lumma | e885e9dcfc014ec389fa2f9ba8ec67a09ceedefa5d69a6762d56763eb8688453

Analysis

max time kernel
52s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UNIVERSAL-HWID-SPOOFER-main.zip
Size

1.5MB
MD5

2bbe2d72f5b6b19caa86eeec5ea7b77d
SHA1

1691d32667f9d8a7812b1e19f626b53e315fb5cf
SHA256

e885e9dcfc014ec389fa2f9ba8ec67a09ceedefa5d69a6762d56763eb8688453
SHA512

bf2c2d5cb10855b50b87d0f7d8783cfb5cbb7ef514ad09c2e0c73f71841bd52d1e4aa720b5d0e8b060645c61df8aaaecda16da88ba28507abf949d6504a76169
SSDEEP

24576:Ut5tkNOsn4XeITV8wQhvdGZc+brES9GxiXfliyRNqpE2I0gxiO521UcgazBG6h:UtaOleIThOvEZcIroxmfsjB22L/h

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
2456	UniversalSpoofer.exe
1052	UniversalSpoofer.exe
2180	UniversalSpoofer.exe
2472	UniversalSpoofer.exe

Loads dropped DLL 4 IoCs

pid	Process
2456	UniversalSpoofer.exe
1052	UniversalSpoofer.exe
2180	UniversalSpoofer.exe
2472	UniversalSpoofer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3100	2456	UniversalSpoofer.exe	99
PID 1052 set thread context of 3364	1052	UniversalSpoofer.exe	103
PID 2180 set thread context of 1620	2180	UniversalSpoofer.exe	114
PID 2472 set thread context of 1624	2472	UniversalSpoofer.exe	118

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversalSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversalSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversalSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UniversalSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	3972	7zFM.exe
Token: 35	3972	7zFM.exe
Token: SeSecurityPrivilege	3972	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3972	7zFM.exe
3972	7zFM.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 2456 wrote to memory of 3100	2456	UniversalSpoofer.exe	99
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 1052 wrote to memory of 3364	1052	UniversalSpoofer.exe	103
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2180 wrote to memory of 1620	2180	UniversalSpoofer.exe	114
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118
PID 2472 wrote to memory of 1624	2472	UniversalSpoofer.exe	118

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\UNIVERSAL-HWID-SPOOFER-main.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4728

C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe
"C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3100

C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe
"C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3364

C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe
"C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620

C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe
"C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UniversalSpoofer.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Roaming\msvcp110.dll

Filesize
642KB

MD5
9bc424be13dca227268ab018dca9ef0c

SHA1
f6f42e926f511d57ef298613634f3a186ec25ddc

SHA256
59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

SHA512
70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715

Download Submit
C:\Users\Admin\Desktop\UNIVERSAL-HWID-SPOOFER-main\UniversalSpoofer.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
memory/2456-90-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2456-91-0x0000000000DD0000-0x0000000000E60000-memory.dmp

Filesize
576KB

Download
memory/2456-98-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2456-99-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2456-109-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3100-100-0x0000000000620000-0x0000000000685000-memory.dmp

Filesize
404KB

Download
memory/3100-108-0x0000000000620000-0x0000000000685000-memory.dmp

Filesize
404KB

Download
memory/3100-105-0x0000000000620000-0x0000000000685000-memory.dmp

Filesize
404KB

Download
memory/3364-119-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download