lumma | 5281883011b847e4ab3f68c7488a47fb8489ac802c558a2cb1e5bef588f06269

General

Target

Release-x64.zip
Size

19.6MB
MD5

25493ab271580066a0d5e8d43b25e055
SHA1

f2a8336d1e6a75233f796fe37ec00aa204fb6907
SHA256

5281883011b847e4ab3f68c7488a47fb8489ac802c558a2cb1e5bef588f06269
SHA512

41728fc89da12faca4fa738f5ef48cd1d7fd1c9b82151f9d011f4079611d0e7fdc7a06503a07a469a89b9de0424404b547bd89e5678da73a8dfa89668932deb1
SSDEEP

393216:oyzn8HaG+RVYNVwS8+1Kd7qI2R/Ri977qCWEyeEcTeuoIJKxoJe4B2:Zn8yV2Vw7+10qbKzEcquoAKxogM2

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 5 IoCs

pid	Process
868	Bootstrapp.exe
4444	Bootstrapp.exe
3816	Bootstrapp.exe
4008	Bootstrapp.exe
3788	Bootstrapp.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3968	868	WerFault.exe	78
2392	4444	WerFault.exe	84
1160	3816	WerFault.exe	87
3468	4008	WerFault.exe	97
8	3788	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4480	7zFM.exe
4552	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	4480	7zFM.exe
Token: 35	4480	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeRestorePrivilege	4552	7zFM.exe
Token: 35	4552	7zFM.exe
Token: SeSecurityPrivilege	4480	7zFM.exe
Token: SeBackupPrivilege	2360	svchost.exe
Token: SeRestorePrivilege	2360	svchost.exe
Token: SeSecurityPrivilege	2360	svchost.exe
Token: SeTakeOwnershipPrivilege	2360	svchost.exe
Token: 35	2360	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4480	7zFM.exe
4552	7zFM.exe
4480	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3156	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 868	4480	7zFM.exe	78
PID 4480 wrote to memory of 868	4480	7zFM.exe	78
PID 4480 wrote to memory of 868	4480	7zFM.exe	78
PID 4480 wrote to memory of 4444	4480	7zFM.exe	84
PID 4480 wrote to memory of 4444	4480	7zFM.exe	84
PID 4480 wrote to memory of 4444	4480	7zFM.exe	84
PID 4480 wrote to memory of 3816	4480	7zFM.exe	87
PID 4480 wrote to memory of 3816	4480	7zFM.exe	87
PID 4480 wrote to memory of 3816	4480	7zFM.exe	87

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release-x64.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\7zO081115A7\Bootstrapp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO081115A7\Bootstrapp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1432
    3⤵
    - Program crash
    PID:3968
- C:\Users\Admin\AppData\Local\Temp\7zO081232F7\Bootstrapp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO081232F7\Bootstrapp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1400
    3⤵
    - Program crash
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\7zO081BA428\Bootstrapp.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO081BA428\Bootstrapp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 872
    3⤵
    - Program crash
    PID:1160

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 868 -ip 868
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4444 -ip 4444
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3816 -ip 3816
1⤵
PID:2892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2412

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Users\Admin\Desktop\Bootstrapp.exe
"C:\Users\Admin\Desktop\Bootstrapp.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 1500
  2⤵
  - Program crash
  PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4008 -ip 4008
1⤵
PID:4236

C:\Users\Admin\Desktop\Bootstrapp.exe
"C:\Users\Admin\Desktop\Bootstrapp.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1264
  2⤵
  - Program crash
  PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3788 -ip 3788
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO081115A7\Bootstrapp.exe

Filesize
303KB

MD5
8b4b611f189dc2c0da8f0418a4f75a48

SHA1
67da157c8da2ee1deb30472e06cacca5c1918d5f

SHA256
c06c92f33a0f706400bac3cb9174e27d95a995bd69886bd7e779638813483c78

SHA512
93cd273d5d0525e92340434cb4a255c8d2dad8db24a2cbb0d78a1a5be41ecdafd835971bed638e98e546bfdcd59151a8d2219a4fc307a50b8e22b6b928136e58

Download Submit
memory/868-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3788-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3816-29-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4008-42-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4444-19-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing