lumma | d07c95e8960c8d0a4de79e97afbbb836d73b8869dda97917bce1d0fa4ef88195

Analysis

max time kernel
94s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

719d53c1064f54fd79ea4a7844f079d2.exe
Size

1.2MB
MD5

719d53c1064f54fd79ea4a7844f079d2
SHA1

08d3ecaa049dea3ea4eccbf10072180bc36b6fca
SHA256

22fbefa1416f9ccc38791ac6198123e206f4e5b40590fe928f2a4148542c500c
SHA512

23952acbb7a743fcd9ec37f62a18c6bc028f2e50f9168339ee6c4f8ab08ec7835f90b00ee259fc32c76288687defe52e6019187544e263570f6d18d8c9f4ce25
SSDEEP

24576:wyIX57KMY8hlY4Zfoq9dXrqDFxvB1ynLY8bOVHyiBozZTnQ:T47Kv8RrqDFxTyLVOlFBL

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://reinforcenh.shop/api

https://stogeneratmns.shop/api

https://fragnantbui.shop/api

https://drawzhotdog.shop/api

https://vozmeatillu.shop/api

https://offensivedzvju.shop/api

https://ghostreedmnu.shop/api

https://gutterydhowi.shop/api

https://thighfeingjywk.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

719d53c1064f54fd79ea4a7844f079d2.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	719d53c1064f54fd79ea4a7844f079d2.exe

Executes dropped EXE 1 IoCs

Processes:

Casey.pif

pid	Process
5068	Casey.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
1740	tasklist.exe
4272	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Casey.pif

description	pid	Process	procid_target
PID 5068 set thread context of 3064	5068	Casey.pif	105

Drops file in Windows directory 3 IoCs

Processes:

719d53c1064f54fd79ea4a7844f079d2.exe

description	ioc	Process
File opened for modification	C:\Windows\ChileAvenue	719d53c1064f54fd79ea4a7844f079d2.exe
File opened for modification	C:\Windows\ConservationWake	719d53c1064f54fd79ea4a7844f079d2.exe
File opened for modification	C:\Windows\RegardingRoot	719d53c1064f54fd79ea4a7844f079d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4572	3064	WerFault.exe	105
4544	3064	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exetasklist.exefindstr.exechoice.exenslookup.execmd.exeCasey.pif719d53c1064f54fd79ea4a7844f079d2.exefindstr.exetasklist.exefindstr.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casey.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	719d53c1064f54fd79ea4a7844f079d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Casey.pif

pid	Process
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description	pid	Process
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeDebugPrivilege	4272	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Casey.pif

pid	Process
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Casey.pif

pid	Process
5068	Casey.pif
5068	Casey.pif
5068	Casey.pif

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

719d53c1064f54fd79ea4a7844f079d2.execmd.exeCasey.pif

description	pid	Process	procid_target
PID 2432 wrote to memory of 3692	2432	719d53c1064f54fd79ea4a7844f079d2.exe	83
PID 2432 wrote to memory of 3692	2432	719d53c1064f54fd79ea4a7844f079d2.exe	83
PID 2432 wrote to memory of 3692	2432	719d53c1064f54fd79ea4a7844f079d2.exe	83
PID 3692 wrote to memory of 1740	3692	cmd.exe	85
PID 3692 wrote to memory of 1740	3692	cmd.exe	85
PID 3692 wrote to memory of 1740	3692	cmd.exe	85
PID 3692 wrote to memory of 868	3692	cmd.exe	86
PID 3692 wrote to memory of 868	3692	cmd.exe	86
PID 3692 wrote to memory of 868	3692	cmd.exe	86
PID 3692 wrote to memory of 4272	3692	cmd.exe	88
PID 3692 wrote to memory of 4272	3692	cmd.exe	88
PID 3692 wrote to memory of 4272	3692	cmd.exe	88
PID 3692 wrote to memory of 1536	3692	cmd.exe	89
PID 3692 wrote to memory of 1536	3692	cmd.exe	89
PID 3692 wrote to memory of 1536	3692	cmd.exe	89
PID 3692 wrote to memory of 3328	3692	cmd.exe	90
PID 3692 wrote to memory of 3328	3692	cmd.exe	90
PID 3692 wrote to memory of 3328	3692	cmd.exe	90
PID 3692 wrote to memory of 1880	3692	cmd.exe	91
PID 3692 wrote to memory of 1880	3692	cmd.exe	91
PID 3692 wrote to memory of 1880	3692	cmd.exe	91
PID 3692 wrote to memory of 3488	3692	cmd.exe	92
PID 3692 wrote to memory of 3488	3692	cmd.exe	92
PID 3692 wrote to memory of 3488	3692	cmd.exe	92
PID 3692 wrote to memory of 5068	3692	cmd.exe	93
PID 3692 wrote to memory of 5068	3692	cmd.exe	93
PID 3692 wrote to memory of 5068	3692	cmd.exe	93
PID 3692 wrote to memory of 3412	3692	cmd.exe	94
PID 3692 wrote to memory of 3412	3692	cmd.exe	94
PID 3692 wrote to memory of 3412	3692	cmd.exe	94
PID 5068 wrote to memory of 3064	5068	Casey.pif	105
PID 5068 wrote to memory of 3064	5068	Casey.pif	105
PID 5068 wrote to memory of 3064	5068	Casey.pif	105
PID 5068 wrote to memory of 3064	5068	Casey.pif	105
PID 5068 wrote to memory of 3064	5068	Casey.pif	105

C:\Users\Admin\AppData\Local\Temp\719d53c1064f54fd79ea4a7844f079d2.exe
"C:\Users\Admin\AppData\Local\Temp\719d53c1064f54fd79ea4a7844f079d2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Funk Funk.bat & Funk.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 664582
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3328
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "EmmaBookingsInvalidAbraham" Subsequently
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Characteristic + ..\Share + ..\Hottest + ..\Overview + ..\Giving + ..\Readers + ..\Summaries h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\664582\Casey.pif
    Casey.pif h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\nslookup.exe
      C:\Windows\SysWOW64\nslookup.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1172
        5⤵
        Program crash
        
        PID:4572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1204
        5⤵
        Program crash
        
        PID:4544
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3064 -ip 3064
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3064 -ip 3064
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\664582\Casey.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\664582\h

Filesize
503KB

MD5
47ea3aed7aa788ad64c14fada57f8652

SHA1
6d804eef8291ca6dd3d59858dc70e5c96944ea9f

SHA256
62ff4eff62fd0ceb9d862dd4b5e6e8e6d0e534880a1a38256b97d576f013232c

SHA512
ba6feec3540fcff33c2018c89603e0f6eb5a7b44cfc40fb2b592b1c2411a9d37eaea83311153c26780bc6440252552ec32f8ef51272a54b72c8bd38fdffa7ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Characteristic

Filesize
65KB

MD5
49eaf44f974adfe5aea8456f1c136c51

SHA1
0c02654e6fcbf79acc10e86a38ec59d19e46ef28

SHA256
938ece01dd94417d009c4ed180d5ed60403c2122ae0b1caec73e78298406b39d

SHA512
0905b787163ab60c30ed56c4842a705c0dd01eed6444d7349a72557980b772290619b917f4c5501b88e6a0700b87e717c4d9f681aec2e2507a26ab5b81316e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Funk

Filesize
6KB

MD5
dac8d665b46e5dc62839b85dba669e7e

SHA1
b6301450e4d51456ff28ac561dd7e5e6eacb03cc

SHA256
1451051ab61276be7ba040b16dbd8bc7083fe6b8e5385a6d0241eb9c8350fe95

SHA512
951bf3bcc159ec978b1db1e6c46570c435f292d425e6ebd96a54fa074fc7b0599474cd2793d3e27eb021fae656ad4a1ed18acf734a2bd0feeab34d2e2f158fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Giving

Filesize
54KB

MD5
65d7f1a438570f56f37ebd2f056de757

SHA1
212459247c4cdbdc044e80862541627ae45f3366

SHA256
7ae96c78b5a2b3c65998a0dbf438e06caaf7cf0f2c2c33cbfed96075455ad6b7

SHA512
cda77fe550217bc74914241cbe1020f79f89b189b089453d60d30b1ed5bf8007dd572a4550c4a54a5b52d65f8160d1c5e8ec7a2eeb3933437c1e1d302f7ae0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hottest

Filesize
86KB

MD5
58c51df04edb4ca17e2d0fd4b8ea08fb

SHA1
39b11025d87d8f4fce17d193b781258a3fdb57ff

SHA256
5a047a5a2e1d178d7e99ad8182718ea4fcc259559b3a434375f6f7f36f1ee968

SHA512
4cb1f4fb09cf3f8cb0c2e04a68e3d8ea7651179862df610489daca8123287746890f70a3f0f364e5527b5615bc6f204c007fe959972535e03d5520b6f8a85013

Download Submit
C:\Users\Admin\AppData\Local\Temp\Overview

Filesize
84KB

MD5
993e18c4ca9619f2f7b67165686bfa5d

SHA1
f2b86af657632852ed032190a2a7560102f8bcd0

SHA256
d5a37b61d716ecf0fb520562a8d55c858a61700e198b18047c097c3e084c8b92

SHA512
9cdb524435f506c614f03347a4d6f4792bed1813773211a7817ddeb01b9a24f35bcbdf46fd550d89fc5753f096d29e1a006f4723aee66dc810dab3767c99f538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Readers

Filesize
53KB

MD5
6c35b985f30a9304f5327636b2d2559d

SHA1
15977d7eaaf2937531f4469233904f3a79db0ead

SHA256
82057754d6ab7d00a8e93989668e1de27fd69b0688ef4b67270cb17706006c8c

SHA512
a4ff268df928f7625e4490d87a5cca56e834774ac4c05b9a40f03c9d6cdb3d65ed8e86ff004f2f278c3a26f31c714d662f03661af0640fdc4aa5490b5bae460b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Share

Filesize
98KB

MD5
9cfba64ef91f9f054bc4b58c55bd2c02

SHA1
3ba4d4419a46f2b55bf7a2963b72f69ded0abc0b

SHA256
3341c48760e6834e24a032ae621d52799870bc6415db26460fcef4b61dbba0d6

SHA512
511360620ea734f66a80dba4e6ff326150e8ac6d1f3ea1b71aa9c4041d0a724d43186b2e23d3dbc1a481791d715919105d512b7bc978c270f996c3219e5f5d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Subsequently

Filesize
5KB

MD5
21e7fc064f59cc4109d826bc6bb3b9e2

SHA1
3d272388c835def8f5e2605b4359a683fd04a869

SHA256
373d4014ecf188ce8e5cd0ef6324e0fbaa54b0baddb4fa2d058cbe4aedb8802a

SHA512
e8e13dcd2bd63b5b5f73fc0ec02e3e1c259ce76553fa4c2e6a1454eb6b1e2ce5e2c0311045baec9e4740b1dcd70b84578869102aa9f148ef69c2f866b67cd712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Summaries

Filesize
63KB

MD5
7a692bbfb212d49a63617ec5cc1a4c09

SHA1
58a15ea5b93f7dce238c497207c0c406bd098d95

SHA256
8d19dca65f8c62f91bceb758eb650c1cd481c7d33094e79017cd892433969997

SHA512
5bfcd128329c4fa409a36e1ddcc0fa52578c82d58ff250b42230748ff4b6916529e761741824f4e36e493ec60607415e7c91a4bb5f3cc0b7681bb2a56fd827bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zen

Filesize
867KB

MD5
4cacb31c059dea21eebaaae6b2778b1f

SHA1
e2774480f0725e4290ab7fb8dbe25537c8ca83ab

SHA256
45de5604ec7eff4771fb23fc48f4049148fc53a91ef89c915c9b0dbcca24d6d4

SHA512
c0b0c62c721332d9352e1645d5cbaf56a60fd1f23bacfcf1dfeb0d476b774af62093c43d16a7a2be0252dfa1802417b36756841eb3fefa562df7d776fec3d381

Download Submit
memory/3064-27-0x0000000000D20000-0x0000000000D85000-memory.dmp

Filesize
404KB

Download
memory/3064-28-0x0000000000D20000-0x0000000000D85000-memory.dmp

Filesize
404KB

Download
memory/3064-29-0x0000000000D20000-0x0000000000D85000-memory.dmp

Filesize
404KB

Download