lumma | 12ca4ad8cd613c8d086cd39a5c6e787c12209f2271ba850817b72eae3cd559da

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pghsefyjhsef.exe
Size

429KB
MD5

e21a937337ce24864bb9ca1b866c4b6e
SHA1

3fdfacb32c866f5684bceaab35cea6725f76182f
SHA256

55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70
SHA512

9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533
SSDEEP

12288:IjZnv5oukMkCB+N2DLNtFPMGk0Oj75LC:ekMzHBMH0OA

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://infect-crackle.cyou

Extracted

Family

lumma

https://infect-crackle.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pghsefyjhsef.exeGxtuum.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	pghsefyjhsef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Gxtuum.exe

Executes dropped EXE 4 IoCs

Processes:

Gxtuum.exeworkout1.exeGxtuum.exeGxtuum.exe

pid	Process
2072	Gxtuum.exe
4244	workout1.exe
2168	Gxtuum.exe
4640	Gxtuum.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

workout1.exe

description	pid	Process	procid_target
PID 4244 set thread context of 2460	4244	workout1.exe	102

Drops file in Windows directory 1 IoCs

Processes:

pghsefyjhsef.exe

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	pghsefyjhsef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4732	2460	WerFault.exe	102
4624	2460	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Gxtuum.exeworkout1.exeMSBuild.exepghsefyjhsef.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	workout1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pghsefyjhsef.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

workout1.exe

description	pid	Process
Token: SeDebugPrivilege	4244	workout1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pghsefyjhsef.exe

pid	Process
4788	pghsefyjhsef.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

pghsefyjhsef.exeGxtuum.exeworkout1.exe

description	pid	Process	procid_target
PID 4788 wrote to memory of 2072	4788	pghsefyjhsef.exe	82
PID 4788 wrote to memory of 2072	4788	pghsefyjhsef.exe	82
PID 4788 wrote to memory of 2072	4788	pghsefyjhsef.exe	82
PID 2072 wrote to memory of 4244	2072	Gxtuum.exe	97
PID 2072 wrote to memory of 4244	2072	Gxtuum.exe	97
PID 2072 wrote to memory of 4244	2072	Gxtuum.exe	97
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102
PID 4244 wrote to memory of 2460	4244	workout1.exe	102

C:\Users\Admin\AppData\Local\Temp\pghsefyjhsef.exe
"C:\Users\Admin\AppData\Local\Temp\pghsefyjhsef.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\10000700101\workout1.exe
    "C:\Users\Admin\AppData\Local\Temp\10000700101\workout1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1392
        5⤵
        Program crash
        
        PID:4624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1372
        5⤵
        Program crash
        
        PID:4732

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2460 -ip 2460
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2460 -ip 2460
1⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10000700101\workout1.exe

Filesize
4.0MB

MD5
2c53d432109b7628b438c3ec635c26cd

SHA1
02786b64b55b20c838340af3f30ac99d6815aa23

SHA256
072621dd165f32ba481de7a2b4ccea8d3a25ab7d079ae62373df3d699f97582e

SHA512
90664555d94e986a5399ff8a4d230085c9660b3a85d9d2dfee4b3cad73aeda8757c92fb706e98e93f411bc21b3fc15d29018b8ed4ab3ebd58a1ce1fcf55a521a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000700101\workout1.exe

Filesize
2.0MB

MD5
e0908c77f5d49635b14b6dae5d2e154e

SHA1
e87f9802d6e527205abb3daa27994c585a03a4ed

SHA256
56ba558cc82f43454c04b3ebced990c3def320934bb8460779a8dc8225a7cffb

SHA512
db1241dfb072c9445ef69bef4e730ee874135b265ae0d43dacd422b7e083b6dec7173d5af87fdccf0ccc689f8b1fbe3dc1542d23698ee8d49cac65fb75048593

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe

Filesize
429KB

MD5
e21a937337ce24864bb9ca1b866c4b6e

SHA1
3fdfacb32c866f5684bceaab35cea6725f76182f

SHA256
55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70

SHA512
9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

Download Submit
memory/2460-47-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2460-49-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4244-41-0x00000000728D0000-0x0000000073080000-memory.dmp

Filesize
7.7MB

Download
memory/4244-40-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/4244-42-0x00000000728DE000-0x00000000728DF000-memory.dmp

Filesize
4KB

Download
memory/4244-43-0x00000000728D0000-0x0000000073080000-memory.dmp

Filesize
7.7MB

Download
memory/4244-45-0x0000000005440000-0x00000000055AA000-memory.dmp

Filesize
1.4MB

Download
memory/4244-46-0x0000000005030000-0x0000000005052000-memory.dmp

Filesize
136KB

Download
memory/4244-39-0x0000000000490000-0x0000000000692000-memory.dmp

Filesize
2.0MB

Download
memory/4244-38-0x00000000728DE000-0x00000000728DF000-memory.dmp

Filesize
4KB

Download
memory/4244-50-0x00000000728D0000-0x0000000073080000-memory.dmp

Filesize
7.7MB

Download