lumma | 9994b9e197b422529221de7238dc0e44ae21e66d78c48355f31837c3696ec90e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe
Size

297KB
MD5

cf19765d8a9a2c2fd11a7a8c4ba3deda
SHA1

63b5142b07b7773d4201932e7834ac11eafa1ab3
SHA256

60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c
SHA512

b97fc305bd0d22e26abf99e302b166cd5d2bb959eddecad0f45dc978761178f5f6d47788c4ad5098313e587198abc66a3477ed42203345c20dc07db4783bb762
SSDEEP

6144:thP45uoAaSWyz8jVnA183ipgz7YGGmEOM8xm53Jhuy3/uL:t25uDiyzmR7kYVxm5i+2L

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://mafnufacut.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82
PID 2244 wrote to memory of 3424	2244	60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe	82

C:\Users\Admin\AppData\Local\Temp\60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe
"C:\Users\Admin\AppData\Local\Temp\60b98a0907f9721cf28ccd684b565f7f77a90565e9a2bd47f75c419472c25a1c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
435KB

MD5
330f34f58ccf18d73fd3762d200a21f9

SHA1
3c5b99bcbd2d8e1a02040a8b25aebdbd274f422c

SHA256
9110eaaf2945deb7a1af94855f90ff10a342ae5ef8d70758d5924fa2371d92fd

SHA512
6df28801cdf4a6f59481e3ac93d50637308be7206958b2cb395cc74fa851bcd2e25fe5f9e926db2b537f0eef9cc32eb2a96c3e821a0c51ee57e1b8ee4aaa90cb

Download Submit
memory/2244-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000E10000-0x0000000000E60000-memory.dmp

Filesize
320KB

Download
memory/2244-2-0x0000000007C10000-0x0000000007C16000-memory.dmp

Filesize
24KB

Download
memory/2244-9-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/2244-20-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/2244-19-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/2244-21-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/3424-18-0x0000000003410000-0x0000000003471000-memory.dmp

Filesize
388KB

Download
memory/3424-15-0x0000000003410000-0x0000000003471000-memory.dmp

Filesize
388KB

Download
memory/3424-10-0x0000000003410000-0x0000000003471000-memory.dmp

Filesize
388KB

Download