lumma | 52451b93d5e879140e221207a60b84bf368f86c3f66db41ea9d8650c21329c05

Sharing

Copy URL

Twitter E-mail

General

Target

Panel.zip
Size

962KB
Sample

250105-22qj5aylbs
MD5

410febcceab220a2389bcfb8e525d2bc
SHA1

8d84ee01573155d35267cf32f043a4b1790219fa
SHA256

52451b93d5e879140e221207a60b84bf368f86c3f66db41ea9d8650c21329c05
SHA512

b61c97df1a951240a959400f565941616b717014562030959e2588876e3322c8c5ea67b93c5f0b8ffba77e9a401595443180d24e778d89f7dc5474c1eefa2df2
SSDEEP

24576:04fk6kt+MwuhEdKJ1eqKtwIhKDPn90PLycV:/8D+7uSdKWFtfS0PLycV

Score

10^/10

Malware Config

Extracted

Family

lumma

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://forbidstow.site/api

Targets

- Target
  
  Panel.exe
- Size
  
  71.1MB
- MD5
  
  50c9ab0b2423ac229c46cc00fe90bc3c
- SHA1
  
  e0bee49bc0120aa8f84b65a26cb2d25e943e5b79
- SHA256
  
  b4ddfe40ced34d89fc71db575c2a68c17c79551338411f012a2f28764c09a870
- SHA512
  
  de0c0c2bb751c7fddbf8c5502dbc6b88414754b839f66fa7930c8e6788b69e2394b4040b0dfcad4b3add97dee9094b2f97fa2b1b5dd11165eb59bfe6714ac4f9
- SSDEEP
  
  3072:Dc69mBoayt0cg6rlagjm2lXImnS7meRtZUBRPhutDFdM3fkdJ41:D/m2a7cxx59nxGtZykDFdIB
Score

8^/10

execution persistence
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  WindowsManager.dll
- Size
  
  433KB
- MD5
  
  5b7211145cb919b8cac505949d35caa8
- SHA1
  
  6373c7181bfc64cf140630219db2aefbca2c9f62
- SHA256
  
  29363cf4cd506dcfbfa2f3d954e2130b85db8068c0a8acae7982a6f1fa657c90
- SHA512
  
  b553730dc97cfa5e3e920b2484d157757539c7728c693bbce189f911deb5e3697c12eb4bb847d714fc8f83bf481245574ded807e88317b2dd039c97a71384571
- SSDEEP
  
  12288:CI11++JcRZtddofKKrzHPJ3ii0bL7E6t7y22a:CIKRZtddoPrjR3sP7RtuS
Score

1^/10
behavioral3 behavioral4
- Target
  
  assets/TapInstaller.dll
- Size
  
  25KB
- MD5
  
  9cac1ad2f768d22e4aaae577097df7f3
- SHA1
  
  b059d99cdd50c46948bd6e4ac264c2fe53169b22
- SHA256
  
  9c050c82c065fe5e7553e73393e59d0b3ca3372e6d590d6eb074b014dab0ea78
- SHA512
  
  22d59282a9b2aab81884ad1b1391c16755e895b2b79466fc163f30a8e9035498b371781ea0fab40b6e79313a9a54fe90b8903ecb8ad29471eebd02ce269a0be4
- SSDEEP
  
  384:hxB7Wf+NkjZwWqXteRRUUmi/6XLNrtMQJK2+Katf5kKFKjqfvGBkSG00:/kjSoghrW29skKFKcMkP00
Score

1^/10
behavioral5 behavioral6
- Target
  
  assets/WSearchMigPlugin.dll
- Size
  
  134KB
- MD5
  
  b74eb945013d95409a3e071c4029cb02
- SHA1
  
  d087775c3f00e9c27842cc44bcb27c0f334a865b
- SHA256
  
  2bdbbd40df3b199cd8ebfc359be451971527e602ab999e23fae524f8edab0ef1
- SHA512
  
  3c1e8d24a4d0eadec0beb7c3288bbb290d018ddaa104df9e65db0de0d7543ab77c4139de6b20382925e35bb1ee303dca12b2ea418770c70dde33f26be06a1c48
- SSDEEP
  
  3072:PBBD02DY32F5K7lxgtRx3aHCHGA+48xgJJ5x5N3DPZtQ68f69ru:PBBD02U32F5K7KRxKiHGAP37QXfS
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral7
- Target
  
  assets/WpcMigration.Uplevel.dll
- Size
  
  231KB
- MD5
  
  c92661b900b934ce4e4b7d047aba74e5
- SHA1
  
  abf1d9b1058fb1f14a091985bd3fa3c2e9140702
- SHA256
  
  85302fc70223988f2e94c5b443afe8c95f73695f60778bdc8cd5e1316a701841
- SHA512
  
  34921fccfc07d4080c22d7ff056e92df2bfee61f82212501c9c86d532131c43b2b3655e101439396b887a53180159cb372b222e649bcd7d48ed9952df0a22f6d
- SSDEEP
  
  3072:aqJFmRDHgpg2Ri14Myz56tvi8UKLBWAUG/+vufW4369gNbv6K9kd+GAmA8C/y:a0otLkMVizsBXUi6qNdkd+GAmA8
Score

1^/10
behavioral8
- Target
  
  assets/WsUpgrade.dll
- Size
  
  201KB
- MD5
  
  9d99b0e88cc4eaa43141dea9e31ed3be
- SHA1
  
  442e48476650e97cfac8e8088a7315b9804be0c1
- SHA256
  
  061de26f44da62a17eecb71f078ef90a9c8784e7c58500984314c74b32c12e46
- SHA512
  
  2a0cd7adf67e535cf4a40988d6da4ee69970694875504ea7f7e68cef19e01675557bd3021d867c2bb837d1c3e8287d710259c921967324255c53d0351c6d48df
- SSDEEP
  
  3072:a0qV+qDh/7k8Rr92ZSbTP6c27UxDOUreaNQbmOhG7/tfxvharBjnt:a0qVHV1IwTPrFtOe/tzarB7
Score

7^/10

persistence privilege_escalation
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral9
- Target
  
  library/ARSoft.Tools.Net.dll
- Size
  
  302KB
- MD5
  
  452def66509f01d15b43e4c57176d1d8
- SHA1
  
  fb3438a1b191fb75c76d22023c3478a585756463
- SHA256
  
  f1fe59774bf1fd914aea33459631837569d78e2c1a68d8c544cb498fcdbbef10
- SHA512
  
  c5ded39b6f8961bf9e1b77fb07fc41ac321f2e5b9e7a0c4d3a55cf7debb483384b51a8abade6edb9601ea2871cfba65886582cceefcc5010f45c819ec30c625e
- SSDEEP
  
  6144:/AUw1rf4dPEliWDLdQCc88UviewobzUY+GsKAZ:qbiy3Zc88UtFfU
Score

1^/10
behavioral10 behavioral11
- Target
  
  library/Autofac.dll
- Size
  
  236KB
- MD5
  
  f879f97c67c2d03cd47bb7ab1e6dfd51
- SHA1
  
  a65ec6943e9eb3ca7001f7bc310475709a949d08
- SHA256
  
  02c445f70273eff02d30055c83e77ce7434dd24f6da485b0231e88b2675795dc
- SHA512
  
  882db30f98796339a610ce5e5ddd8ad161e231fdd75c5ebd3e552fbb44a618faa09904b01c7c7dcf5834a350a2170c516838bc5de363a89a3a01bb6e0171970a
- SSDEEP
  
  3072:g36EQo/nAmrSwxl6g6o9We/Bwdc2lSG+qR/EWJS6A6g73yRhxgByGP/aw4cQSOhZ:gBclGKpT6zbcZAhdPSVuoxnBDPTS
Score

1^/10
behavioral12 behavioral13
- Target
  
  library/GalaSoft.MvvmLight.Platform.dll
- Size
  
  23KB
- MD5
  
  99a0483ce79d57b52b6a1eacd5f86a12
- SHA1
  
  443fc60ab490eefea76859cd263fafa15fed26a1
- SHA256
  
  16a051d25e5256348affa9f64a0919f69efd860c8fd3c3b28cea0a9fa126cd4f
- SHA512
  
  977719f32b0a4bd10f584a0ee82e7c69664a2a75533f1a3c7799eb89bd5d7c98cece830538372fb7e2263f3c99942ada1e90de50e0ba0e59dfacb8ab8e66d20c
- SSDEEP
  
  384:2KKUx+mQv787wr/igP39cVT0ojR97dKRSX8iPyZA3gs/bHMQJK2+KatfzNKFKjqI:DKnW3g/oTZjR97dJXTPyA3gs/bk29+Nn
Score

1^/10
behavioral14 behavioral15
- Target
  
  library/GalaSoft.MvvmLight.dll
- Size
  
  50KB
- MD5
  
  0fe3d6671024ea3d78aa18dd5adfa613
- SHA1
  
  3dfdfa5a20c3ded2908198c85aa04b9dae024441
- SHA256
  
  3baba32bdbcd1f2e715724e41ad97878bdb9fb7b7f85dfadc2f98d6cd68932fb
- SHA512
  
  84b7a7104ea5cce7c713c6bc2e8c686a684b78fe4949367db6652d285d3d01ebe594070cc993456fac9a21ac2f7a39180ecaf6013d674fce4e42206d0c1c6c55
- SSDEEP
  
  768:5nVF+heuJxTH6yaDSpAyYZbT0gJHTCNQYRWCiD5MaIN7UAifpzNJ2Ox/KpEsD+KQ:5VKLY5T0gUNQQiltEifpv2sCWRyIr
Score

1^/10
behavioral16 behavioral17

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Component Object Model Hijacking

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17