lumma | 9788c54a4fe6470d201289875a8fdc3310b57d2fcc0a8e44900e0b883bb20676

General

Target

Releases-x64.zip
Size

19.6MB
MD5

4e50772eafafbf5b3d0009b0d870b355
SHA1

6e7cf08d4772e47e6956cbcfb2571013f135cf73
SHA256

9788c54a4fe6470d201289875a8fdc3310b57d2fcc0a8e44900e0b883bb20676
SHA512

c79c119b748fe4af2c0422c3747c8fe773bed39fe643c56ea80329c2a45ac4ff6a55b9649f27e66c897e4d2bb4634bd6cd3201cba6139ddfdfd1721c37e9b90b
SSDEEP

393216:TX6Of7IojkL2l+XSaCxgIF3rHM6R0lADUH/E5TFjYO4bBv3Ma36uTx0zlsIfZ:TX60IGl+XSddMAuymgTFjYO4bpl36uTU

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
4936	Bootstrapper.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	4936	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4768	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3604	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3604	7zFM.exe
Token: 35	3604	7zFM.exe
Token: SeSecurityPrivilege	3604	7zFM.exe
Token: SeSecurityPrivilege	3604	7zFM.exe
Token: SeSecurityPrivilege	3604	7zFM.exe
Token: SeSecurityPrivilege	3604	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe
3604	7zFM.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4936	3604	7zFM.exe	77
PID 3604 wrote to memory of 4936	3604	7zFM.exe	77
PID 3604 wrote to memory of 4936	3604	7zFM.exe	77
PID 3604 wrote to memory of 4768	3604	7zFM.exe	83
PID 3604 wrote to memory of 4768	3604	7zFM.exe	83

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Releases-x64.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\7zO41E59BD7\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO41E59BD7\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1288
    3⤵
    - Program crash
    PID:2932
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO41E3A718\config.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4936 -ip 4936
1⤵
PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO41E3A718\config.txt

Filesize
220KB

MD5
96c673c9e9dedefec5fd5e27284e4f29

SHA1
1b5865f8998749a1fd61f62e6357d19dedcc9a2c

SHA256
d92b9e01e24935e1cc6144734c0b39379edef1e3c06aedbd547dc304e7334d77

SHA512
4ac805e8528f1003911960ce317150d186022a30dc31c479a54e1f6adbbf9cbce882da4b46f8cf0991c9e07fb4239f970d07c1538e4d16c79b560b5b272e5b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO41E59BD7\Bootstrapper.exe

Filesize
304KB

MD5
f9c50fc17bd4aa04434a72c3b393c79b

SHA1
d76b02462e904b25e9d50c2e4b8822e298780ef7

SHA256
2d995ee3fef7304be486ec676f123e23f0c39e2db4fa9f5e52cbbd1f0288b3f8

SHA512
6f455cba3ea1798641e50c5cdc0b24e4c5e39a5f35b218716a9f1c6afe47171544afe23b5dbba05e1f3e62681cc300634302df03013e2d47e2685b31407389bc

Download Submit
memory/4936-9-0x00000000022C0000-0x00000000022EE000-memory.dmp

Filesize
184KB

Download
memory/4936-10-0x00000000022F0000-0x000000000233D000-memory.dmp

Filesize
308KB

Download
memory/4936-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4936-12-0x00000000022C0000-0x00000000022EE000-memory.dmp

Filesize
184KB

Download
memory/4936-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4936-14-0x00000000022F0000-0x000000000233D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing