lumma | 1230f1313b7c82b3fda1ef9f3860d668ed66846cc6252ad2a2b92db29a59d6a9

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

351.1MB
MD5

b6cf2050dc61fcc253eb7d7f9105f4c8
SHA1

f88ec60af42abdd3b67a980ae14eb4e58b3bc0e7
SHA256

42d6496db190c2800501a8205f23b610e5efe24312fcfe1ea8b9f6d66aaea9f1
SHA512

944de25459b38cce873f6076e14e40bf701f138002bc9182bba37ea08073185430432b24d07c369a023ebfc5d22d8f97dc622c8d9bc98c98c43fbd288ed307fa
SSDEEP

196608:Hi4rZPnHKOfiGJDxGOOBvaxvQAoOQpDbVHqHI+uzIQDQdy1VM1fzN6Do3pOVNAUe:Hi4rZPxfiGJDxGOOBvaxnQzMj

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://reallymenyb.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 2744 set thread context of 2688	2744	Setup.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.comOpenWith.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
2744	Setup.exe
2744	Setup.exe
2688	more.com
2688	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid	Process
2744	Setup.exe
2688	more.com

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Setup.exemore.com

description	pid	Process	procid_target
PID 2744 wrote to memory of 2688	2744	Setup.exe	87
PID 2744 wrote to memory of 2688	2744	Setup.exe	87
PID 2744 wrote to memory of 2688	2744	Setup.exe	87
PID 2744 wrote to memory of 2688	2744	Setup.exe	87
PID 2688 wrote to memory of 3488	2688	more.com	97
PID 2688 wrote to memory of 3488	2688	more.com	97
PID 2688 wrote to memory of 3488	2688	more.com	97
PID 2688 wrote to memory of 3488	2688	more.com	97
PID 2688 wrote to memory of 3488	2688	more.com	97

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\OpenWith.exe
    C:\Windows\SysWOW64\OpenWith.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f07beb8c

Filesize
1.3MB

MD5
94175bd77bc17ca8f7c2196caba3f614

SHA1
f9602cc39643864461fd30e04d01be8c8e82d411

SHA256
526680305be37788cfd31337114c567329ee6f16a139f5496a9a9550442bd7c8

SHA512
4e66917165b19e22fd2aa2f3cafb77e322046f8bf720b143719561936c69916c2a004537dbc2ad14dace514478318d6d31e9372387d383db9bb6369e6366addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f32369bc

Filesize
1.1MB

MD5
18705c7fd92b80b6d3b328b761ec6612

SHA1
fcbe7d95baf714b82d67c5288738646880628e3f

SHA256
f65261135009cbaf340362e37f65523186bd4f7990e64d250689ab957e8d6d6e

SHA512
79ccaf71bf99b49a8d075add2733b8c83b4f7adb9ba3c92cd9facc03bf6ea5a2527ae1ee0215d9c9e3c2121e68038036fb235c30e10f935cbf66aa6fd365518a

Download Submit
memory/2688-18-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2688-13-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2688-22-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2688-17-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2688-16-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/2744-1-0x0000000000F70000-0x0000000001B4C000-memory.dmp

Filesize
11.9MB

Download
memory/2744-11-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2744-7-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2744-10-0x00000000739F0000-0x0000000073B6B000-memory.dmp

Filesize
1.5MB

Download
memory/2744-9-0x0000000073A03000-0x0000000073A05000-memory.dmp

Filesize
8KB

Download
memory/2744-0-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2744-8-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-23-0x00007FF93D2B0000-0x00007FF93D4A5000-memory.dmp

Filesize
2.0MB

Download
memory/3488-25-0x0000000000E80000-0x0000000000E9C000-memory.dmp

Filesize
112KB

Download
memory/3488-24-0x00000000005A0000-0x0000000000617000-memory.dmp

Filesize
476KB

Download