Analysis

  • max time kernel
    95s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-01-2025 01:26

General

  • Target

    4dbf3891ef5bb0e734b67630fe2b5210035d56307ad663f3867d9ebcdd00497a.exe

  • Size

    70.0MB

  • MD5

    8139ecd1163d5fcc41821dbb61ddc2ff

  • SHA1

    707f18cc33e9ba8f7ada11b202b44876d375cecf

  • SHA256

    4dbf3891ef5bb0e734b67630fe2b5210035d56307ad663f3867d9ebcdd00497a

  • SHA512

    fdadbf19f27dc1c53b06834b1e5e196044cef456fe00a192d33c7fe3fab9ad990768133d006e41e43c2c727e7a2991f1fc5e279d315740a81240c66871ba44ec

  • SSDEEP

    24576:TetiuQ3DguTjn4J5h5CGo9K2Y9iQ0pUIfH5Bk4+aKb7jb7j:qAB3Mcn4JrAVVQ0pVk4+7

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely used for geofencing.

  • Executes dropped EXE (1 IoC)
  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4dbf3891ef5bb0e734b67630fe2b5210035d56307ad663f3867d9ebcdd00497a.exe
    "C:\Users\Admin\AppData\Local\Temp\4dbf3891ef5bb0e734b67630fe2b5210035d56307ad663f3867d9ebcdd00497a.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Manor Manor.cmd & Manor.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3764
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4956
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 446130
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3084
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Relations
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4976
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Onto" Lifetime
        3⤵
        • System Location Discovery: System Language Discovery
        PID:784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 446130\Establish.com + Jon + Suggestion + Career + Biz + Build + Getting + Diving + Generation + Crossword + Betting + Lender 446130\Establish.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Teen + ..\Alabama + ..\Important + ..\Drawings + ..\Den + ..\Sluts + ..\Names u
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1044
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\446130\Establish.com
        Establish.com u
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4484
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4316

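The tree above is a staged loader: the renamed batch script (Manor → Manor.cmd) greps tasklist output for security-product process names, unpacks a cabinet with extrac32, rebuilds a binary (Establish.com) and its argument file (u) from innocuously named fragments with copy /b, runs the result out of INetCache, and uses choice /d y /t 5 as a sleep. The Python triage helper below is an added example, not part of the sandbox report or of any tool it references. It re-enters the command lines from the process tree as constructed process-creation records together with the fragment sizes listed under Downloads, and checks what a responder would want to check: which security products the script looks for, the exact reassembly order of the two copy /b chains, whether the fragment sizes account for the reported 925 KB and 493 KB artifacts, and which binary is launched from the cache directory. The Proc record, the parent links (taken from the tree nesting) and the 0.5 KB-per-file rounding slack are assumptions of the example.

```python
"""Triage helper for the Lumma loader chain above (added example, not report code)."""
import re
from dataclasses import dataclass

SAMPLE = "4dbf3891ef5bb0e734b67630fe2b5210035d56307ad663f3867d9ebcdd00497a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
INETCACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache"

# Security-product process names the batch script greps for, taken from the two
# findstr command lines in the tree (compared case-insensitively).
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


@dataclass(frozen=True)
class Proc:           # assumed record shape for a process-creation event
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed input: PIDs, images and command lines are the report's; parent
# links follow the nesting of the process tree.
PROCS = [
    Proc(3784, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    Proc(5036, 3784, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c move Manor Manor.cmd & Manor.cmd'),
    Proc(2072, 5036, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(3764, 5036, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    Proc(2088, 5036, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(4956, 5036, r"C:\Windows\SysWOW64\findstr.exe",
         'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    Proc(3084, 5036, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 446130"),
    Proc(4976, 5036, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Relations"),
    Proc(784, 5036, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "Onto" Lifetime'),
    Proc(1820, 5036, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b 446130\Establish.com + Jon + Suggestion + Career + Biz + Build"
         r" + Getting + Diving + Generation + Crossword + Betting + Lender 446130\Establish.com"),
    Proc(1044, 5036, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c copy /b ..\Teen + ..\Alabama + ..\Important + ..\Drawings + ..\Den"
         r" + ..\Sluts + ..\Names u"),
    Proc(4484, 5036, INETCACHE + r"\446130\Establish.com", "Establish.com u"),
    Proc(4316, 5036, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]

# Sizes in KB of the dropped fragments, as listed under Downloads in the report.
# "Establish.com" here is the 1 KB seed that the copy /b command prepends.
DROPPED_KB = {
    "Establish.com": 1, "Jon": 121, "Suggestion": 78, "Career": 84, "Biz": 127,
    "Build": 107, "Getting": 51, "Diving": 58, "Generation": 61, "Crossword": 94,
    "Betting": 100, "Lender": 42,
    "Teen": 63, "Alabama": 98, "Important": 80, "Drawings": 92, "Den": 51,
    "Sluts": 78, "Names": 31,
}
# Reported final sizes in KB of the two assembled artifacts.
ASSEMBLED_KB = {"Establish.com": 925, "u": 493}


def security_product_checks(procs):
    """Names from AV_PROCESS_NAMES that a findstr searches for while a tasklist
    runs under the same parent, i.e. the classic `tasklist | findstr` AV probe."""
    tasklist_parents = {p.ppid for p in procs if p.image.lower().endswith("tasklist.exe")}
    hits = set()
    for p in procs:
        if not p.image.lower().endswith("findstr.exe") or p.ppid not in tasklist_parents:
            continue
        m = re.search(r'"([^"]+)"', p.cmdline)
        if m:
            # Without /C, findstr treats each space-separated word as its own
            # search string, so one call probes for every listed product.
            hits |= {w.lower() for w in m.group(1).split()} & AV_PROCESS_NAMES
    return sorted(hits)


def copy_b_chains(procs):
    """Map each `copy /b` destination to its ordered fragment base names."""
    chains = {}
    for p in procs:
        m = re.search(r"copy /b (.+) (\S+)$", p.cmdline)
        if m:
            frags = [f.strip().split("\\")[-1] for f in m.group(1).split(" + ")]
            chains[m.group(2).split("\\")[-1]] = frags
    return chains


def verify_assembly(chains, dropped_kb, assembled_kb):
    """Per destination: (sum of fragment sizes, whether it matches the reported
    size). Every listed size is rounded to whole KB, so allow 0.5 KB per file."""
    results = {}
    for dest, frags in chains.items():
        total = sum(dropped_kb[f] for f in frags)
        slack = 0.5 * (len(frags) + 1)
        results[dest] = (total, abs(total - assembled_kb[dest]) <= slack)
    return results


def triage(procs=PROCS):
    chains = copy_b_chains(procs)
    return {
        "av_checked": security_product_checks(procs),
        "assembled": chains,
        "size_check": verify_assembly(chains, DROPPED_KB, ASSEMBLED_KB),
        # anything executed straight out of the browser cache directory
        "dropped_exec": [(p.pid, p.cmdline) for p in procs
                         if p.image.lower().startswith(INETCACHE.lower())],
        "delay": [p.cmdline for p in procs if p.cmdline.startswith("choice /d y /t")],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The size check is the part worth keeping in a playbook: when a loader assembles its stage from fragments, the fragment sizes in the sandbox's dropped-file list should account for the final artifact (here 924 KB of fragments plus rounding against a reported 925 KB, and exactly 493 KB for u); a gap means a fragment was not captured and the hashes above cannot be trusted to rebuild the payload.
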
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\446130\Establish.com

    Filesize

    1KB

    MD5

    46d7a27e93652899503b2f920a4aef47

    SHA1

    a113ef6717dbbab9a82c318e4072ffd2fdec50bc

    SHA256

    50cc77f4b8765a02f38a9c6d44d061e404badd80d6f62d11be05f1a721838330

    SHA512

    d0e748cd3265caffed85ca1bef79e7ed59a8c26cbfda30195a0e4a11d2f5518175f6fc3755ac03ab34880d7b532e813ce3e3d86788df16693e1a756c0f836714

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\446130\Establish.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\446130\u

    Filesize

    493KB

    MD5

    7285bf966c220db124ece8bbd9a59b7a

    SHA1

    2bf488418de8c7fc83d97944f71608309027aa7f

    SHA256

    5aa1dc3cf9b455ac03847ef9877caa97a654a34593697fb66489c7acc2dd4aeb

    SHA512

    090a265e4dbf978e9fce4819bd043a7cc14c2eee396f598908aa701061da53e335d41ed6b920c234792ba430ab1d22a0fa93f4e5ac04f8c48d5c6e9df3bea4ca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alabama

    Filesize

    98KB

    MD5

    fa299c830e33a1df942763e78a44ff36

    SHA1

    0382fa401fdcd9930bcfd732d2c7c38bdc2fe55b

    SHA256

    ee014925bd3b6332a435a69a3d0a39e7f2bf8d7188173ec8545591f39bcb3f37

    SHA512

    ccdf7ed32ec9248f5b1da891995e5858ea2b3023768191c65b9779f2054acc56b36f40297d4405572125b6727527c63746394cc576803e62f3b83bfb2f081585

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Betting

    Filesize

    100KB

    MD5

    08688c69a031bd4ffd0e656db8483c09

    SHA1

    4a46a871fe6ab806dc386480d6e460e2d53db5c4

    SHA256

    de6a215ab3dcd2a0ad9e49eabf1398dccad75e8c0746292b31830a799408c568

    SHA512

    a017d50df31d07281f20fa60327b5cba584014133020f9f8e214593e5c79195d680db330f1197c9c792c4986d5428c28f84a34ff9a4fc90bca916e59fd814504

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Biz

    Filesize

    127KB

    MD5

    e4a9934dd7473b09aa1509a04bc97507

    SHA1

    f8c9635e842f8b42be417a502eee18a2476aac9d

    SHA256

    d67d531deb3eb63a28e59ed43a9c27916f07ae8ff136692b4b47f0c05f72cce0

    SHA512

    86d6f3a8f8535047f1400238374ffb4e45238406072ffc01ef13119c0335d09e2ac07f87ff542cef85e6348addc71a6432a5fa4366e6010fbbefb536a9d22db2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Build

    Filesize

    107KB

    MD5

    c48c0679685c473a47c3891e4d02b9b2

    SHA1

    8353aa4a00111a51834d0173666b2b2e12458f54

    SHA256

    ca8fb1c7caf38d7483697762becac0c29af09f2d2705366fbc941c30d53b7262

    SHA512

    307b37655015caa27b06896b27d0eb298272ac57ce00e66e119b1d8f0e87e806f86a6335e522a075f181c01047cca6729569c38e5ec47eddcc37498f5af627a3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Career

    Filesize

    84KB

    MD5

    4c97b36b018276c1cfea2caf84412819

    SHA1

    2f8f52132a89dd5f2c7ce7b63a010af30cc6bf6a

    SHA256

    37281a1856b71c3ae5ad48cdf5f069c2a37017578925097b52c9c8ae316574d3

    SHA512

    1b6c9833d846bbd9fedb48d156aa40f7dc760e2268c3eeac486c81ddfa6b6cadbeee07350e8e5448ad19689e684b944b77e7f1abe94b0c876eed19cd9272623e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Crossword

    Filesize

    94KB

    MD5

    6892f6d8aedbfc545aecd2516d291852

    SHA1

    f9ab8142bd021bd6e7d58c26e44517d5c626d09f

    SHA256

    859a1095806fdcb198915c0bcb29da52e9d48f5572e7a5573ef844379bc2abc2

    SHA512

    d9dde62a15f9e16f02bc8693bef93a5d7e633cc188ff63ecf235af388492b055b16df31fb2cf1bba784ec8ee1f74c2459688784d20e306c1226a3623c822796c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Den

    Filesize

    51KB

    MD5

    5defd3f542122b3a5abd75b165e2cc7b

    SHA1

    af90ba1705c6e747bfa0d55de089016b0727b065

    SHA256

    5eeb8af7e11b5dc69e16c0b844112c5011f1d8968459f6ef35a164c85c023e7c

    SHA512

    1fd0404e890cdf8d3f6ba9daf0d8421898fbff54dfe25e13bc680232bee002acec5df1d1a83a6e5463b40591a1a49bb35ae9e2b774c9cc2ac3f281d35336e4a8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Diving

    Filesize

    58KB

    MD5

    c2d0e0e738b4403f77dd8cf784f31196

    SHA1

    bfc2a8e631e2bfe96b45b776ff65cb0ddf9c1156

    SHA256

    e73f3dba278020693fe12965b07fba4d65660b3d060c329d109ecbcf31cd70c7

    SHA512

    02b4e4c99c7e4d831fc3feae619ec607be20acd29a73c4d2049fb3855479a40fd38d6fdd727641264d33676d83a58b30b04b52d4532ef1298b666d5de1492a6c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Drawings

    Filesize

    92KB

    MD5

    6653a3faceb89300be8c6678416e1756

    SHA1

    d98f1f82bc255a10fb3653aa9b6fb794b9b67d19

    SHA256

    c4b45b1caf5665f279b4b23223bfb9248788c254feb22a80553d2e141e068a51

    SHA512

    e0d02ae5486ad3b71567dd0b552b3a8d59704fad96bba68e96f3dbe17238bcd6ad68086adeb7840416dbb90e31eab891ea0b031c6b1cba4094665cc17ebc3044

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Generation

    Filesize

    61KB

    MD5

    95a6c62645f880f16de580f6582466ba

    SHA1

    501a218305b8293669ca446345d7fa9c16f087f1

    SHA256

    8a2ba2eede03cd0c63111055ef9892bb3a745e00359a84010b9726cb95f2760a

    SHA512

    fffc0b9b42edc25417dbdbbd7ea034d3a7f8eff7ee37a5dc79f0774c128914f1922ad00c514a39f3ddf47676f950828dc96603015ae421bbd5b2bea345b8076c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Getting

    Filesize

    51KB

    MD5

    22061e39a2e5a05cb18ff97072d7df38

    SHA1

    ab6a2106a3d637beb6194ac6483e965b80bf0b6b

    SHA256

    418fd2806d521594fe53d8fd14f6e4db9478c94ea9da3b4b43147dcdd19ffff4

    SHA512

    bc484108ef351e56cba4633fa99b9be837c9946c9d1053dce260f3023d0855eba92ad4aa35261e604c20c33bea0e3dd529df5c457acd147a7f96e932c68b200a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Important

    Filesize

    80KB

    MD5

    adacc2f80343487d73b16f8123c54b7d

    SHA1

    c3f20a9763ca451fe05bd52d749cdbba72697f99

    SHA256

    b08bbea7033a56f42b720ccfe7998e9420bc9561f5069afe30ca8aaaac908a7b

    SHA512

    d74e712ddb755ebdbf4a1c0b09bbeb59cbf691ebb30f99f7b3abbe953d950b40f4ddae1e5800e3678ff42121b79c130a01e5aa508b80b61a6ed24b01bfdd570a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jon

    Filesize

    121KB

    MD5

    8340aa793c44278994245d0e1e22bed3

    SHA1

    46aae2345be087af081f84b12a45b7dd323194b4

    SHA256

    69d62f5b19c8c0559dfe5ee0e8d9c28251187c4970af93e805e6e0680b5556ba

    SHA512

    8f55f581234f7884b6860913d4980334745a6a8b631396fb418001d14fea4c84ae6527bbb481b7e67c173f22411d81a836f480b705f5576ebb906e2b3713c4de

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lender

    Filesize

    42KB

    MD5

    2e2bd7823f992547cc126f7c518577cb

    SHA1

    336884fe3c4fecb7e25986cf081aef2621063ba5

    SHA256

    6bc170392d6e9b1869771304bf95a29bf79a4e9fba8e649efa3c130660140e2e

    SHA512

    35df4344a247aeeb6acab8abd33feb8381fcc2e5ed93345978e88cae9ed4f58fd44deeb354dcc3cdc52ea0e5f5c80e633aacd48f6c548d6c7b34ef39519ce30e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lifetime

    Filesize

    1KB

    MD5

    ae568d06eba40193fca35d5af1264538

    SHA1

    da9102016865cd88bfe3ed642438293655c133de

    SHA256

    ee4f9382261bee98c7f5c3511144985dd79856bf4745665ff59444a754623187

    SHA512

    c58055fa4efe217a3fcd55f11d40bc8ac07a3cd9e587ece49366154eef44c43aa94f3d2b629690b0b7220af3785d8d2d21f89c0f08f2bfba40031fb41045b1e5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Manor

    Filesize

    16KB

    MD5

    d56c18404768483c2484a502b0da5fc4

    SHA1

    24f46c5cb1ffefc7819429e299131b7ce6c69dbd

    SHA256

    b820146a0717c92007a6c5cde0fbed169576e1e31d3ba5bb456ed04ff9f0e9d3

    SHA512

    ecd6ece095ee49f4f068ec8e66ec89944b7de266205093911db49ae4a3f43a4ff14c724942d57dd5f2abf120e755000f03a1664525a4745b5c410b892df0c200

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Names

    Filesize

    31KB

    MD5

    57b6a485627baecfa5dcfb502302f5a1

    SHA1

    0f36b91d007df089cf64f3ce2b3ac415240e6255

    SHA256

    b136e3405bffb3f933d9d0d2e58d60d7c0f3c9c524ed7bc35ab5e062e507113d

    SHA512

    14be628bc143dbf96166d6ffec1445ce2e403d0504192490f372545fa8315f9b1cdf57aa914fb0b8615cdd2e8d8128d2bb9c0aa0d5ca59f9507b6bcb559d7b8b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Relations

    Filesize

    477KB

    MD5

    5e0de4f2fd4d38ee81a15ac14ce2c969

    SHA1

    13ee0492ee7045ca06d5d9def2cfab5c07452e58

    SHA256

    7a2a356b7f46e4f37999dd9ce3ecfa7a66ce7dda4fb5a61cfb7dc840489b7fc4

    SHA512

    7c48605f945ed6715c490a8fa17ee906b1e26907862b0e9fc1cbfdbbb19d924367b7af6f3bf5806fa81ed9c84c62e980584cd626582e7bed5939bfdf0f9801c7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sluts

    Filesize

    78KB

    MD5

    28d8add8d0a4c5df5c6a4b44dde54d38

    SHA1

    d6686f5086e126744ad9754749afcbd0b0eb6c33

    SHA256

    5f7f9cf7166f9332d99893bdf51ff2e89eb882859ed4a61431753629db9219e7

    SHA512

    99c45bb1611d0472095acb01ef8668c03c84239ee6e187a6e775031b02d2b634a160b3b0413082a34f67513a1d557659f1b5140982ef9fdb745621932e8e81c4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Suggestion

    Filesize

    78KB

    MD5

    8962d624f9206bc21e436e50875baa4f

    SHA1

    ebbd36c8e978ed1657533721b9b343b9c46b7425

    SHA256

    59393af256c1c55406511c5885b1523681fb035188c6cfcbea4fd84c3747fa67

    SHA512

    05d0ee9074e680d169f6326095eeb70f59b1b27e4fcf0e8197f782d57904b1af18c63d5e485531f8fdf14ce3dd58c0601c333081612514254e81f1ef913fe759

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Teen

    Filesize

    63KB

    MD5

    8a5c1741055d26716c478719663d3b8f

    SHA1

    1c1e3fe682d8dc8d39f4f8cb2d22bd587929e9ef

    SHA256

    44b69842d307c29252bf633b5620763cf03a86802f290b16fc170a0f58072ba0

    SHA512

    5abc98509a21baaaeea94ba6a6cdef963e59b7159e3c88c66a0e3e160fbb2f327d1cd89664691db4e4f135bb63b02047c6f503b59bfe4717740a04fdb50b76fb

  • memory/4484-76-0x0000000004450000-0x00000000044AC000-memory.dmp

    Filesize

    368KB

  • memory/4484-77-0x0000000004450000-0x00000000044AC000-memory.dmp

    Filesize

    368KB

  • memory/4484-78-0x0000000004450000-0x00000000044AC000-memory.dmp

    Filesize

    368KB

  • memory/4484-75-0x0000000004450000-0x00000000044AC000-memory.dmp

    Filesize

    368KB

  • memory/4484-74-0x0000000004450000-0x00000000044AC000-memory.dmp

    Filesize

    368KB