lumma | 9ff5e6cb0fd29ce67a3c83b09a08cfc37e5eef51123338f085d14be6b93ff50e

Analysis

max time kernel
39s
max time network
47s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

labels 4 after effects free download.exe
Size

911.1MB
MD5

47f78001b89fe3253264d1c4a7499112
SHA1

56dac567c8cd116d2d1d81368780f5163a08ef1a
SHA256

1f6d103331177d55c1559b4b35e17e1e46adc11e7c36f0128f7d428502f98c7d
SHA512

3a302562e64b21288724ffff1a2760e10a83ab073a43a38be162b05c40df7c6a7f9d6506d91a22464b25b8650aed5a6adaa0c398a36e132ac489912737e32073
SSDEEP

786432:8qxPIiniObTMvYFmZ1ABNJiKSpkBVZJZp1DKNSRczO9I/sGTsJyXFwait6Cv9j+E:fIini0pdp1DKQF9jIW

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://tamedgeesy.sbs/api

https://relalingj.sbs/api

https://rottieud.sbs/api

https://brownieyuz.sbs/api

https://explainvees.sbs/api

https://ducksringjk.sbs/api

https://thinkyyokej.sbs/api

https://repostebhu.sbs/api

https://boatfleshedbz.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2548	Write.pif

Loads dropped DLL 1 IoCs

pid	Process
2000	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1548	tasklist.exe
2860	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MlsEnter	labels 4 after effects free download.exe
File opened for modification	C:\Windows\RobertsonReverse	labels 4 after effects free download.exe
File opened for modification	C:\Windows\CasinosCollecting	labels 4 after effects free download.exe
File opened for modification	C:\Windows\TraumaFocused	labels 4 after effects free download.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	labels 4 after effects free download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Write.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2548	Write.pif
2548	Write.pif
2548	Write.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	2860	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2548	Write.pif
2548	Write.pif
2548	Write.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2548	Write.pif
2548	Write.pif
2548	Write.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2000	1096	labels 4 after effects free download.exe	30
PID 1096 wrote to memory of 2000	1096	labels 4 after effects free download.exe	30
PID 1096 wrote to memory of 2000	1096	labels 4 after effects free download.exe	30
PID 1096 wrote to memory of 2000	1096	labels 4 after effects free download.exe	30
PID 2000 wrote to memory of 1548	2000	cmd.exe	32
PID 2000 wrote to memory of 1548	2000	cmd.exe	32
PID 2000 wrote to memory of 1548	2000	cmd.exe	32
PID 2000 wrote to memory of 1548	2000	cmd.exe	32
PID 2000 wrote to memory of 1580	2000	cmd.exe	33
PID 2000 wrote to memory of 1580	2000	cmd.exe	33
PID 2000 wrote to memory of 1580	2000	cmd.exe	33
PID 2000 wrote to memory of 1580	2000	cmd.exe	33
PID 2000 wrote to memory of 2860	2000	cmd.exe	35
PID 2000 wrote to memory of 2860	2000	cmd.exe	35
PID 2000 wrote to memory of 2860	2000	cmd.exe	35
PID 2000 wrote to memory of 2860	2000	cmd.exe	35
PID 2000 wrote to memory of 2220	2000	cmd.exe	36
PID 2000 wrote to memory of 2220	2000	cmd.exe	36
PID 2000 wrote to memory of 2220	2000	cmd.exe	36
PID 2000 wrote to memory of 2220	2000	cmd.exe	36
PID 2000 wrote to memory of 3032	2000	cmd.exe	37
PID 2000 wrote to memory of 3032	2000	cmd.exe	37
PID 2000 wrote to memory of 3032	2000	cmd.exe	37
PID 2000 wrote to memory of 3032	2000	cmd.exe	37
PID 2000 wrote to memory of 2216	2000	cmd.exe	38
PID 2000 wrote to memory of 2216	2000	cmd.exe	38
PID 2000 wrote to memory of 2216	2000	cmd.exe	38
PID 2000 wrote to memory of 2216	2000	cmd.exe	38
PID 2000 wrote to memory of 2568	2000	cmd.exe	39
PID 2000 wrote to memory of 2568	2000	cmd.exe	39
PID 2000 wrote to memory of 2568	2000	cmd.exe	39
PID 2000 wrote to memory of 2568	2000	cmd.exe	39
PID 2000 wrote to memory of 2548	2000	cmd.exe	40
PID 2000 wrote to memory of 2548	2000	cmd.exe	40
PID 2000 wrote to memory of 2548	2000	cmd.exe	40
PID 2000 wrote to memory of 2548	2000	cmd.exe	40
PID 2000 wrote to memory of 1952	2000	cmd.exe	41
PID 2000 wrote to memory of 1952	2000	cmd.exe	41
PID 2000 wrote to memory of 1952	2000	cmd.exe	41
PID 2000 wrote to memory of 1952	2000	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\labels 4 after effects free download.exe
"C:\Users\Admin\AppData\Local\Temp\labels 4 after effects free download.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Lakes Lakes.bat & Lakes.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1580
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 777406
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "SpellingHotmailMooreXl" Loading
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ten + ..\Bin + ..\Wheel + ..\Convertible + ..\Configuring + ..\Purchased b
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Users\Admin\AppData\Local\Temp\777406\Write.pif
    Write.pif b
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2548
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\777406\b

Filesize
477KB

MD5
3f5a22ffd819770bd1ad3755d898e69b

SHA1
87c8edc6f42787836e3f73c2346e01b294b9636b

SHA256
2c54fb0487b5ddf7c8ff3ef54412c250699af01ead6b60be1366444071423782

SHA512
aaee1dbd06f11b7f62f2afc4f19b2feb56159281d4103b93febe90bb0390c878c93b6d576b6869ac6395a1ba70463ec75278a0a602117b12d918902c58b5f0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bin

Filesize
99KB

MD5
89ec5aa8b140b612cd863aa524e0442f

SHA1
18e75cd3c85e36b5d75581515cc63b3463d309be

SHA256
5840944ba0ae217f013a3165f431764e635911a210da3e92d032c6a4a46abb88

SHA512
41ccf1e14a2b3fcd601650a54b9e9816ce52aced32ed3eab6b864dc98a5e140799f0030cf4134f9be07a60e00722112e81ed01c51641bceae985943c2cb35d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buried

Filesize
910KB

MD5
09edcbde5add4e34ec71cef4dbd5208a

SHA1
a3751901632096dd8750485ff5cf311f81168c8d

SHA256
8559dd6c54e1f6cb1ec017b6c204f55121957127485555aa17c375849d0fda78

SHA512
a129e4b070a7c8022a2c6de49263aebb1b56039008f2f8a128d75ca01cc5b68ac5b5b01ed2d2fd985184968ed037eb176863be21f97f3b39409ba6d0caff0216

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2915.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Configuring

Filesize
79KB

MD5
9a3d7c7b7a0bee57b145f15bc6b9b8c4

SHA1
9a16a0fac3c9676ea9b70cc2eb4740cd338e00b4

SHA256
26354b202fd4ec49d69d86e363f95feb57d57e3d3b92eb14af6ff5190d9bc732

SHA512
798c692668a4c5345ac534aa3b3cc342617d562315f2aff0da45e914c53d39b23cfd9526a36b95277a21771eb355a3af9864a19fde4fa1722b356aea1d1ab453

Download Submit
C:\Users\Admin\AppData\Local\Temp\Convertible

Filesize
91KB

MD5
cace58d1301c180be9e8eab7f4d81768

SHA1
73312b720d7c73ed6239e43dac7669b7701f542c

SHA256
c12d2c0bb1612886b03d8b257901fef21a3bfe6c96f3468d174f878b5c7a526f

SHA512
11ea9552fad5da8a9d80e313cd4adff98be64543a7f0654efa77686662713caccc6b9338f40cefe413122f6929e067a780002e305d08d58ca81ba50620503aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lakes

Filesize
18KB

MD5
0c9be35e8ffbf02fa9a12a9c2ed593d2

SHA1
ddc761951e6581e33ca107f493e47a8f3bc2ed91

SHA256
54ecfee15e5e3269aecbe6477c16446c1a5ffb277111190eb65264784da78895

SHA512
00937e006b65cc545e091223bb560f71ad5a47a696ae190e594f5711d6cc25ec866035641261b9ff6cdf1e2db1a2f36a20049efd60b04db078c3f0327b6fe62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loading

Filesize
11KB

MD5
9c41de3626d9e487dc368de6d99f37ef

SHA1
cc15ba4058cf24d0777f6f3b3b4cc79ce6614d54

SHA256
18cc71e18d220b8ee5de5caae301fcac98fa92ce01073742357b5baad6b4bbd5

SHA512
30d987359412c828e1985afd8a2ea6a86c9382f390c641c405ed7ac1be6b3ef6177d8ba492b2b38c8f253bcb76097c22cb1c71966683f795efdeac6d87816f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purchased

Filesize
62KB

MD5
b7a95dfc5dc8e0d10f05902c58fe74b0

SHA1
0e7562287fdfee62e8cffb0f523f96ece0f3937a

SHA256
0766a52c628d6cb77b76869c38c7b20f2eafef74e49bfb002c3af39e07b0e63e

SHA512
cf7bbfd98654a7c9a52c4fee60ab430afbd0af7e120aacd56dd9f192164eadeed924b87dee1072a052165f79a517dc30de8d5b79ad2ca76183fdba827d09d45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2937.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ten

Filesize
66KB

MD5
2cb9c2d3e9b94ec1db38541fc559d38b

SHA1
b6e5306eb9b88870f6a842bbf8d7c794b2345fa7

SHA256
3e901b18770ab3277c942a7b9f21fb00ce7ff24a6f5d5bfbaafa04ad428bb716

SHA512
99687ab7aa4a848bc21880f6aaea9b1b46622fc07f937efc39e2c07d4ab810d8971a613d2d3c629da31787e3db3755dfa8b7424e470188c9f99ae1377b137b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wheel

Filesize
80KB

MD5
280f1c4805c7dd26cb7f220a9744e8b3

SHA1
d1b50a7b7fd18b9c6beb60b9defeb5d56bb13e5e

SHA256
4e16d952eb2ee72ec642d1727b4489e3af8f99fc9d135c7e88a870a773135fb5

SHA512
699d1143b758c8b23fd055193fae66ac0f915bd4c9a9a79ddb18ff129cf18b58d72aff3cf8d26fb18ea7e878abaf4668a8c2aece6b964737eb027fcadd281c5b

Download Submit
\Users\Admin\AppData\Local\Temp\777406\Write.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2548-452-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download
memory/2548-453-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download
memory/2548-455-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download
memory/2548-454-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download
memory/2548-451-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download
memory/2548-450-0x0000000003370000-0x00000000033C6000-memory.dmp

Filesize
344KB

Download