lumma | 3350d611b51cebd812bb182308596540849f3424d85b8982bc09ef84d61a9f3b

Analysis

max time kernel
211s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#Pa$$w0rD__6654--0peɴ_Set-Up#$.7z
Size

14.7MB
MD5

bd3d69eee6c586f371bba421c57b8513
SHA1

5cf3ff7a27c43cddf350f8d12320ed2934936c3a
SHA256

c9b8e74f330a39b46141d6411fee9d64d6a20d14547ccafee13924d4443d1337
SHA512

74d6284fa5b7ab553b597165280e1f9ee4553230cc617e2e17f18156cca1e6f84e0350e7e3d68ea51814ca5e5f69fc7b474c826990819e7c8766eb8a43ce7fc1
SSDEEP

393216:O6EDhiWkMm2gPYCGItVOZplHasTGODNL4RUzn:O5hhk/3YCGzpl6siOpkR4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://rhythmsellk.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
3132	Set-up.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3332	3132	WerFault.exe	106
3052	3132	WerFault.exe	106
1016	3132	WerFault.exe	106

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zG.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe
3132	Set-up.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4436	7zFM.exe
Token: 35	4436	7zFM.exe
Token: SeRestorePrivilege	1488	7zG.exe
Token: 35	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe
Token: SeSecurityPrivilege	1488	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4436	7zFM.exe
1488	7zG.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Pa$$w0rD__6654--0peɴ_Set-Up#$.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\#Pa$$w0rD__6654--0peɴ_Set-Up#$\" -ad -an -ai#7zMap27646:138:7zEvent27793
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Users\Admin\AppData\Local\Temp\asdfasdf\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\asdfasdf\#Pa$$w0rD__6654--0peɴ_Set-Up#$\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1484
  2⤵
  - Program crash
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1508
  2⤵
  - Program crash
  PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1492
  2⤵
  - Program crash
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3132 -ip 3132
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3132 -ip 3132
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3132 -ip 3132
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3132-110-0x00000000006C0000-0x00000000016C0000-memory.dmp

Filesize
16.0MB

Download