lumma | 42a855031626418e5a05586354a73745e5b5b3c9126203d62ffd5a6770ba7b5a

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Download Activation Code 3ds Max 7 Crack/download activation code 3ds max 7 crack.exe
Size

835.4MB
MD5

d63291a43f1ae42b58b28247ed671e21
SHA1

e86dd9dc1191c1580ca918c9297c5fc4e9bf4d1c
SHA256

0919f88ae8b34f5ac9202696295b3ac37488c6f2fe7ef12e6e8f3e7e37f718bb
SHA512

de2c04915c742c80f3201a4fbf2ce2cb6b9fa132f274e7f96380fa0c173d4c33aadcf1abf9b16e8f05b537afb5956ab8aef8328a213d5fdec92307ed3b43859f
SSDEEP

196608:/HFiY8Pex90Nw9iYdBVItKMyyxuqYj7AQDymxPW1BvBK9BrZnk6JVUFsIyKJOkxz:/HFiYKeStEWvMJkGiOGT2pjJ08M9

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	download activation code 3ds max 7 crack.exe

Executes dropped EXE 1 IoCs

pid	Process
512	Palestine.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4864	tasklist.exe
4316	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DimensionFull	download activation code 3ds max 7 crack.exe
File opened for modification	C:\Windows\PercentageTrademark	download activation code 3ds max 7 crack.exe
File opened for modification	C:\Windows\ImposedDriven	download activation code 3ds max 7 crack.exe
File opened for modification	C:\Windows\ConstMarkets	download activation code 3ds max 7 crack.exe
File opened for modification	C:\Windows\EbonyFares	download activation code 3ds max 7 crack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palestine.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download activation code 3ds max 7 crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
512	Palestine.com
512	Palestine.com
512	Palestine.com
512	Palestine.com
512	Palestine.com
512	Palestine.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	tasklist.exe
Token: SeDebugPrivilege	4316	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
512	Palestine.com
512	Palestine.com
512	Palestine.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
512	Palestine.com
512	Palestine.com
512	Palestine.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1968	3244	download activation code 3ds max 7 crack.exe	85
PID 3244 wrote to memory of 1968	3244	download activation code 3ds max 7 crack.exe	85
PID 3244 wrote to memory of 1968	3244	download activation code 3ds max 7 crack.exe	85
PID 1968 wrote to memory of 4864	1968	cmd.exe	88
PID 1968 wrote to memory of 4864	1968	cmd.exe	88
PID 1968 wrote to memory of 4864	1968	cmd.exe	88
PID 1968 wrote to memory of 4700	1968	cmd.exe	89
PID 1968 wrote to memory of 4700	1968	cmd.exe	89
PID 1968 wrote to memory of 4700	1968	cmd.exe	89
PID 1968 wrote to memory of 4316	1968	cmd.exe	90
PID 1968 wrote to memory of 4316	1968	cmd.exe	90
PID 1968 wrote to memory of 4316	1968	cmd.exe	90
PID 1968 wrote to memory of 2608	1968	cmd.exe	91
PID 1968 wrote to memory of 2608	1968	cmd.exe	91
PID 1968 wrote to memory of 2608	1968	cmd.exe	91
PID 1968 wrote to memory of 1928	1968	cmd.exe	92
PID 1968 wrote to memory of 1928	1968	cmd.exe	92
PID 1968 wrote to memory of 1928	1968	cmd.exe	92
PID 1968 wrote to memory of 3988	1968	cmd.exe	93
PID 1968 wrote to memory of 3988	1968	cmd.exe	93
PID 1968 wrote to memory of 3988	1968	cmd.exe	93
PID 1968 wrote to memory of 4836	1968	cmd.exe	94
PID 1968 wrote to memory of 4836	1968	cmd.exe	94
PID 1968 wrote to memory of 4836	1968	cmd.exe	94
PID 1968 wrote to memory of 512	1968	cmd.exe	95
PID 1968 wrote to memory of 512	1968	cmd.exe	95
PID 1968 wrote to memory of 512	1968	cmd.exe	95
PID 1968 wrote to memory of 1828	1968	cmd.exe	96
PID 1968 wrote to memory of 1828	1968	cmd.exe	96
PID 1968 wrote to memory of 1828	1968	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Download Activation Code 3ds Max 7 Crack\download activation code 3ds max 7 crack.exe
"C:\Users\Admin\AppData\Local\Temp\Download Activation Code 3ds Max 7 Crack\download activation code 3ds max 7 crack.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Kill Kill.cmd & Kill.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 650429
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "GERMANY" False
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Murray + ..\Indication + ..\Institution + ..\Metres + ..\Display + ..\Cr + ..\Programming D
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\650429\Palestine.com
    Palestine.com D
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:512
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\650429\D

Filesize
463KB

MD5
9b83bf7cadd60d542183f587ae07e092

SHA1
8907a315d781de77093057ce4a43a190d00b5284

SHA256
f0f666d158614cc2c05ec0f6c428ff2a4c483f05b2a03f7f0a9a6ac600b9b22d

SHA512
9f6ab45bda0ca346366ea6b6bd125f836d30808d4be4d61c37954ed84454aed2dfde5f5f9fe5b8ac6c91e26ab254373ec71e77238de09adf3a3afac7c6fb7c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\650429\Palestine.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Canal

Filesize
117KB

MD5
13d24aa4e93ef82da1567d83b817c03e

SHA1
24b214ef35060ccea94ae5193b8360e7611bf3dd

SHA256
9824cabfce1c95130bea6b69f6e03999e97cf2c45e6922c2e3a3104fcc373205

SHA512
fab74277a3ff0de9e87d54b994bd47ef7dfbbc62c17cc7464e4d1df419d16e68cc754bca7934add146b89e0b8c2a341f66740e5bd833d448f1fde8f7d4818bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compatible

Filesize
103KB

MD5
ca217340293a4943c905ba624e7a6c72

SHA1
d8334ac7f442203c9ca73baeac9f7a7435bb173e

SHA256
5190f6feda768ea309abfb4b2bd8f46a9a4cc82274e429849828514c70d9d813

SHA512
951583b82531b90188aad52aa0c7a305ad3be7697a3ee1b1f6932feba39fd9a4d56eb8c49192a46463d752bbe17acae926d1913820cb14a8c0bd2eee7a59ae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cr

Filesize
84KB

MD5
257ebb27cc75d77a9deb487f9496059d

SHA1
374a7abe4c482535f63f7fc51d96add1d6c6e5cd

SHA256
acac2c119ea0ff3b18bbd1b0f51ec69addb4fa1f211f3ca1802ebb431054d4b1

SHA512
efb47585757e246b2f4f45c0014b0e054ae7509cf0bde92786b79708ac85581d1364a1074eccdcbfbd9f68eecdc4b8d81396bc3782bc1e020bf1fe5676ff9440

Download Submit
C:\Users\Admin\AppData\Local\Temp\Display

Filesize
78KB

MD5
1b651c62e9976918e54ff11622792b9c

SHA1
ff757994e070f9eccd138d02273834aab9637684

SHA256
5daad9bfbdfb2d5aa081fcd8f7764ebad17fdd4e9f690fcc2a5f12a07ccda58b

SHA512
e18a73b16bf232fa2589ceeacab11afbaf2bff90665a31e700687f5c227312bb0aeb8068f336f6c969467deb2d6c60e812e4bcc2666cab250bb781233fef7851

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dresses

Filesize
52KB

MD5
f71a6b8de5e35d265df820d0fb5344dd

SHA1
209bcdcfd5023c7263a8d4aa879d56de1ed6791c

SHA256
c1a62efa509b011e4473e9533e0f99ded16601fa7c222afd8104bbc7759a1c6b

SHA512
2b10cd9c08f02a25508aab9a8bf8556062df2473569062ddfd4ac573806bc781b0f086bd83829b477db277df2ac2b177bb3538c1bdfb89a5f0bd930f0d1d1d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\False

Filesize
2KB

MD5
dc6dca71dc33501438d2c65c5f1c53a6

SHA1
7a8158725676b303fd95694a1df5e1c691cfb8dd

SHA256
90b33984857f95c59e3047c7b94ceb5f2f9898be446bb12941ef9c646532f349

SHA512
de13200d1e804e2e6658a7947549f1a62a966273e99682306735313b9fa6d4fbcc66eb785e581952fea5fb38aa04706c921686ef214f7fe3b56471661778cf92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Indication

Filesize
79KB

MD5
f997aaad93bac3365407710c482548d0

SHA1
4fecd0de9de798a1698b86270240e8c697228386

SHA256
c6a7eb882c69ac388bbf30f2f1050f1bc8c1f5d677c410254ecb43b96bbe0878

SHA512
38742124af5d43e665a852f61fe5a462469cc7492487b8f88445664b13ccfca0550470dfa23eca233546179f7d30d2c2c533b07da1d69f75cfd7e399c58cb1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Institution

Filesize
64KB

MD5
030e6b7bdc54511621ddc51fe1d3070b

SHA1
acbcb368a81c3fd446d64bee1b7d8bd4c3724bcf

SHA256
b7ca4db3ef2aea9bc3588331ba7ddeb0da874f67175d039c71b1c37df12cbaa2

SHA512
817a5c0b45b42438f1626a1d841f144cb58aad2272f914660fcd1fb379931ce4e9a6791e359a08e4d1807e289147639644d2d1704b799e8b3a445ee4cfbc73a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ireland

Filesize
111KB

MD5
4995f791e86be37567c50323b0b3d98b

SHA1
dc17ad984ecb982cddaa79592fff79363a46b45f

SHA256
71d01d67e707498f1090a296c554f63901fb4f0c9a5846335de67f47b091d7e3

SHA512
ea99b97cfa615b57f1f6cad67636a887d04b720e5ef3a21e28434676457845e6907478321cf6b06ce6637a9a0ffe7c104bb629c70638ac9f488861c3110bbdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kill

Filesize
26KB

MD5
e93b09d6c9f09d9e3d7ea2b3e08c1688

SHA1
4bb379c69728d45bc2cb8c762a7134186efd0f37

SHA256
8742a9865a67762d52402c5489930ce2c5c31580ba2daf76c23fc9007738f549

SHA512
2636b6a95ba082b1c55bd9e35b29963eb1d4ff2d1530f76a333fe6ef09301cbdfbabadb5cb4d25db034357c53ca8c3e85bda9eec28bedff99309c9fa8628a257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Metres

Filesize
82KB

MD5
70bbc8130ee71a5ff4d48d5a932bf6fc

SHA1
2b2d259558f4fb767ecebcfcd525c850a46519af

SHA256
3ed2cecd3b363caf278cfccac739203baff8ed6741fef81ab4d6515654c8221d

SHA512
c91d63e83f3e7c859a799c8ebeb419e573e37c4371535a3952dd32c7d5765165127ea2c6f069baa9e28a44d9d6e41baad37a12513aaa45366dbcf48c9ef46731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Murray

Filesize
74KB

MD5
781c193f00d297cd53a1eb59c9cdf70e

SHA1
b64bee781f783c1e89fdc9039ef26fb855ee0066

SHA256
03a54fa62214648fdc63126c05934292da4e701c3f2e35464b072cd8c2387f66

SHA512
e93e53653af189115c8fd8e76cd3c72fd167468dce585fca58369458038be9ac38a2f96e56cbceb7bf5a26d89a59aaf7694de77a0b4d27e6ee3e83228b625d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Physician

Filesize
145KB

MD5
705c2448a0b9d068e72379dd16ccdd73

SHA1
70eb0f1c607851405d21e7cfaa79d06d5700e425

SHA256
5ca53955c5c6a30cc8f9524a4f7039d474ee07c337d20849cf0705d476430f44

SHA512
7d2d322fb64d7a7365869a02d0ce3347c31a033ff523022eec2bd853134103bbe5d6cd946cd7b8bc1ab90c7b4e7c93c9aab47bf2c46d3f1ea8dfbc524e2329ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Programming

Filesize
2KB

MD5
13948d21219b28f303f621dbaec48120

SHA1
0ed13940ba622ff24ac205303d5d5f80f28205ad

SHA256
f869a6ac60da57200d8948d54146a5d51c095baec3bfe91252643aeaed059520

SHA512
d05956feaec0185f93b5fcc12f35b7068c80562a46ab88421365cfc56786a157104002ec18ef8d0d507092ef35a3bb906de19868a689ccef836941c1fd8d103a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ran

Filesize
102KB

MD5
ab180a93c7b9a2250bae36e890768d8c

SHA1
545b35567fdde09ced64794ef02dc71cf54aed0f

SHA256
2165ea159f34a517996f3428bbc713f71de715487059b176ad660c9db5f19ab4

SHA512
405f9330ec33af461a956c3f0faad349c0dbb64eb9233894f9442b3518a6525507034866d7e0d094c4a12998508ca3faacf8494afee38234c88fbcf55a2e2c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reprints

Filesize
61KB

MD5
b9e28f7d26cc55a2697ab3672cf8b427

SHA1
6d8bf6f962030bf2383ae7c95f339242ab628fc8

SHA256
b1ffc6a25321fb50b1b38a4137ab5ee00a480b74b64a72427d64ac3cc4a455c7

SHA512
d20035a4744011379dfec4da3c20fdd9ab40053ffa1d0d8f9357626e9892b940e11cb3cb38d282b7730c992a937fd55d8d6c06c7853799e4c9cf7046dba26cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sms

Filesize
99KB

MD5
34c1bb59f1e59f491e1f9913c906d5ed

SHA1
a17aada9cf6378b2927fe665b01c1231e655de93

SHA256
1485a4c19776f95875043a80ccd7223830bf9f3e6a27e87cecbcb30df1b11587

SHA512
545c3826b0ffca87a310ef146aa4ebec74196609cfb0f5eea3b085d0b3c15d865c1596f64a1aa1a00dab4a3a9f0429612a6bd4faa06be58b8039ec27f8b06904

Download Submit
C:\Users\Admin\AppData\Local\Temp\Television

Filesize
100KB

MD5
17bc06c71ddd7059916e5aabe0da48b4

SHA1
9e9f45880e943d4901c1873de664ed12c2254932

SHA256
fc3cb814d3541064f45a199788ad1865571496f08635abe48ae3bcec74d63f76

SHA512
267e24182dad10499fbffb3ce1926a2f1d790ef832621d99145cfc0c4698d67222e96a1fe47dc480ec17c07ee81e38a0d4472db5817e9b8cc978aeff48b4f591

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unified

Filesize
32KB

MD5
5326c3a5e46bf8783a052e8304c7b6f2

SHA1
e5e7edbc039046b12aad6b4c457ac0b2c82bfc33

SHA256
3f1af39bacf153b601dde9e26d993d5bf4619122dd7d6e9a8d083d6aad990fde

SHA512
f54c6739402f46c69a10dfe7d80395943294660b7a81fff299da5f21aab0799f2bc1ef76ed8f4b57e9f9930dcfa37ff746d41d19fa5c228400b461e3c5556eac

Download Submit
memory/512-609-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download
memory/512-611-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download
memory/512-610-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download
memory/512-612-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download
memory/512-613-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download
memory/512-614-0x0000000004690000-0x00000000046E7000-memory.dmp

Filesize
348KB

Download