lumma | a674b5bd6be3ce552fb0851d40c1a99f35bf316fa65b2080c220cbdc3b70b005

Analysis

max time kernel
22s
max time network
23s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PASS-1234.zip
Size

36.9MB
MD5

73a0f77096be00e01d614a177b9d3a41
SHA1

5d09c5ca5d5b34abcca68ae4110e738e40a0fde8
SHA256

a674b5bd6be3ce552fb0851d40c1a99f35bf316fa65b2080c220cbdc3b70b005
SHA512

4cb51bd63fd48acc954b770e8fa097119f518addcd7c03e248b32b35e81204e41217283e030ebafc3225c251efa7458096bb69de91c3fa3a886d89e8603224ef
SSDEEP

786432:nJ8nuq+CaDeprnuq+CaDepAnuq+CaDeplnuq+CaDepCnuq+CaDepXnuq+CaDepcs:nv3Caap63CaapJ3CaapQ3CaapP3Caapp

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 11 IoCs

pid	Process
440	PASS-1234.exe
3828	PASS-1234.exe
4604	PASS-1234.exe
4468	PASS-1234.exe
1472	PASS-1234.exe
4404	PASS-1234.exe
4764	PASS-1234.exe
4176	PASS-1234.exe
3900	PASS-1234.exe
1084	PASS-1234.exe
1356	PASS-1234.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 440 set thread context of 4604	440	PASS-1234.exe	82
PID 440 set thread context of 4468	440	PASS-1234.exe	83
PID 1472 set thread context of 4404	1472	PASS-1234.exe	90
PID 1472 set thread context of 4764	1472	PASS-1234.exe	91
PID 4176 set thread context of 3900	4176	PASS-1234.exe	96
PID 4176 set thread context of 1356	4176	PASS-1234.exe	98

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2168	440	WerFault.exe	77
2340	1472	WerFault.exe	88
792	4176	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4904	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1960	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1960	7zFM.exe
Token: 35	1960	7zFM.exe
Token: SeSecurityPrivilege	1960	7zFM.exe
Token: SeSecurityPrivilege	1960	7zFM.exe
Token: SeSecurityPrivilege	1960	7zFM.exe
Token: SeSecurityPrivilege	1960	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe
1960	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 440	1960	7zFM.exe	77
PID 1960 wrote to memory of 440	1960	7zFM.exe	77
PID 1960 wrote to memory of 440	1960	7zFM.exe	77
PID 440 wrote to memory of 3828	440	PASS-1234.exe	81
PID 440 wrote to memory of 3828	440	PASS-1234.exe	81
PID 440 wrote to memory of 3828	440	PASS-1234.exe	81
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4604	440	PASS-1234.exe	82
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 440 wrote to memory of 4468	440	PASS-1234.exe	83
PID 1960 wrote to memory of 4904	1960	7zFM.exe	87
PID 1960 wrote to memory of 4904	1960	7zFM.exe	87
PID 1960 wrote to memory of 1472	1960	7zFM.exe	88
PID 1960 wrote to memory of 1472	1960	7zFM.exe	88
PID 1960 wrote to memory of 1472	1960	7zFM.exe	88
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4404	1472	PASS-1234.exe	90
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1472 wrote to memory of 4764	1472	PASS-1234.exe	91
PID 1960 wrote to memory of 4176	1960	7zFM.exe	94
PID 1960 wrote to memory of 4176	1960	7zFM.exe	94
PID 1960 wrote to memory of 4176	1960	7zFM.exe	94
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 3900	4176	PASS-1234.exe	96
PID 4176 wrote to memory of 1084	4176	PASS-1234.exe	97
PID 4176 wrote to memory of 1084	4176	PASS-1234.exe	97
PID 4176 wrote to memory of 1084	4176	PASS-1234.exe	97
PID 4176 wrote to memory of 1356	4176	PASS-1234.exe	98
PID 4176 wrote to memory of 1356	4176	PASS-1234.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PASS-1234.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    PID:3828
- - C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4604
- - C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 816
    3⤵
    - Program crash
    PID:2168
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8A7D3087\PASS1234.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A75AD97\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 160
    3⤵
    - Program crash
    PID:2340
- C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    PID:1084
- - C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A70DAE7\PASS-1234.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 808
    3⤵
    - Program crash
    PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 440 -ip 440
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1472 -ip 1472
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4176 -ip 4176
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8A7D3087\PASS1234.txt

Filesize
30B

MD5
02f7180b86ed355ba487659c1336911f

SHA1
fc8a821e78ab3d2003ca8eb1fa2ed835422fc4ee

SHA256
495799c6bfe4eda1f77e7b86a9cdb503acf637a849e78eb94037d71ae08e7c54

SHA512
ca99c3f103645994eab40cc45a91a97fe32baa9719e7f46f0aa0615db0b3ef0418502d0d05f4149586b40bc3b9d0e93d444d1949253274ff0b5f0e8e6542ea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8A7D9DA7\PASS-1234.exe

Filesize
341KB

MD5
156ee988599f61cafdcae6b6bf181e77

SHA1
1424a9f42280fac62181aceee0e5461ebc3e7921

SHA256
fbce33b16234b8bcf6cfe8c44b18d472f022f95894431e98e607ff37607b1176

SHA512
15e0321452365ba130246f366724ae7751720b8fdea84f8f5c227b822cf9c63e04b65d9acd0d09cd37404ef8a63c4ac8d3de2a601cefd3014d8a556b37a18c22

Download Submit
memory/440-12-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/440-13-0x0000000000490000-0x00000000004EE000-memory.dmp

Filesize
376KB

Download
memory/440-14-0x0000000005440000-0x00000000059E6000-memory.dmp

Filesize
5.6MB

Download
memory/440-25-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/4468-26-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4604-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download