17940b5b7aae805ea6a50df945594ff4ec10a85c3cfedbf25a3b333880ff9c1cdc2cbbca5518c6b750ccc00373450959e765a57a47f5c8900053ea0c44d4445

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brunei

Filesize
26KB

MD5
86e6ea095e903b5bc2f36fb64165b2ce

SHA1
ff26105ec6f2efde2fb61173050b89a927441344

SHA256
5106b66e910cdb8b52b819e837c6de4f7ee2aac2d53bc7355db878d4870f1943

SHA512
5b1503818a69d4c9eadc91d777b33140b8645b953589604055b3865d3f8884008e645bfee4cffa98170c7734e1f2a0a223b12066721b0ea08066b210bf0cfc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celebration

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coffee

Filesize
90KB

MD5
77b12c07393313514e6184a375226839

SHA1
a2cc46f4ae51be33f1b24617b413dea8d29921f9

SHA256
6f600615a3d1b8a10ff91359d07cb9ad9404eafc28ba736d68de006750bfbf94

SHA512
b7d255852842c949d445f2e47f78eb64c801ecb2aae3e707611fa364f888a494afdb5f9dd0b634e9c13aaaf331cb5c4fe48cd8c797fd128526b7e509caf0c689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consulting

Filesize
96KB

MD5
c7ef51a71d4fbe8f838dff23ed1e4929

SHA1
237460f0401758a8fb75223fad5d299db604802f

SHA256
90d8a2506d381ea6240096caace82498f5f599c5d32201b0a256ca2934d2ffd2

SHA512
ddd6b16448b6990dd2724e8160b0d22396ad724a405fcf62ca524169baeefbf69debae87357697c758902b5163b2e3fa62336663083b69adfd6d52031a2d7984

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecological

Filesize
84KB

MD5
fb009fe95c1dffc3f8b7daca36dc083c

SHA1
a977cffa508c9b82336f455c8e63a28ef8bd6743

SHA256
94c1594b3ae252690085351f921e038c1289eb4fed65ee75b13d6508ecb7bbdb

SHA512
35a85aca09ecce4dc48fa487c7bf1e576c7ecfa96c95a02b392275ca8f863c280b36a398686b39e83b696647e716023542288d6f78343118a1673726599db50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Employee

Filesize
73KB

MD5
740f5cf5643564318a4747d09604a4a1

SHA1
34f98a599c95e9dd4d6dd4ba674ea1c04f1d1971

SHA256
2577c1d66fdeca2e80cbce1baab50286c4df8389b2e5acd5f072e0b9fee1d5e1

SHA512
9860921682950ef22f733aa206dc99c3698994198d9f8b764ae6430d930f86844da798c431ef70513f0b4b49a4ab30aad9926c51f7820bdc0fdc67bdb6c0b55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Something

Filesize
53KB

MD5
983f92437d97fb0ac3ae37567de237f8

SHA1
5dbca1ccea8eeb92da994268ffd66f5ec09c7f50

SHA256
94d661e8ea870ce2e28f4952e641e1ed47a7ef029816bdc6619d3cd12fc58bcd

SHA512
7c046b6ad03defc6b37bf028cb8888b45a5271a02448a06b73f6e74468b88966ed396b734c8f6cdc6ac4078e295c96bd9f68de793e2dd13fd95a9f494220f919

Download Submit
C:\Users\Admin\AppData\Local\Temp\Underlying

Filesize
88KB

MD5
77614c997a197c9f65c41c4d76d5cf8e

SHA1
f1dd2a60753c8329752e6615c26b91910b4dda04

SHA256
91eb447971a2908f28d7b49febe467ce5e4568df479a8b1a4856ae7214b08fd5

SHA512
9bc88fe4f3c8935cc4fab8b68662edc3ab3b3110add22cf76abd2b5ad27ed6c84d325a7c0d3a9edcb0fe14a750983c6c92c974902c22436af4beb294f5a7bc45

Download Submit
memory/4820-19-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/4820-20-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/4820-21-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/4820-24-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/4820-23-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download
memory/4820-22-0x00000000000C0000-0x000000000011A000-memory.dmp

Filesize
360KB

Download