lumma | 250dd49463bef0ec8fd03d4d1311a001ddccd84b47a01b2b74624f5e9c794b0f

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nowy folder.rar
Size

36.6MB
MD5

11c5adc493c544fea747bd02a5e87e15
SHA1

4e74e105af5e61549bbdcac9b2458f4804185832
SHA256

250dd49463bef0ec8fd03d4d1311a001ddccd84b47a01b2b74624f5e9c794b0f
SHA512

ad5ee83646976de5aa86434b86dc153a65dd828f798a10b89337177d8fe1767bea17284a2fbff0fc8b0410ed438bfb61a0e481e9d901e614c5199524053f0202
SSDEEP

786432:y5A+gaBhqHPdZ06ugf6LFnybnmBiUx51+KwNYOqEj0KHbhHRTfVrdRU0:y5A+5BEVq6NCR+UH19ARj0OlxTNrl

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
4152	ModiFyx.exe
3756	ModiFyx.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ModiFyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ModiFyx.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4152	ModiFyx.exe
4152	ModiFyx.exe
3756	ModiFyx.exe
3756	ModiFyx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	548	7zFM.exe
Token: 35	548	7zFM.exe
Token: SeSecurityPrivilege	548	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
548	7zFM.exe
548	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Nowy folder.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Users\Admin\Desktop\Nowy folder\ModiFyx.exe
"C:\Users\Admin\Desktop\Nowy folder\ModiFyx.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Users\Admin\Desktop\Nowy folder\ModiFyx.exe
"C:\Users\Admin\Desktop\Nowy folder\ModiFyx.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\PG_VERSION

Filesize
3B

MD5
aa6ed9e0f26a6eba784aae8267df1951

SHA1
feee44ad365b6b1ec75c5621a0ad067371102854

SHA256
1a252402972f6057fa53cc172b52b9ffca698e18311facd0f3b06ecaaef79e17

SHA512
01765ddfd925d70d41d53cabdba5f2588e678e534ef5d8840a813bc58d33198039006ce6395c6b95747a2e05d21ff3a47389638ba9405fd11ab1b0857f56426f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\base\14088\1259_fsm

Filesize
24KB

MD5
9a360591abd6ca7d3aca9b36ce19841d

SHA1
1f3d3f59be3657821aa1f4f66ea9d16c5d545c2d

SHA256
8acdc937fca22a496215056ed3960bff6d3319b9c45f3050e8edfc09d7085c27

SHA512
3ce5e0cb8db3beb16d254a01dfd7019931c1f30b9e5ba7341a95ba8b5db956a95e057a949c4934788c34bc1443f52b02fad93da5bd0ca7f06135927fc7d221a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\base\14088\13938_fsm

Filesize
24KB

MD5
c7cdb534af6bd29fb2c6e3ef3ed24526

SHA1
490b58cb3588090289f7b18e33cb2691dc8fcacf

SHA256
1026c5125dd766e9b5b35a9dc36622cb8b9e441fb4e6c9b62e65cb46566652cf

SHA512
85f587aedfea35bad2857e9f7772bb72aef0ebd96c88f5c29f2bd32cf20dd07befd08ff4ac4eb11ad4d244a20d40be29ebb69815850b75d9bf0702f4e65ffc9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\base\14088\13948_fsm

Filesize
24KB

MD5
99d1debbe47a2018c43693c11dd06300

SHA1
c341d19b9b9011c1dfda387a42b2764dfc44e2a3

SHA256
962a13e899d74c006af6764efbbc6901d740f1a9165dd8f79d1e9338bb3f18c7

SHA512
f5ed0df7f76cf571d4e8d8a9efc53dd5588cfb78187c2fc914451a8d5eae3580d1e4004e59aaa52d7006aef2b746a4fc5f501185765a241824ac48e2cf438883

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\base\14088\3079_fsm

Filesize
24KB

MD5
2a3216a10d8aeed6ac8058c1f5f6cabb

SHA1
6a01bfc3f8c7c15a5624300cbd6047c5dcfa9a4a

SHA256
a0551e864782ad52e08fb6d723a01d381d7c16a18009bb83025faba4e8179e53

SHA512
ece4efb1d1bc5910c8c967290760a8ee27a1d8dec39a137566c374f946bff14d6a190ba4aa90af6983dceec4f5684d53714ec53242bc8f586c07fe82cede8264

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\global\1214_fsm

Filesize
24KB

MD5
461ce67a44bad8aa641f0f8ac7f750a3

SHA1
8839d3ce467b401c60f851183bfd7841ce7c0770

SHA256
51e01e110ad6394a405d1cd7d0f18be9e1566302d54d545ff703c30cee71f5b0

SHA512
f8ed6ec80bb7a0b2b396d7fd99a12718a78aacc0215418434549c2e95c2fb9f0daf0340855ff2923c7cd143cc92f3112841c5dc65bfc4f955fb698ef765c66ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\apt\postgresql\13\main\pg_subtrans\0000

Filesize
8KB

MD5
0829f71740aab1ab98b33eae21dee122

SHA1
0631457264ff7f8d5fb1edc2c0211992a67c73e6

SHA256
9f1dcbc35c350d6027f98be0f5c8b43b42ca52b7604459c0c42be3aa88913d47

SHA512
18790c279e0ca614c2b57a215fecc23a6c3d2d308ce77f314378cb2d1b0f413acd3a9cd353aa6da86ec9f51916925c7210f7dfabc0ef726779f8d44f227f03b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE422671F7\Nowy folder\pam\dpkg\triggers\update-default-ispell

Filesize
28B

MD5
652b20cd6ff7c0aff5a74fa3f6fabeff

SHA1
f0d739861692b2a303e4b654bb9de05e251d9e5a

SHA256
b2eb5757b46fc925e6f149607f3aa9ae31755735a438fd9ae3effabab0ebf2ed

SHA512
220368aa428174cd5d01b9c3a6fc0b2bb36a8c81d8b58c6d7a6722da304894dee82eb961fd5e24995f0c624750a2eb2b7ad04a165190331e5d0d0d1fe7c70f0c

Download Submit
memory/3756-2765-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/3756-2766-0x0000000000890000-0x00000000010EA000-memory.dmp

Filesize
8.4MB

Download
memory/4152-2758-0x00000000008E3000-0x0000000000B64000-memory.dmp

Filesize
2.5MB

Download
memory/4152-2759-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/4152-2760-0x0000000000890000-0x00000000010EA000-memory.dmp

Filesize
8.4MB

Download
memory/4152-2762-0x00000000008E3000-0x0000000000B64000-memory.dmp

Filesize
2.5MB

Download
memory/4152-2763-0x0000000000890000-0x00000000010EA000-memory.dmp

Filesize
8.4MB

Download