Analysis
-
max time kernel
12s -
max time network
13s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
06-01-2025 21:58
Behavioral task
behavioral1
Sample
lumma.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
lumma.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
lumma.exe
-
Size
364KB
-
MD5
91b18efc2fb34ea1330d7077c96736e6
-
SHA1
bc014e0f942989f5f52a0709ba1116dec4133a98
-
SHA256
d82059006cdeb0720d687852ce85370d395a445cf66f2577eabc78c747ed9689
-
SHA512
b6e672a6b7690dd34f6aa8a779432757f2e4f1f5c980d3798ccffea5f9598db8a885621cc2ad9d25f54fcb0a766eb866416a079cd96efe65dde8d80b6899c040
-
SSDEEP
6144:jA6xKh6ckttv2vzCYaF82Dx6AU/AbMQTKhCVnltn43J7:8kKh6c5bCYaF824EMQ+hCZlq
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64C67EB1-CC79-11EF-B666-DEF96DC0BBD1} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2580 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2580 taskmgr.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 368 iexplore.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe 2580 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 368 iexplore.exe 368 iexplore.exe 2220 IEXPLORE.EXE 2220 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 368 wrote to memory of 2220 368 iexplore.exe 33 PID 368 wrote to memory of 2220 368 iexplore.exe 33 PID 368 wrote to memory of 2220 368 iexplore.exe 33 PID 368 wrote to memory of 2220 368 iexplore.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\lumma.exe"C:\Users\Admin\AppData\Local\Temp\lumma.exe"1⤵PID:2308
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2580
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2220
-