lumma | e5accffcd09376e462b99edbbf69fcc363a19d33607671898b17c444e64416a7

General

Target

collapse.space.zip
Size

47.3MB
MD5

ad3405fe25ebd6939dd227424fe4e19e
SHA1

7c052e146d44ce8f0228162b756d1ba4453cd65d
SHA256

e5accffcd09376e462b99edbbf69fcc363a19d33607671898b17c444e64416a7
SHA512

e47b22de9b18fd352b1c951d231f2968c7798937bd5b6ae7a5352df7fc4f3488653dd1e27c8506dca104eab712c9791c842f0fdb3449a40a326d21fadd208872
SSDEEP

786432:Cga49q6IS/Q4oLd2HZVmNrWIVmki1kEMJSHB21MzPp8XcdT0WqNwduz6VXZsCkNg:z5IS/QtLd2HZcZi2ElYgp3TACVXZQ4S+

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
3540	Collapse.exe

Loads dropped DLL 1 IoCs

pid	Process
3540	Collapse.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 4956	3540	Collapse.exe	109

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3240	3540	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collapse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4212	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4212	7zFM.exe
Token: 35	4212	7zFM.exe
Token: SeSecurityPrivilege	4212	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4212	7zFM.exe
4212	7zFM.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109
PID 3540 wrote to memory of 4956	3540	Collapse.exe	109

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\collapse.space.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

C:\Users\Admin\Desktop\collapse.space\Collapse.exe
"C:\Users\Admin\Desktop\collapse.space\Collapse.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1028
  2⤵
  - Program crash
  PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
435KB

MD5
1f0616fc60816926fa23aabac6efe1b8

SHA1
4693caed00a8ad22f3688e0bb035697609b67d4d

SHA256
cb1f95b755e59e1eb8b4450cadf9e0f3f1aab2e0a2056245e0261cf332d35dd2

SHA512
626d01d72464d6c4a26c411ae5dbc5801d3c7133f89ac60cc69abf53c7a40bfa106325079fd2d54e8b3d6a2424883542af9bfe6deb22d11318f41b60029db106

Download Submit
C:\Users\Admin\Desktop\collapse.space\Collapse.exe

Filesize
716KB

MD5
7d7c550c2d044b987b10ad7185c7c179

SHA1
a45c66e265b8c2c9e6352e3982b6f8ee5b2a853a

SHA256
e8bf8518c3034877e086721233e26bd60d42a3ea7956b641d6a931a50dd83c8e

SHA512
351aa35ad78ea2b23bae449f8b17be47a38a8df7e7f63352465e0cd0b8e99392a988f5333fbf8d812562c5711c8604007084434a0fef6be03032b54f83cf6179

Download Submit
C:\Users\Admin\Desktop\collapse.space\library\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
memory/3540-166-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3540-167-0x0000000000AB0000-0x0000000000B6C000-memory.dmp

Filesize
752KB

Download
memory/3540-168-0x0000000005490000-0x0000000005496000-memory.dmp

Filesize
24KB

Download
memory/3540-175-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3540-184-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3540-185-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4956-180-0x0000000000500000-0x0000000000556000-memory.dmp

Filesize
344KB

Download
memory/4956-176-0x0000000000500000-0x0000000000556000-memory.dmp

Filesize
344KB

Download
memory/4956-183-0x0000000000500000-0x0000000000556000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads