lumma | 384bf5ea71114839e9a56810b7e32a89e678cd80387cad1ff4a9b9766a6674f5

Analysis

max time kernel
95s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe
Size

36.2MB
MD5

d6e31d250c883d0d3cb64cccde6be8f8
SHA1

384c8df3c3bf7a461242f60b014883556d10cd72
SHA256

384bf5ea71114839e9a56810b7e32a89e678cd80387cad1ff4a9b9766a6674f5
SHA512

0d97b7ef5bb666c761a7447c46c9890405b7fcdd1b44e2aaf46af65fe50081fb367dbbf2e4f5c64dde01877483922fe93e47d1a6d41b3989e9111147b2769a71
SSDEEP

786432:vKZYengQODTqpkH7a0+RQCI4ZUXKNZMpSxW1IjOZU3ZzBvSix:/TC0+RQCIoMpSxTZFvSix

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://studentyjw.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe

Executes dropped EXE 1 IoCs

pid	Process
3652	Cleveland.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4920	tasklist.exe
2380	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ExpectsNbc	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe
File opened for modification	C:\Windows\ReynoldsWeed	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleveland.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	4920	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3652	Cleveland.pif
3652	Cleveland.pif
3652	Cleveland.pif

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 728	2808	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe	85
PID 2808 wrote to memory of 728	2808	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe	85
PID 2808 wrote to memory of 728	2808	2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe	85
PID 728 wrote to memory of 2380	728	cmd.exe	87
PID 728 wrote to memory of 2380	728	cmd.exe	87
PID 728 wrote to memory of 2380	728	cmd.exe	87
PID 728 wrote to memory of 3080	728	cmd.exe	88
PID 728 wrote to memory of 3080	728	cmd.exe	88
PID 728 wrote to memory of 3080	728	cmd.exe	88
PID 728 wrote to memory of 4920	728	cmd.exe	90
PID 728 wrote to memory of 4920	728	cmd.exe	90
PID 728 wrote to memory of 4920	728	cmd.exe	90
PID 728 wrote to memory of 468	728	cmd.exe	91
PID 728 wrote to memory of 468	728	cmd.exe	91
PID 728 wrote to memory of 468	728	cmd.exe	91
PID 728 wrote to memory of 4108	728	cmd.exe	92
PID 728 wrote to memory of 4108	728	cmd.exe	92
PID 728 wrote to memory of 4108	728	cmd.exe	92
PID 728 wrote to memory of 1560	728	cmd.exe	93
PID 728 wrote to memory of 1560	728	cmd.exe	93
PID 728 wrote to memory of 1560	728	cmd.exe	93
PID 728 wrote to memory of 2964	728	cmd.exe	94
PID 728 wrote to memory of 2964	728	cmd.exe	94
PID 728 wrote to memory of 2964	728	cmd.exe	94
PID 728 wrote to memory of 3652	728	cmd.exe	95
PID 728 wrote to memory of 3652	728	cmd.exe	95
PID 728 wrote to memory of 3652	728	cmd.exe	95
PID 728 wrote to memory of 4436	728	cmd.exe	96
PID 728 wrote to memory of 4436	728	cmd.exe	96
PID 728 wrote to memory of 4436	728	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_d6e31d250c883d0d3cb64cccde6be8f8_hijackloader_luca-stealer_magniber_metamorfo.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Charleston Charleston.bat & Charleston.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 217924
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "CSoughtCharacteristicsSupply" Speaker
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Filing + ..\Enterprises + ..\Brook + ..\Platform + ..\Authority + ..\Motors + ..\Attributes + ..\Alex E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\217924\Cleveland.pif
    Cleveland.pif E
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3652
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\217924\Cleveland.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\217924\E

Filesize
497KB

MD5
99e3a96ee307946656d19f7e1c8fad30

SHA1
2d7395413f12846ddf575f566f1e4efae06cfced

SHA256
3648bdd0a9c116ffc1df40f7bdd1ffe766b39f8ef69805cbac8d243f1cdd0dfd

SHA512
e513468b1ee8aefa810d0c94de4e8860dc149901d1edeb86905382cf1e23fb032f9072bcfdf134e6ff4115094d69d88dafe28028f783828b964aa6c7550f6117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alex

Filesize
8KB

MD5
6dd972723905a11984ee7cf0234bca83

SHA1
3ac9ac87306f657a5b7778f36533636fc814e230

SHA256
844a33d095259ea32b1ba5cc722700f551054dad160064af1f14c6919f76dc75

SHA512
c87cfff747aa4336107a18fb64f375d017030674be0524cde6236bc21051279e0eb12add6b7792e74e32d3b5905d2493aaa8ff468592d2afb4fbf1581e84716a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attributes

Filesize
56KB

MD5
197389331100003ca19861f3652827d7

SHA1
57718a1bf66be009b14e888ccc286e16288a403b

SHA256
6a87be05a3ac9ea10fada9ae9804675ec9a3eae6c9b905ebaef57d9041c6bbcd

SHA512
d2409f577fad8461be8519ecf43135383cd22249b3717f0862629d2fc10fbebe54af25103bdb293324aea8b32d7825b127925af30c0e2551e4c80ecb757df953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Authority

Filesize
65KB

MD5
58fd63b4a0cf48d6299540613c97afc8

SHA1
0d03229b4b8da358b4cab1749c46e957e71e5b56

SHA256
31d67f368295d73bdf7302d0075f86329281e9ea15bf4bec22b167f5b798232f

SHA512
2e4edf9aa0c1131006ea1186a169d02b12d7d880ccde2960cad4d1c5522c01d26e147811005c3d61262517384c2aa7a79f6e952bf722421083ec1eb4e4e9f90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brook

Filesize
89KB

MD5
5032faf4c31d3e5aa0f8089b4fc94ab6

SHA1
570222489199e4d75696822bf0168f82b631333d

SHA256
a664f295b89bee2f55d28debbe07fa60057e514803964d1c93f5323717447a7d

SHA512
48d3f74b6c4f48b4fc6cd96ed0555f057f7568b871048600e6f545a4a4c8173f7ab1ff5cf18c996c2c747a63535d3ce1b3a1634645eaad9a980edee31b1a3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Certificates

Filesize
866KB

MD5
a2d20b7570f81ed67af98bd19eb88343

SHA1
92e03a2072bb698d0646ad00570c44d37ab0cb7c

SHA256
9357b71f6a2c788763df92c104c066f2ad87a1cf4d13edd14257b332d3b8c373

SHA512
47356ee4e54a968c5966d19a53af9c654fbc13a838644aee1dc8b8905cc570d398fbac10ae59bbbe0e934adc3f1d84fd42af3afd6058386d8879bb16815adfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Charleston

Filesize
9KB

MD5
2de7944a72e02242c6f4b20e9e25da61

SHA1
a2bd1215b1c3a5f449c2458999904e61a37056c3

SHA256
6cbfeaad4089172cda1a6365643df08caa729c74cb28991d1d5e57ed7c3cfbf4

SHA512
1bbc62dc8b7b1ea6c1e7271383ea4c834ebe36da3644aee9d0a2b8dac28251795e60dd97191d6ab82c5f143e3a52a18ffa45fc88493baf50fc613fab1502706e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enterprises

Filesize
96KB

MD5
374942554eee74f72c21a29212aca854

SHA1
16df472816b05b7aa1184993af59c1448d554ea6

SHA256
92ccb70a23fa534ac5810b25cfdc325181addc8aebe91ca2976623a2bcec0fd4

SHA512
ae8c24893b3140454159945365569dc26fe98f3190fe7aa53ce67d9be9260696a624987659659dda90121a2cbba294cdc65253c2e0eab02faeebb9d55e1030ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filing

Filesize
58KB

MD5
04f12d158f148b3389ac80a1eca9584e

SHA1
a40608ba7ef5f8d67d3e459bb175ada89b14343e

SHA256
295d7b4b28095895356cb3dc9942b7dc78bd462bd8b67d0f37d7e41753cd50ea

SHA512
a5340061965498076647a7df9207b9871b17aa6f132b4150738fd313d8a84082fcf372bedf35c513842a2869e1041a8c2920bcd8cf6177ea3e80cea815db512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Motors

Filesize
52KB

MD5
97cb8ec0cb1a5c2234beda03f16601ca

SHA1
64dc30616de0c7da767dab5cc99f9e7ca91ab958

SHA256
89dc9532acf65214a5cc7302f451279380a0499a4a9ac7d4fba8ad8721da949b

SHA512
8dbd6de13788f9dc83ebf791196a53567e1b4962b5b1393127add75cd2afac26995c55a452eb55de5ba72ee94409530b5bef96c3cb37d8ba98627cd3598e15b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Platform

Filesize
73KB

MD5
b1bb6182216b4ea296be9288e3cbdd35

SHA1
dea141130b601c5f7b6659bc3386905232d30eb6

SHA256
e70f75e09f9ab75c20bd29bada208c618c86bb08fc628d50180350f755ed5df1

SHA512
432ff775a6226e87bf30ecb32108c9a56dcc5f6483a7fc4227207c4e320e2abe89d67749f230c6cef01c26aa628d3ad8b1f1bf09623ec0956c62f103af14ba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Speaker

Filesize
6KB

MD5
f07e175609d17f91e0cd48bd8cd4bed7

SHA1
7d648fa9feeefa6c869a4bea019c79454228d4d1

SHA256
5e98ff2378c7a69ee0f2a231e8499f3f21cbddfa018745c1d6adc4d54aac6480

SHA512
1924b62a53520cb458df1b4c4e6c3a406ff6dd5ff0fb4b7537af7624205a15c5f17b7b631f6d92b36219ab53d2fe87c05e8a42ea07cec089ca2edf67074018b8

Download Submit
memory/3652-256-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/3652-257-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/3652-258-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/3652-259-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download
memory/3652-260-0x0000000000440000-0x000000000049C000-memory.dmp

Filesize
368KB

Download