lumma | 346d55b4ff926148b5920a8bc6a43081986f2aed5cf350f93b89899fa16f8a68

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypto Seed Checker 2024 version.exe
Size

646KB
MD5

07feca81b29907ce6550288a7d2b8821
SHA1

6252d362fe96293254a1f284a95355440a2dc2cc
SHA256

eb28c83590f742bb8a12d01f4692421786b6a04dcf9fcc31df93de6d0068b717
SHA512

add0f86c572a83d4d2baa8a3d79db1ce321ae846aa02afe559abc91da0bd8ca6bd3969f4e75372ea606057436fc5e3353c71d23feef843340c41be9d0b72d800
SSDEEP

12288:J4CD99jUhaQS/Aby46x4YFFR5WQ/Ee4vbDAt8G+DiBezmm72kiz5iIrSEO:Osbkaqx6xDR5BEe4X2jnBeKPIt

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	JvUlTLOksc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.exe	JvUlTLOksc.exe

Executes dropped EXE 4 IoCs

pid	Process
2140	JvUlTLOksc.exe
2764	NICK8cm5L0.exe
1556	NICK8cm5L0.exe
276	NICK8cm5L0.exe

Loads dropped DLL 9 IoCs

pid	Process
2568	Crypto Seed Checker 2024 version.exe
2568	Crypto Seed Checker 2024 version.exe
2764	NICK8cm5L0.exe
2764	NICK8cm5L0.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 2764 set thread context of 1556	2764	NICK8cm5L0.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2580	1672	WerFault.exe	30
2624	2764	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypto Seed Checker 2024 version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypto Seed Checker 2024 version.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NICK8cm5L0.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2364	1672	Crypto Seed Checker 2024 version.exe	32
PID 1672 wrote to memory of 2364	1672	Crypto Seed Checker 2024 version.exe	32
PID 1672 wrote to memory of 2364	1672	Crypto Seed Checker 2024 version.exe	32
PID 1672 wrote to memory of 2364	1672	Crypto Seed Checker 2024 version.exe	32
PID 1672 wrote to memory of 2092	1672	Crypto Seed Checker 2024 version.exe	33
PID 1672 wrote to memory of 2092	1672	Crypto Seed Checker 2024 version.exe	33
PID 1672 wrote to memory of 2092	1672	Crypto Seed Checker 2024 version.exe	33
PID 1672 wrote to memory of 2092	1672	Crypto Seed Checker 2024 version.exe	33
PID 1672 wrote to memory of 2360	1672	Crypto Seed Checker 2024 version.exe	34
PID 1672 wrote to memory of 2360	1672	Crypto Seed Checker 2024 version.exe	34
PID 1672 wrote to memory of 2360	1672	Crypto Seed Checker 2024 version.exe	34
PID 1672 wrote to memory of 2360	1672	Crypto Seed Checker 2024 version.exe	34
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2568	1672	Crypto Seed Checker 2024 version.exe	35
PID 1672 wrote to memory of 2580	1672	Crypto Seed Checker 2024 version.exe	36
PID 1672 wrote to memory of 2580	1672	Crypto Seed Checker 2024 version.exe	36
PID 1672 wrote to memory of 2580	1672	Crypto Seed Checker 2024 version.exe	36
PID 1672 wrote to memory of 2580	1672	Crypto Seed Checker 2024 version.exe	36
PID 2568 wrote to memory of 2140	2568	Crypto Seed Checker 2024 version.exe	37
PID 2568 wrote to memory of 2140	2568	Crypto Seed Checker 2024 version.exe	37
PID 2568 wrote to memory of 2140	2568	Crypto Seed Checker 2024 version.exe	37
PID 2568 wrote to memory of 2140	2568	Crypto Seed Checker 2024 version.exe	37
PID 2568 wrote to memory of 2764	2568	Crypto Seed Checker 2024 version.exe	38
PID 2568 wrote to memory of 2764	2568	Crypto Seed Checker 2024 version.exe	38
PID 2568 wrote to memory of 2764	2568	Crypto Seed Checker 2024 version.exe	38
PID 2568 wrote to memory of 2764	2568	Crypto Seed Checker 2024 version.exe	38
PID 2764 wrote to memory of 276	2764	NICK8cm5L0.exe	40
PID 2764 wrote to memory of 276	2764	NICK8cm5L0.exe	40
PID 2764 wrote to memory of 276	2764	NICK8cm5L0.exe	40
PID 2764 wrote to memory of 276	2764	NICK8cm5L0.exe	40
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 1556	2764	NICK8cm5L0.exe	41
PID 2764 wrote to memory of 2624	2764	NICK8cm5L0.exe	42
PID 2764 wrote to memory of 2624	2764	NICK8cm5L0.exe	42
PID 2764 wrote to memory of 2624	2764	NICK8cm5L0.exe	42
PID 2764 wrote to memory of 2624	2764	NICK8cm5L0.exe	42

C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe
"C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe"
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe"
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe"
  2⤵
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe
  "C:\Users\Admin\AppData\Local\Temp\Crypto Seed Checker 2024 version.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\JvUlTLOksc.exe
    "C:\Users\Admin\AppData\Roaming\JvUlTLOksc.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:2140
- - C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe
    "C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe
      "C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe"
      4⤵
      Executes dropped EXE
      PID:276
  - - C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe
      "C:\Users\Admin\AppData\Roaming\NICK8cm5L0.exe"
      4⤵
      Executes dropped EXE
      PID:1556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 512
      4⤵
      Loads dropped DLL
      Program crash
      PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 528
  2⤵
  - Program crash
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\JvUlTLOksc.exe

Filesize
11KB

MD5
5afb8ce4dd3923219bd69bd7b5168d91

SHA1
e06283294510284af9082eb67d368e6d88d9e232

SHA256
f727bba8d917fa3f129d71745e0741a8511f940b1a6817ff5130aa2f3ae85c79

SHA512
8135efb34c768a9c292b54bc25845dd9b388e98f9f0b67918fbf5887c8e1d3da81bb84e044eebdf0868c40a685bd157daafb4789b373dea3e273c5275ebd0740

Download Submit
\Users\Admin\AppData\Roaming\NICK8cm5L0.exe

Filesize
381KB

MD5
a609440ff44e49322c92cbc9b081b665

SHA1
bfe2f35ea18a797b4048c4f6b8b2435a8801c225

SHA256
9e5e374fc7bd6937b1e35249b7c70cdefdb44e1aae7d9bb35c3bb67c1ef864dd

SHA512
a0c283daa88dd39a92031f5bba68523563a647f7a5f7e8dacfcdbe74ee2e41db9e304284e5fdd6e1ac7a8c8767febd0c193224b41c86af9b2d62e2759c036b6b

Download Submit
memory/1556-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1556-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1556-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/1672-58-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1672-1-0x0000000000120000-0x00000000001C6000-memory.dmp

Filesize
664KB

Download
memory/1672-15-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-56-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2568-16-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-7-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-28-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-12-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-6-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-14-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-5-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-30-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-13-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-8-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-3-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2568-4-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2764-32-0x0000000001070000-0x00000000010D4000-memory.dmp

Filesize
400KB

Download