lumma | c29aa20740e453ad22c74ea8acd3a04fbc71fe607c3c70493b3aaba3c124235c

Analysis

max time kernel
15s
max time network
16s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

begit.zip
Size

4.1MB
MD5

09a4b2535a791e88b4ebfb0563df5b7e
SHA1

b41188a7194307e374f6a7b4425b157a0947cedd
SHA256

c29aa20740e453ad22c74ea8acd3a04fbc71fe607c3c70493b3aaba3c124235c
SHA512

1a56fb8cacca047999fbd4d39d1c273cf1325bf944e59f3122ff8a00cb15732f27c7a0c25820e39236bb5ffca756f075926bb92bb2c525336d4013ac28037893
SSDEEP

98304:H9eR9nYHES0q8Yfk/zwG0GAn5Xv08+xB7tOkCvs2bDOSuDUWRZ7pgR1hcs:H9eLnYHE0fk/bVOf4xKxmSu4WRZ7pg9H

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://humdrum-screw.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
4576	zipki.exe

Loads dropped DLL 1 IoCs

pid	Process
4576	zipki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	4576	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zipki.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3440	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3440	7zFM.exe
Token: 35	3440	7zFM.exe
Token: SeSecurityPrivilege	3440	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3440	7zFM.exe
3440	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\begit.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3440

C:\Users\Admin\Desktop\zipki.exe
"C:\Users\Admin\Desktop\zipki.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1504
  2⤵
  - Program crash
  PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4576 -ip 4576
1⤵
PID:260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\cr.dll

Filesize
7.0MB

MD5
ed37f5e5f0c20c8b9afc5de56c5a1927

SHA1
442e02e927aae3b631f5d4836d7f06ef0df05412

SHA256
dde7b24c2c33b6dbb54ccfeda6a0541289edce98bea2c0cc6be31ee6a0d91359

SHA512
500990fae26e55260f7c86bb38aa4a2854e90ab13d679f7bb2a24d8956914b7bcce9b1e47f0b5774a9e285a3e0cd1d19766ac85e395b2765dd6c4b332153abf3

Download Submit
C:\Users\Admin\Desktop\zipki.exe

Filesize
6.1MB

MD5
77b08da9991693736fad9947c6d140a7

SHA1
f7675a4376c3bd6fe2137c31c67e12b2bb59393c

SHA256
0ffb2e082cf20a0bbe0e09d166a894c8fc5a76d40105fc7cf70df57f78a6c54c

SHA512
ede72075622dacbf9d6472e90806d884839fe3e6bb6215c0a4c4d7d952eccc59c38ebd44c86973ab89839e83d3de6ce1721e23087cff07825f427d0078b53567

Download Submit
memory/4576-10-0x00000000015E0000-0x0000000001638000-memory.dmp

Filesize
352KB

Download
memory/4576-9-0x00000000015E0000-0x0000000001638000-memory.dmp

Filesize
352KB

Download
memory/4576-8-0x00000000015E0000-0x0000000001638000-memory.dmp

Filesize
352KB

Download
memory/4576-11-0x00000000015E0000-0x0000000001638000-memory.dmp

Filesize
352KB

Download
memory/4576-7-0x0000000077BC4000-0x0000000077BC5000-memory.dmp

Filesize
4KB

Download
memory/4576-14-0x0000000074C20000-0x0000000075326000-memory.dmp

Filesize
7.0MB

Download
memory/4576-13-0x00000000000D0000-0x00000000006F7000-memory.dmp

Filesize
6.2MB

Download
memory/4576-15-0x00000000015E0000-0x0000000001638000-memory.dmp

Filesize
352KB

Download