lumma | 826e787cd4449d9814fa273d34c701390baa7deff4d472c9e6487170e8567d1e

Analysis

max time kernel
150s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lummastealer.7z
Size

20.9MB
MD5

df9957243afdd11725b5f7e454b179aa
SHA1

bd856ebe241d3f0514b16d0a7fa1c9ab0cd47f53
SHA256

826e787cd4449d9814fa273d34c701390baa7deff4d472c9e6487170e8567d1e
SHA512

1e755334095fc60a1f3f5185a102e55cef32e8a096097e5ed0a991d97137f159d782ac2b8e541351a8e79686f2dc23a7ba6de8b1389174059f6f4f1a86000885
SSDEEP

393216:2Yvlm/SBCPubqLpP/iFAC+DyGNu9jIjGjlFb43369OBR2u8es7mdNYq4MXqfamrs:k6B2uuLpiVJkSjbH4euZs7mbqwf

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

lumma

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
4320	Setup.exe
4824	Caller.exe

Loads dropped DLL 4 IoCs

pid	Process
4320	Setup.exe
4320	Setup.exe
4320	Setup.exe
4320	Setup.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
46	2596	msiexec.exe
48	2596	msiexec.exe
51	2596	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 1116	4320	Setup.exe	108

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4332	2596	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4320	Setup.exe
4320	Setup.exe
4320	Setup.exe
4320	Setup.exe
1116	more.com
1116	more.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2548	7zFM.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4320	Setup.exe
1116	more.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	2548	7zFM.exe
Token: 35	2548	7zFM.exe
Token: SeSecurityPrivilege	2548	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2548	7zFM.exe
2548	7zFM.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 4824	4320	Setup.exe	107
PID 4320 wrote to memory of 4824	4320	Setup.exe	107
PID 4320 wrote to memory of 4824	4320	Setup.exe	107
PID 4320 wrote to memory of 1116	4320	Setup.exe	108
PID 4320 wrote to memory of 1116	4320	Setup.exe	108
PID 4320 wrote to memory of 1116	4320	Setup.exe	108
PID 4320 wrote to memory of 1116	4320	Setup.exe	108
PID 1116 wrote to memory of 2596	1116	more.com	110
PID 1116 wrote to memory of 2596	1116	more.com	110
PID 1116 wrote to memory of 2596	1116	more.com	110
PID 1116 wrote to memory of 2596	1116	more.com	110
PID 1116 wrote to memory of 2596	1116	more.com	110

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lummastealer.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Users\Admin\Desktop\lummastealer\Setup.exe
"C:\Users\Admin\Desktop\lummastealer\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Roaming\runonce\EVDTAAOQMOANPE\Caller.exe
  C:\Users\Admin\AppData\Roaming\runonce\EVDTAAOQMOANPE\Caller.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4824
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:2596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1396
      4⤵
      Program crash
      PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2596 -ip 2596
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec664568

Filesize
5.2MB

MD5
983b2976a4322690c7c5c0308e6364b7

SHA1
4fa460d5217c09d1f15b474ed4988b3f5e5f3b7d

SHA256
d6da8d4400c1599a9bfa3b4de7ab36b416773f74309e2fa1d643d79cfa52f572

SHA512
a07b7be04af3a72ebc921f9a7264f693b836adf2b6c4299cbd331b2af7d0900be5d94d6cf148c8f2c06c240d59ea1c21d7d9bb45e77c485a2174d9968bc7c37c

Download Submit
C:\Users\Admin\AppData\Roaming\runonce\EVDTAAOQMOANPE\Caller.exe

Filesize
4.2MB

MD5
2018644aac84a2de8a767ec1da19993e

SHA1
4ec18507a02d88f49a089851e773c082327ffa42

SHA256
d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828

SHA512
4b171ce616756ace308b61d3d2cc43ced952ce4dc04360ab18499cc959cbf08dc5331610f7bb59c34fcdcb72694b455dc556757cba4cb1ed17b78503bcc26c48

Download Submit
C:\Users\Admin\Desktop\lummastealer\ElbyCDIO.dll

Filesize
10.0MB

MD5
480632d4f827ff83a62b2d11def0a8b0

SHA1
2be22b2f102eaa760c5ce055c7aad84ab749ce6d

SHA256
4bd463ee8d69f9ac3defa5be9cd0ea2a4530dc6148da159940c10999748d9a55

SHA512
8d06ee88c08f30618c2a646e47de758a58159e9a64d36458c56097aad25088f732fd0a83cb0517515eb5b892053e71627c33f227cce9f8b8ae9b762d557f9776

Download Submit
C:\Users\Admin\Desktop\lummastealer\ElbyVCD.dll

Filesize
130KB

MD5
f189cc7f7c13a42480d9b58504156c28

SHA1
2526566ce83ad4d7678ac75167c16913b9248530

SHA256
11a37192b44942fa6b1238f3b7b27fddc35bdf638747425b474109d08c947fd0

SHA512
da7fe55a30117196404545dd86a640ad42dc1a0e78d912a8629fe50caa947b0ec08935d82d9e3f8089c76bff89f20acdb148a212bb299a584205a752ae2ce63a

Download Submit
C:\Users\Admin\Desktop\lummastealer\Setup.exe

Filesize
86KB

MD5
3bd79a1f6d2ea0fddea3f8914b2a6a0c

SHA1
3ea3f44f81b3501e652b448a7dc33a8ee739772e

SHA256
332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51

SHA512
7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67

Download Submit
C:\Users\Admin\Desktop\lummastealer\dxukuss

Filesize
2.4MB

MD5
5c73f8ec5f4f05e458a05bb23c8e8321

SHA1
e05c2a197d915ecb0ddf10c2beebd607cc9b1b86

SHA256
9cef91c5c100b6b616330df4763bc428fe3dd535e0efbd8c3311500fcac7d04f

SHA512
8bf825f773307daeccff21d555f5e09a8a4406c52b95b1886151ed172dcfa8af374667819e570ab658e7706b75a4e8c803cf5ab2271a839f57d895e681e8c1aa

Download Submit
C:\Users\Admin\Desktop\lummastealer\mold

Filesize
51KB

MD5
14e7d17cc0ae65fe4064e8bc82b79899

SHA1
b97356f114b70ae7e271903883e3bf32240c2097

SHA256
de027d07419afdded302c691560f44f897fdae4ddb8bb27d75871d25b842ba15

SHA512
5ac60f6db33e9915aab4bd5da3d18adc8dd7034e0b6ff5ff696305ff688f4d9fcc39c7c5236355ba082c1916f1989ab82b51dfd02c9742890608c25f33c9ed8b

Download Submit
memory/1116-209-0x0000000075590000-0x0000000075B43000-memory.dmp

Filesize
5.7MB

Download
memory/1116-208-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/2596-215-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/2596-214-0x00000000002D0000-0x0000000000324000-memory.dmp

Filesize
336KB

Download
memory/2596-213-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/4320-190-0x0000000002290000-0x0000000003208000-memory.dmp

Filesize
15.5MB

Download
memory/4320-204-0x0000000075590000-0x0000000075B43000-memory.dmp

Filesize
5.7MB

Download
memory/4320-200-0x0000000075590000-0x0000000075B43000-memory.dmp

Filesize
5.7MB

Download
memory/4320-194-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/4320-193-0x0000000075590000-0x0000000075B43000-memory.dmp

Filesize
5.7MB

Download
memory/4320-188-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download