lumma | d03820b304f0a79c3778e60b9e9d561f8080525974b66dd62f9de3c8dceebfac

General

Target

Mod Menu v3.1.zip
Size

9.1MB
MD5

df580c685c09a86e2698cbdf608d247c
SHA1

7b125d9f45efb1ebb8f220dc83b71fbe3be4baf3
SHA256

d03820b304f0a79c3778e60b9e9d561f8080525974b66dd62f9de3c8dceebfac
SHA512

8740e3dcb7e5ef36a8450f414b0a98e4ff13c46dfae2e26aa7ed8e8b9a9cfb65d02a6a41b773ffe22d11965d7d6cfad1eceddf3e53659c640edfe5f0fb301ed4
SSDEEP

196608:7HELCspPA/uddApsMU4l3PQ4esfBWGygdOGV:74I3sH4l4LklOGV

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 6 IoCs

pid	Process
3140	Loader.exe
5100	Loader.exe
4020	Loader.exe
1344	Loader.exe
424	Loader.exe
1084	Loader.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 5100	3140	Loader.exe	97
PID 4020 set thread context of 1344	4020	Loader.exe	100
PID 424 set thread context of 1084	424	Loader.exe	103

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3972	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3972	7zFM.exe
Token: 35	3972	7zFM.exe
Token: SeSecurityPrivilege	3972	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3972	7zFM.exe
3972	7zFM.exe
3972	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
400	OpenWith.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 3140 wrote to memory of 5100	3140	Loader.exe	97
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 4020 wrote to memory of 1344	4020	Loader.exe	100
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103
PID 424 wrote to memory of 1084	424	Loader.exe	103

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mod Menu v3.1.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
"C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
  "C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5100

C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
"C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
  "C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344

C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
"C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:424
- C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe
  "C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Mod Menu v3.1\updater.ini
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Mod Menu v3.1\Loader.exe

Filesize
797KB

MD5
c3cc4c8de64966fac02439d06d9db0b3

SHA1
74782cbd2a26bb52316f4aec515769491128cb10

SHA256
1d6ef55eb647dcc14c81ac16525c1c6ad90a35d169f743ff6155821b4c86ad92

SHA512
594277fea70474511ccca986d0e8af3b84c4079cccd0831ac5ce32a1ce1c75597bb81a448b307782379f30a4ee170b49c2d0c50dafb192c6676404004db67a01

Download Submit
C:\Users\Admin\Desktop\Mod Menu v3.1\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\Desktop\Mod Menu v3.1\updater.ini

Filesize
3.6MB

MD5
971543b2412541a890ec173524db2ccf

SHA1
0e49b25e0dc320a85d3c11908a444779695501f5

SHA256
2096cacb59cb1bcf9605e4d6897e02007e06f2cf1ace4cda961c0ae2b57fc8aa

SHA512
bf1c9677f32c24a64d058f6d42f4d65c5d52c94777513b3f7793e62fb974209891881d0d437aeba20a75d4aac1096e1205baa631d98e038ade5f42500e752bed

Download Submit
memory/3140-90-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5100-91-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5100-94-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5100-95-0x0000000000650000-0x000000000071D000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads