lumma | 000abc24d378fefbbee9e4466a200f4088e63c941bb7ecba18af54d6e23fecfa

Analysis

max time kernel
90s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

6.2MB
MD5

11c8962675b6d535c018a63be0821e4c
SHA1

a150fa871e10919a1d626ffe37b1a400142f452b
SHA256

421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273
SHA512

3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a
SSDEEP

98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://candidatersz.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

19 2500 msiexec.exe
22 2500 msiexec.exe
26 2500 msiexec.exe
30 2500 msiexec.exe
35 2500 msiexec.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Set-up.exe

description pid process target process

PID 4052 set thread context of 3488 4052 Set-up.exe more.com

flow	pid	process
19	2500	msiexec.exe
22	2500	msiexec.exe
26	2500	msiexec.exe
30	2500	msiexec.exe
35	2500	msiexec.exe

description	pid	process	target process
PID 4052 set thread context of 3488	4052	Set-up.exe	more.com

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Set-up.exemore.commsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Set-up.exemore.com

pid process

4052 Set-up.exe
4052 Set-up.exe
3488 more.com
3488 more.com
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Set-up.exemore.com

pid process

4052 Set-up.exe
3488 more.com

pid	process
4052	Set-up.exe
4052	Set-up.exe
3488	more.com
3488	more.com

pid	process
4052	Set-up.exe
3488	more.com

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Set-up.exemore.com

description	pid	process	target process
PID 4052 wrote to memory of 3488	4052	Set-up.exe	more.com
PID 4052 wrote to memory of 3488	4052	Set-up.exe	more.com
PID 4052 wrote to memory of 3488	4052	Set-up.exe	more.com
PID 4052 wrote to memory of 3488	4052	Set-up.exe	more.com
PID 3488 wrote to memory of 2500	3488	more.com	msiexec.exe
PID 3488 wrote to memory of 2500	3488	more.com	msiexec.exe
PID 3488 wrote to memory of 2500	3488	more.com	msiexec.exe
PID 3488 wrote to memory of 2500	3488	more.com	msiexec.exe
PID 3488 wrote to memory of 2500	3488	more.com	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3370c677

Filesize
1.0MB

MD5
55f2535a8864304b954aa953095cdb36

SHA1
c78215dad8df894caa44adcc40c81f197e66bb46

SHA256
80dd866c698f011e348a7ab73ded28772d306b4e194d1e69f9d029caf44cddca

SHA512
81ef967dbed21add416d667529015edb6e3eac2de4fcecba708f5847dd5c5cb1b0c459baa26f82f19ed0e2f1265406c56a81cf0a2b2d395eb7646870f74eb4ec

Download Submit
memory/2500-27-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/2500-26-0x0000000000C40000-0x0000000000C9D000-memory.dmp

Filesize
372KB

Download
memory/2500-25-0x00007FF9730B0000-0x00007FF9732A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-20-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/3488-15-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/3488-17-0x00007FF9730B0000-0x00007FF9732A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-19-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/3488-24-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/4052-13-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/4052-0-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/4052-12-0x0000000074860000-0x00000000749DB000-memory.dmp

Filesize
1.5MB

Download
memory/4052-11-0x0000000074873000-0x0000000074875000-memory.dmp

Filesize
8KB

Download
memory/4052-1-0x00007FF9730B0000-0x00007FF9732A5000-memory.dmp

Filesize
2.0MB

Download