lumma | 53e135d7af8ed00e2819b9dd44210d3b9980df8ff2f52652bb27d69cd37c0196

Analysis

max time kernel
100s
max time network
115s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

70.0MB
MD5

a54611d7c28886682009becc3bbb6888
SHA1

a9e11545cb9a6f86c6858f098ed56f1f72a970d8
SHA256

cc1a9c470713c663d93d5c15406553926d8472bf7511ca82b5e4c31df9802d7f
SHA512

9e2c45c17264c1e31ddfc31b0faa0b0e244a9d37ac564812ebe4e4890c2efb12cf466353476418c70bbd2f4cd0872bfb04362acc0b127cec06cf5bd2cfd24501
SSDEEP

24576:k9cwUdP4s82RZeDeb7i1dyaYkfACBvl0NMg+KUBqaZPihwjU:jEfceDdYkxl0cFZPS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://displayclubby.sbs/api

Extracted

Family

lumma

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
3184	Types.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2592	tasklist.exe
2212	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CautionWent	Setup.exe
File opened for modification	C:\Windows\CoralFlorist	Setup.exe
File opened for modification	C:\Windows\ImpressiveLung	Setup.exe
File opened for modification	C:\Windows\TransmittedReset	Setup.exe
File opened for modification	C:\Windows\FocusingVital	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Types.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3184	Types.com
3184	Types.com
3184	Types.com
3184	Types.com
3184	Types.com
3184	Types.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	2212	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3184	Types.com
3184	Types.com
3184	Types.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3184	Types.com
3184	Types.com
3184	Types.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2468	4344	Setup.exe	82
PID 4344 wrote to memory of 2468	4344	Setup.exe	82
PID 4344 wrote to memory of 2468	4344	Setup.exe	82
PID 2468 wrote to memory of 2592	2468	cmd.exe	86
PID 2468 wrote to memory of 2592	2468	cmd.exe	86
PID 2468 wrote to memory of 2592	2468	cmd.exe	86
PID 2468 wrote to memory of 5036	2468	cmd.exe	87
PID 2468 wrote to memory of 5036	2468	cmd.exe	87
PID 2468 wrote to memory of 5036	2468	cmd.exe	87
PID 2468 wrote to memory of 2212	2468	cmd.exe	89
PID 2468 wrote to memory of 2212	2468	cmd.exe	89
PID 2468 wrote to memory of 2212	2468	cmd.exe	89
PID 2468 wrote to memory of 4860	2468	cmd.exe	90
PID 2468 wrote to memory of 4860	2468	cmd.exe	90
PID 2468 wrote to memory of 4860	2468	cmd.exe	90
PID 2468 wrote to memory of 1984	2468	cmd.exe	92
PID 2468 wrote to memory of 1984	2468	cmd.exe	92
PID 2468 wrote to memory of 1984	2468	cmd.exe	92
PID 2468 wrote to memory of 848	2468	cmd.exe	93
PID 2468 wrote to memory of 848	2468	cmd.exe	93
PID 2468 wrote to memory of 848	2468	cmd.exe	93
PID 2468 wrote to memory of 4076	2468	cmd.exe	94
PID 2468 wrote to memory of 4076	2468	cmd.exe	94
PID 2468 wrote to memory of 4076	2468	cmd.exe	94
PID 2468 wrote to memory of 3552	2468	cmd.exe	95
PID 2468 wrote to memory of 3552	2468	cmd.exe	95
PID 2468 wrote to memory of 3552	2468	cmd.exe	95
PID 2468 wrote to memory of 4568	2468	cmd.exe	96
PID 2468 wrote to memory of 4568	2468	cmd.exe	96
PID 2468 wrote to memory of 4568	2468	cmd.exe	96
PID 2468 wrote to memory of 3184	2468	cmd.exe	97
PID 2468 wrote to memory of 3184	2468	cmd.exe	97
PID 2468 wrote to memory of 3184	2468	cmd.exe	97
PID 2468 wrote to memory of 4984	2468	cmd.exe	98
PID 2468 wrote to memory of 4984	2468	cmd.exe	98
PID 2468 wrote to memory of 4984	2468	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Rocket Rocket.cmd & Rocket.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 563418
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Violent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:848
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "THEFT" Differences
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 563418\Types.com + Structural + Fossil + Representation + Correlation + Lung + Jo + Camps + Planned + Surveillance 563418\Types.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Elect + ..\Rest + ..\Scientists + ..\Lift + ..\Three + ..\Generating B
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563418\Types.com
    Types.com B
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3184
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563418\B

Filesize
453KB

MD5
ce763188af85572a2d7899878d8ee287

SHA1
3fe386dd25b3e577e325a2302c5f417eb31c46e8

SHA256
79088f1e64c902778b27e0801480458718869f0763817edfd13562053e62a07a

SHA512
afd9d1a60dd87ded17591e2b272f482c815ef87b00d1f81286799959dfb6a3913173b10cebb3169329195691132c3cc74572dca413c708d026e26f5e7ac8bd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563418\Types.com

Filesize
444B

MD5
a23fecfc91a28b475b9687f17eb24961

SHA1
86776218b3ae339380caa7eb63a6c80ada8428f4

SHA256
3d3087b79a58c75b62cdf080a9a7b568da6b6c66e73ba5bcf364c659e5cfce97

SHA512
e45ba2aa014e9e8caa170b786672d1531b175c97d5894609fbe9494cd2fd9f924dccbbe70774068c91c105b0f4630b2859ac7c4fd06309aba954195bea6c326c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\563418\Types.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Camps

Filesize
134KB

MD5
f9f97b3f9265044aff2416a663ead90d

SHA1
8b066eba5c4094097f7d79d25220970178549e2e

SHA256
637af9a4b34868553c06c018c6c2a43a7228386013f493a027cc424b195c4851

SHA512
20e9199bf9927f541d4135971d33474c6a465a34d7e1abb06d1fab3b3051c658f94712100ae78a717c95fe7dda4687fbdd2f4ea1d97b1e3272b94732f230d884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Correlation

Filesize
61KB

MD5
9556cd2d01bf1932e5a4465b6d9b50f8

SHA1
4042734bf402bd5f26ac9e59d7f725187f2336c1

SHA256
97208edbff3168f5b7e6aa6ed5b1334ebe3e557e83085683098c772b278439c3

SHA512
6f576446ea574323c9e9bd570145cc3bf4f67b49171fbf049e2b53cd100b147d23e6cf91d02470f4abc0147ac598fce1c9a9a88d90cd7ba65d03d7944771eadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Differences

Filesize
449B

MD5
ed93b72d1ee586aab8e3af31d5b6d6ab

SHA1
94d7b9a199a275ba745c0eff4d7e25625ed9228f

SHA256
a2f5940aa385f593054d11da0480227ce228d7cbfd4d2b96977b3ba801722fb6

SHA512
fdf1e27a3c44cd1d7da0328e605a827407c830be7b0e8eae7aa984e5ef326622223811dc5329f41d98159c0018669f8113a6812d1a745e111c0e72b9ff4553d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Elect

Filesize
99KB

MD5
edad09ec3da7e031b75d711a8168b630

SHA1
408d4ae59838dfabdfe8a0304e10a9439993aba1

SHA256
2a2ed1222616f9c5390bc4a73523b3277c64df346de6e4281d66e8acd612a288

SHA512
7cb2dbd512ffc82ee646094beb191c6d266c274c1445a3f3bc3260241dbfb794b380418110643367785ebf57a1e227d4271f9b902fc69f840b8e60801e31b27c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fossil

Filesize
140KB

MD5
6bbd58cd3714048abfbf6da7eb49cf72

SHA1
03cbdeb5453d12c0cd0318fff26ed34bf2ca866f

SHA256
9661274a3cd055195f3a505612b464e2f44e622e2be615d16da3aed16980254d

SHA512
48a24d6b703dd9f49ad591864d4e41f3d0455101a552df6ba6542c6d78cca8359de58c2d728db924d6f88a50ea6ee5f04370350d0a90588085d01706f40a52a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Generating

Filesize
30KB

MD5
82b70444aa9f8357adaaf31271f8e4a4

SHA1
e1abf021623e712d8247f8fedf73d2ecdde6e825

SHA256
fb354b3c6975e2e200d1339413c5bf2950bd96348bd65a9f6cd79f6aa4f8b81a

SHA512
ce84abb5e414c73a8c66af34e52bc71df9fbafa53b9d9f7a89ef422b9cfeceaf3c9203d7eb0402b6bbed972e9deaed6130cd782b6730225bb7fe40b9d42596dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jo

Filesize
141KB

MD5
be98376c43b6e77c84dc8bceb9fb867c

SHA1
a8d68f5a4e0cb7254227429b489aa476645be378

SHA256
99dc672aba695a5c2d3687fef987210e6e0bb98f6537a0aea528d62c9f0db076

SHA512
c8562a7455e3494cdfcf1e02902594371502c48b02a85b28825ce605750731b9c374e4e8059b7e76153e5b2b4d51e2ae7686e21c5d772855ac8deb9801d6144c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lift

Filesize
98KB

MD5
efdce92cab1725799cd6c932911962c0

SHA1
fc97f264d126f2a49bd599d9d26ad8a1295f5c1d

SHA256
f93cbb7b1ace97940920d5a16a37b3c63a846b9267fdf9a63aec03afcab1b723

SHA512
cdce3c3beb4a4445e513856347812b3e1d40d673be209f2e14179509b76633949e620ffd6e8e8e296780675a576baec79931eb1ef8e5017276b0cfc6a836ea44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lung

Filesize
120KB

MD5
e253ee71caf8e75ed1eeef89666e3024

SHA1
fa49dbb2631acb29fb6706cd984c970c437692b0

SHA256
9c98a8ac9f592b03f86293be2ed8f850bf65ccf554e2f7e81f900bfae150a2ed

SHA512
e1d6a09d56f0621828af2a52b841b4c7d4950f10986b9cac818c7a7ac85b2c1f7120c929cb35f62c5d88c4aeee02cc3d0f742aa5ee9522cf1951558ef19a7663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Planned

Filesize
100KB

MD5
650b533486bb97f1294ffca7a90cc99d

SHA1
378a53a5795e91df99233f39366157f3bc9277b0

SHA256
f0f4b946ba3a0bd5dac12d4073f7728a87db52581ddf36cf0170bcdef7b396ed

SHA512
d41750cf4e20f770d5e1f2767194eea25f59052b1b5e7b7a178f4fd2db7329c67f1645c4ea46bd1a0bd7664c474287f35c7ca7d595afb00fe681357f3ab1b06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Representation

Filesize
96KB

MD5
ee51e9173ea033256ae71ddef06002a7

SHA1
9faa3aac3237f3c8104ccd6b1442258013c0d416

SHA256
2b79e22c4ef109efb4696a49325b231cfd7620eb803cdd1a3329ef3f419bf97d

SHA512
67fc63b35cbf3f07e7eb8017ed2e4a45de5e6141926445320641d1e9c4ba552536590b142c0511f84327825e0a835e30fb019b112923ef875734119d29dbd96a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rest

Filesize
82KB

MD5
a45df4a76e66e132990239834593f008

SHA1
71f22c922855091a050c16e7f6cd0244ab94a60e

SHA256
dfa64a6be425cfb4dadc67ce1f2fa3f7da7a5a3e25dbb3faa072592167c501c4

SHA512
c14a27ea7f23078fe0d3a3ca4ef5d5d172a4e64f70d8fc84b007ff1589780a1d698d572b1d0069f67ac50303d70dd15535716607f6ce260c81b93fd1786d7b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rocket

Filesize
13KB

MD5
342fb29e355cfe8a067cc3d2c150273f

SHA1
563f2c51eb22ce131c09f91b34bcef1dc5a4da75

SHA256
00e2a387887e4584dc2fabda5a974626d3e988dc7f9f1296202e2c6aa9788b9c

SHA512
a1d2f0ebef867bbcf2caec8f1c3f2bccf438f583ac9d3404d00f5e4f9c5730499046dcf78e7e987c9006b86f9d6321a582991807cdf2f26bfaa7c73f7f30c668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Scientists

Filesize
82KB

MD5
a4bec35fb270d1b09c1ae44b53228459

SHA1
6d776de16eab28231245e23d4cba59494991282b

SHA256
a16f57ddc9e472b38626789a1d633d2d13697d0f2a95de2f0e5f8571988d78c8

SHA512
b0eec15f2ab6fb0a99c667a2178cfee4e427c49b94770b6f14ba04b042b58232ca65c9b3bd4711b429a3c8e2d73f2e8753a32ac809c29634ac43dadab7db96a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Structural

Filesize
96KB

MD5
c547d43e138d6cf2d3ff1c38ff414da1

SHA1
81de83bb236d4be125f6d0a9c5cfc853a036f0a6

SHA256
76683d45c58556b05b8e59effc3a9e157ddb1f4685f3ac19d4b5fd1172a87e15

SHA512
4b31e1c03aa348c6f72b338fad39b70ad8d6008c526ee713d0aa25260af7687d78b168b56e243c97500bade729e3cb0c2243c2ffc83fbe37fb1020d1ee3ed3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Surveillance

Filesize
36KB

MD5
24310ec60fedc38da8edc515aa118b5c

SHA1
526f9048e0971cd292a44dded1747cf29a27e33e

SHA256
df7f9ed08c1af4e37685647d11152c734030abe61e21f7cf73b87c4aab0d8a6e

SHA512
0a173a0c914c4b4fa701c77966f71e5ede65ca04600e7df062d823c5e44c27652819a902213535d66556526abca578c37e91ea65f894631426fe7f1fc3ff7bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Three

Filesize
62KB

MD5
645c07675bc6f6a339c6129be8ee1d01

SHA1
33a023a3b6025c4785c00b4c9f9f091acc0ec50a

SHA256
15dafb3c8b4c7c897e17b75287f1a342142a8b2178de1ec02e04d3b5c8d3b46a

SHA512
572f03b1649d84251e8b022b39b08e5cb7ade2ced912c29be0caa961a90a6902745e8fc7c78f87892421311725e8c26fba9548fb24ef0e2d74df8bc1fd73e510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Violent

Filesize
477KB

MD5
22e569096835ca8af1ab0b5955e9e61a

SHA1
98cb358b3c3269ec650401e5bf200364b6cc5dd7

SHA256
34ccc3d32cd309557e54af3a1237661c34791ea4f70603fb69315d699b2e90d0

SHA512
1a47c0e3d8541eab4346f2ff6711444d837902de78349680a9117a0548ec04f170b592fbe6737c5eae8f87e60340f40da34aeaeb5b2feb1e3280dac01c1bfcbc

Download Submit
memory/3184-64-0x0000000004EE0000-0x0000000004F3B000-memory.dmp

Filesize
364KB

Download
memory/3184-66-0x0000000004EE0000-0x0000000004F3B000-memory.dmp

Filesize
364KB

Download
memory/3184-65-0x0000000004EE0000-0x0000000004F3B000-memory.dmp

Filesize
364KB

Download
memory/3184-67-0x0000000004EE0000-0x0000000004F3B000-memory.dmp

Filesize
364KB

Download
memory/3184-68-0x0000000004EE0000-0x0000000004F3B000-memory.dmp

Filesize
364KB

Download