lumma | 20b27b89797acc64cf602900667eecf81148a77938af21f6c0c10fcf96527e61

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobeSync.exe
Size

1.2MB
MD5

f778e9136ab0db9de9802a7043de50a7
SHA1

850dca074534a14fdb9ada6afaceea88558764e0
SHA256

90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a
SHA512

cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156
SSDEEP

24576:+heavSigvk0vhkzswHD4/V3OQdnYKYc4wXUyuy1:qP710vezrj4dJYFYUyuy1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2240	AdobeSync.exe

Loads dropped DLL 4 IoCs

pid	Process
2688	AdobeSync.exe
2240	AdobeSync.exe
2240	AdobeSync.exe
2240	AdobeSync.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2908	2240	AdobeSync.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2688	AdobeSync.exe
2240	AdobeSync.exe
2240	AdobeSync.exe
2908	cmd.exe
2908	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2240	AdobeSync.exe
2908	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2240	2688	AdobeSync.exe	30
PID 2688 wrote to memory of 2240	2688	AdobeSync.exe	30
PID 2688 wrote to memory of 2240	2688	AdobeSync.exe	30
PID 2688 wrote to memory of 2240	2688	AdobeSync.exe	30
PID 2240 wrote to memory of 2908	2240	AdobeSync.exe	31
PID 2240 wrote to memory of 2908	2240	AdobeSync.exe	31
PID 2240 wrote to memory of 2908	2240	AdobeSync.exe	31
PID 2240 wrote to memory of 2908	2240	AdobeSync.exe	31
PID 2240 wrote to memory of 2908	2240	AdobeSync.exe	31
PID 2908 wrote to memory of 2832	2908	cmd.exe	34
PID 2908 wrote to memory of 2832	2908	cmd.exe	34
PID 2908 wrote to memory of 2832	2908	cmd.exe	34
PID 2908 wrote to memory of 2832	2908	cmd.exe	34
PID 2908 wrote to memory of 2832	2908	cmd.exe	34
PID 2908 wrote to memory of 2832	2908	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\AdobeSync.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeSync.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe
  C:\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab7300.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7322.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0f3a33b

Filesize
1023KB

MD5
1bd2def42eb239073f043e3971621428

SHA1
746af515b3a2a41f718e8748abd3e67ab83431fa

SHA256
8a54c3509c7d1f24369208f30e5e9b7d43ce832bbea197a32cc76f6f4df5a813

SHA512
54c8e54f69b7e7c07d31444c86721b3220a7450b38771cd283ec777d3fe1de2fc824f612c6468a0b6f6031cf8ebeab4c509f6741b913f3d37eeffef6e95ab25a

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\AXE8SharedExpat.dll

Filesize
165KB

MD5
c8c0cd5ae41f0ca14b008d1d367fc438

SHA1
ea249f15b6cb7bd34c2b164a9a7de9d53faae579

SHA256
85a6260a81c8fbc3897ae84199b0c19ad52c1aa20eccd16bc1bff87ab4232f0e

SHA512
e3b4c2727a013a9e546926db9c8719fff02c99c5e37aabaf2d5e781e0c413e4ec5373518d5222b27a9d40055a09126ccd14188ad8eea57825197b794db974862

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\BIB.dll

Filesize
107KB

MD5
759d71fc9442ab5a9b5749c0f6c0c263

SHA1
07a68c6922d443eb9d6d445da18ae8a6d92f7ac6

SHA256
109647f58e7e8386a4c025f2c8175a4d638e5c0e62768953390764010ea22a2e

SHA512
e3efe66c76ea81285ba01b1978fdb3e807eb0bf2cfe0373bb6fef06f2fd7d9ddc3269acf0d87517cbf9bea5fa09b2703a03792491dc8265d26b724d7dca106c7

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\austral.wav

Filesize
783KB

MD5
d577f2aec0dfaa1614db20ee110da000

SHA1
131b1bf456b399140cfaa14e3bc3eafc1628cd02

SHA256
8d21a1b5060fb8e601037bcfcee715cfae3dfb8412c2aa063bb0dff31f6ec427

SHA512
837a6a456d7be965e85ef09181da2d912759769861d29ceb04974050b3caf5cbfce595747a7fc417c12f481791cce1260cf9e62b6fc3a623be0a893a42052d6f

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\delft.mov

Filesize
26KB

MD5
4983038214bad6dc024c52b6b38e1b25

SHA1
a341ca52d4f57576380267de939e2c86e8673ab5

SHA256
848300f74e3fac2a68ff57dd804c83aa017c89b74e66145614d597dd56aadddd

SHA512
eeffda90fbd44d9f4407233d9881a55bbd6e8debecacff38c740b75c74bc588de0d3322fcf0d43d445ea79ab802348efb81a669beb77cd78da4f792ac2d5a62a

Download Submit
C:\Users\Admin\AppData\Roaming\ultraadvanced\sqlite.dll

Filesize
243KB

MD5
596439b3a9f9ea44ff28e2974f69ab07

SHA1
a2074cd3d39045902f82a072455420ab7101a036

SHA256
8cc91d57d45b46b3439eaa017bf1deb8e177f15245ba6f18ebcf2bd0a173a4f3

SHA512
1de8d41fec0844999b88c0cb738aac71c0ae895a51e91f6465afaa864537e692e4576e6699b4976e62aa2c38ef9125d9aaf09a72acaa068a0c2b05d413af858a

Download Submit
\Users\Admin\AppData\Roaming\ultraadvanced\AdobeSync.exe

Filesize
1.2MB

MD5
f778e9136ab0db9de9802a7043de50a7

SHA1
850dca074534a14fdb9ada6afaceea88558764e0

SHA256
90803a583e9f693de5e7b8a196832436f6f648b27fb82e55904c256f30cc8b3a

SHA512
cd6c5c3537f05ad5826d503e38b8e6ef2eaf668616bec15ba51ad3d81e0337a72779d7ca6af9e8ebee12d713891b30c0b73bf34718552bc9f4e7d8909b998156

Download Submit
memory/2240-22-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2240-23-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2240-24-0x0000000074D43000-0x0000000074D45000-memory.dmp

Filesize
8KB

Download
memory/2240-25-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2240-28-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2688-0-0x0000000074D90000-0x0000000074F04000-memory.dmp

Filesize
1.5MB

Download
memory/2688-1-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2832-36-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2832-37-0x0000000000130000-0x0000000000189000-memory.dmp

Filesize
356KB

Download
memory/2832-40-0x0000000000130000-0x0000000000189000-memory.dmp

Filesize
356KB

Download
memory/2832-75-0x0000000000130000-0x0000000000189000-memory.dmp

Filesize
356KB

Download
memory/2908-33-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2908-35-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2908-32-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download
memory/2908-31-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2908-29-0x0000000074D30000-0x0000000074EA4000-memory.dmp

Filesize
1.5MB

Download