lumma | bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-11-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MilwaukeeRivers.exe
Size

948KB
MD5

e922a4d7d2c3c937231aa937b9a2ad25
SHA1

b78ade0fbd78bff01d5c86079c9224d7b87f0770
SHA256

bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
SHA512

501a15eb4c5c64f2df9f454c11951907f33a834885113e14491a6823d8e3373c09523a3eedb52952aada8071dbeec88338dbdeb02a2c4d7a8e0af48eb1dbe5f6
SSDEEP

24576:7gk8NlvGOgHdQFQ/Dfw/EQky/vgNs9OHYkc:WvGOgHeFODfwcC3WsSS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://proggresinvj.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
4740	Comparing.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4420	tasklist.exe
4696	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeDebugPrivilege	4696	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4740	Comparing.pif
4740	Comparing.pif
4740	Comparing.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2576	3588	MilwaukeeRivers.exe	77
PID 3588 wrote to memory of 2576	3588	MilwaukeeRivers.exe	77
PID 3588 wrote to memory of 2576	3588	MilwaukeeRivers.exe	77
PID 2576 wrote to memory of 4420	2576	cmd.exe	79
PID 2576 wrote to memory of 4420	2576	cmd.exe	79
PID 2576 wrote to memory of 4420	2576	cmd.exe	79
PID 2576 wrote to memory of 4704	2576	cmd.exe	80
PID 2576 wrote to memory of 4704	2576	cmd.exe	80
PID 2576 wrote to memory of 4704	2576	cmd.exe	80
PID 2576 wrote to memory of 4696	2576	cmd.exe	82
PID 2576 wrote to memory of 4696	2576	cmd.exe	82
PID 2576 wrote to memory of 4696	2576	cmd.exe	82
PID 2576 wrote to memory of 4544	2576	cmd.exe	83
PID 2576 wrote to memory of 4544	2576	cmd.exe	83
PID 2576 wrote to memory of 4544	2576	cmd.exe	83
PID 2576 wrote to memory of 956	2576	cmd.exe	84
PID 2576 wrote to memory of 956	2576	cmd.exe	84
PID 2576 wrote to memory of 956	2576	cmd.exe	84
PID 2576 wrote to memory of 1344	2576	cmd.exe	85
PID 2576 wrote to memory of 1344	2576	cmd.exe	85
PID 2576 wrote to memory of 1344	2576	cmd.exe	85
PID 2576 wrote to memory of 2000	2576	cmd.exe	86
PID 2576 wrote to memory of 2000	2576	cmd.exe	86
PID 2576 wrote to memory of 2000	2576	cmd.exe	86
PID 2576 wrote to memory of 4740	2576	cmd.exe	87
PID 2576 wrote to memory of 4740	2576	cmd.exe	87
PID 2576 wrote to memory of 4740	2576	cmd.exe	87
PID 2576 wrote to memory of 1080	2576	cmd.exe	88
PID 2576 wrote to memory of 1080	2576	cmd.exe	88
PID 2576 wrote to memory of 1080	2576	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "GeologicalAllowStoryVirtually" Commitments
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4740
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\215655\g

Filesize
497KB

MD5
d266b3c08227e9cb46232736b80e5aa0

SHA1
173c8acee3adeae51142bd0e72c3309e34ee520f

SHA256
ec2604a7647c0186b5e12315f62c27927dbb1cf8f939612e129dcdfc1392b998

SHA512
59cfe54e855d98f3f4b01fa7670b9594376c450cfe210e5f626574dd7449e066f55b6c8d218428601ac526a9d0f2ba7a244d54c12b4dca6e0919800b58f31f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commitments

Filesize
6KB

MD5
95b88aac08c10ed0630bff6e25a48d22

SHA1
ad839ffe077b94d8aa26523557826b66268db8ad

SHA256
7c047d4bd015bf4db77fa60edadd2cd71a0969c8b6ba68c7a1799b63ab3a4ed3

SHA512
5342208ef56103e9329f877aec12fc3e85dca2e1363f21960c8293841f0093463a16298ccb8be6d418835febfb3e3e10cee5336ba342a5d170942186974590a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Etc

Filesize
77KB

MD5
a2e6f3d6b4b15803fc39db66d53d5a68

SHA1
4d9e598b94c8a1c3f88a7d70c72c726b306b7da1

SHA256
fc1405b7240e36717d575f651d792db859226ff4ea8ea80773bf7200b6a582b8

SHA512
56254f9a620fb0e38e8252a8cc1dd7d0e599d9c4854ffb8ca69771ef9fb0b3deb6508492d4d2095ab8b7e1bbc0f381dd9fe743d1161ca344f4445d1c5e1b811c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lingerie

Filesize
77KB

MD5
2f47e917ab451b39dee57628583e0e49

SHA1
9a5323f7f24a7d98acb6ad484f39ae2211297dc7

SHA256
fe0de264e44fe42611ad2faafa7a97d45c48de38f251cbc446913611f170e3eb

SHA512
71044cf3e0848e8d7bac6666e452690ef2ee623f408477f815235d0f737b1ec200f44152bfd59616bcd8db538765337c62019f3ff5a122c3fd6f6e8eff16f0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mate

Filesize
866KB

MD5
25c0cca1b4b6c482fd0135e0e5e747a0

SHA1
339571736c2fc5cde1ad6f9e7dc58ee62a863c63

SHA256
1de377cc55c433743b916de2cfabda2ba5e73ff825f3e7f968ad8905bdd8dfb4

SHA512
a5b2ade00f9f896578f97feccd320675fa1c2824934549352edc9bcb39ca411278ea8a91f0649c3a1aae3c46ee6b6f9b25bb6e2d0afaee57dc35bf50843b2089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reliability

Filesize
60KB

MD5
8c746ced3ce86327e752383866d630d8

SHA1
3d6befc5ad1e28419ad7834dae43a2b51dbb818a

SHA256
e7db8c4fda3f419f74f3939af4984a4ff079541b02843d6805b048d8bdff0421

SHA512
06b54b6279b80aab06d1e47c221058cae54fa5b9c875fc3c7f4d82f90dbc4acce9b246b678056c2a3d45493b82ceddcd5e2420ca4014c15cd9093cee2b0f27db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek

Filesize
88KB

MD5
54c81389f168a434cf19946888499a41

SHA1
3bcb690da7b8809ddf88e833a47dacc04633bc80

SHA256
c9766c34ff13cbb3b62afbc794bc79171e1d573b5d4e2e3ff2c4b21885d537f6

SHA512
61a2a3b2dcbca67ca41e5bb96bba3d31c4f17d491f6430f5b1584ca083310a4d4adb612b5baa6561b0aa5966ba062a0ba85a09e09065f0ec149eacd665328394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spend

Filesize
90KB

MD5
3b05748621287f6259899970ef155a38

SHA1
def8acf6355fbe03c1f369c86475a1880755fcb2

SHA256
450619a5707d27235f489c4f5b6dbaa953405b7907dd23c03c6ccac08e1187a1

SHA512
787fcbac6a9cea27f2033bdce73c0390d1c8c74d7fbd857fec66efb4d679a9981ec095d289801c92cafc4d5cfb6747f6fce87619d55c5ed10927d25731e9b0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Started

Filesize
86KB

MD5
6517aa64b07030e6916dfaa84c900553

SHA1
40de8c112f344c59e045e3bcd9d7f9f9cb427d7e

SHA256
3bfc145b382f207a3aded6e9ac0bc61f07c94c0b81658fd43cbb741a1aa7fefe

SHA512
ad71d36193b99219e36cda11dc98bd4d44768c6ea0557f76c1902286942317a66cfab6359d36a7439ec7e30ca85041941e55d5bb77abbe9eb10183c7f7b8c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Te

Filesize
23KB

MD5
1e40cfd6dfe1b3c142469bec11eb51f7

SHA1
0e13c823035cbec02e0745e1970bfb7f3bdaa1bc

SHA256
d720ff2ac7655230dc5cf3512402471ce822e7dea81e3cd6121ba34f93081c1e

SHA512
3bfac352f9a61d151a2b217a893ca2e0c2819cf5e06a7c39d60f0fff8481482bde885596d4aaaacc0eba97f5e8d030937315d1df5ebc6768e0e7bdc8893837d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Washing

Filesize
19KB

MD5
93654b776416f68061f5812121d460e3

SHA1
917be2e9a18b06f4b49c9f506faa596d8da4084e

SHA256
6cfb0951411a034c4b06886a3d8bbbe1b58c988c8280183d0409b49aa4069d92

SHA512
6f0dae32fa26e7f02d1b781e7837d971b8e4fdab7ef03df2b1082ca9c7cc048dc23bbf092d827e2fc46b2fd293a26d1bdaeaff34d5c62d4a20b44c2c17cd4570

Download Submit
memory/4740-543-0x0000000000020000-0x0000000000080000-memory.dmp

Filesize
384KB

Download
memory/4740-544-0x0000000000020000-0x0000000000080000-memory.dmp

Filesize
384KB

Download
memory/4740-545-0x0000000000020000-0x0000000000080000-memory.dmp

Filesize
384KB

Download
memory/4740-546-0x0000000000020000-0x0000000000080000-memory.dmp

Filesize
384KB

Download
memory/4740-547-0x0000000000020000-0x0000000000080000-memory.dmp

Filesize
384KB

Download