lumma | 7aa257295dc88b4b65d80fa9541bc6b029cf67c47aed445ca4d7ebe7b806e793

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DodSussex.exe
Size

1.6MB
MD5

7d1b12a3e617535c0fe754dabd278393
SHA1

a491a8dfebe21a4e6ffad330bb5a6bdc24cff56a
SHA256

7aa257295dc88b4b65d80fa9541bc6b029cf67c47aed445ca4d7ebe7b806e793
SHA512

6dfd70238014b73a92818fcc637d829a99e05edd7e77a0df9d81f363de1be3cb352da5d340259dff9914cb3dcc601e9de2b9e6cfcff59a6711ddd0c3303e6011
SSDEEP

24576:Eu/J5gf4UvzU8YxX6/hCx3MVpBR60dRpu/A8vRYgxOrDrDvrQy/l5LtElfuatcqX:t/+4U7yS60fQyrEWl5hElfuEoMfJ

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://brendon-sharjen.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DodSussex.exe

Executes dropped EXE 1 IoCs

pid	Process
832	Sally.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4880	tasklist.exe
4200	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NameCord	DodSussex.exe
File opened for modification	C:\Windows\BraBrandon	DodSussex.exe
File opened for modification	C:\Windows\RapidlyMustang	DodSussex.exe
File opened for modification	C:\Windows\IntentHearing	DodSussex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sally.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DodSussex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
832	Sally.com
832	Sally.com
832	Sally.com
832	Sally.com
832	Sally.com
832	Sally.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	tasklist.exe
Token: SeDebugPrivilege	4200	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
832	Sally.com
832	Sally.com
832	Sally.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
832	Sally.com
832	Sally.com
832	Sally.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 632	452	DodSussex.exe	83
PID 452 wrote to memory of 632	452	DodSussex.exe	83
PID 452 wrote to memory of 632	452	DodSussex.exe	83
PID 632 wrote to memory of 4880	632	cmd.exe	85
PID 632 wrote to memory of 4880	632	cmd.exe	85
PID 632 wrote to memory of 4880	632	cmd.exe	85
PID 632 wrote to memory of 1976	632	cmd.exe	86
PID 632 wrote to memory of 1976	632	cmd.exe	86
PID 632 wrote to memory of 1976	632	cmd.exe	86
PID 632 wrote to memory of 4200	632	cmd.exe	88
PID 632 wrote to memory of 4200	632	cmd.exe	88
PID 632 wrote to memory of 4200	632	cmd.exe	88
PID 632 wrote to memory of 4308	632	cmd.exe	89
PID 632 wrote to memory of 4308	632	cmd.exe	89
PID 632 wrote to memory of 4308	632	cmd.exe	89
PID 632 wrote to memory of 5016	632	cmd.exe	90
PID 632 wrote to memory of 5016	632	cmd.exe	90
PID 632 wrote to memory of 5016	632	cmd.exe	90
PID 632 wrote to memory of 3580	632	cmd.exe	91
PID 632 wrote to memory of 3580	632	cmd.exe	91
PID 632 wrote to memory of 3580	632	cmd.exe	91
PID 632 wrote to memory of 2152	632	cmd.exe	92
PID 632 wrote to memory of 2152	632	cmd.exe	92
PID 632 wrote to memory of 2152	632	cmd.exe	92
PID 632 wrote to memory of 832	632	cmd.exe	93
PID 632 wrote to memory of 832	632	cmd.exe	93
PID 632 wrote to memory of 832	632	cmd.exe	93
PID 632 wrote to memory of 2248	632	cmd.exe	94
PID 632 wrote to memory of 2248	632	cmd.exe	94
PID 632 wrote to memory of 2248	632	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\DodSussex.exe
"C:\Users\Admin\AppData\Local\Temp\DodSussex.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Richards Richards.cmd && Richards.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 506480
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Concert" Tmp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Colombia + ..\Soc + ..\Plate + ..\Reporter + ..\Bar + ..\Lottery + ..\Continent f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\506480\Sally.com
    Sally.com f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:832
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\506480\Sally.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\506480\f

Filesize
476KB

MD5
1f949f855725b814f3a7ea748f86e1f4

SHA1
3a47da408a2507f5a466022faab45f8bae08ac04

SHA256
081891fb2a0f8f89a270882e562c3699a76c38b8c592f1218a976d2fab92e37e

SHA512
175ed5c06be096a352d12fff2b7d4771555a93b4b791177dd6fe063f02fc2374c66e3f3c09e5ff3393a2fd8284c94321ccaebec701cadb96e8f7cf4ee7ed5f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bar

Filesize
58KB

MD5
1ad3762d9a2e9f7c9c85cae85c885b44

SHA1
c359a13948c7cb048d23bbc5dc1a07e27c27c635

SHA256
63df092c6101513833b688da8a7726490e2979025f447e6bdeedb22eb7a75238

SHA512
e220c398b3695c367a0d44d353ca96a7ad9f4189daf081b45f9038b5ec24223635442e4276828db0d64cf515eb982d354087a73ddf04309871721d8d45510633

Download Submit
C:\Users\Admin\AppData\Local\Temp\Colombia

Filesize
83KB

MD5
041a4a8e5250eb83a858d7a03aba53ee

SHA1
428b23db70aca46fd23a244204800828f90dcf57

SHA256
e0de517faf0f6a45571e8d78e06e18547341778197a7b0668e572e6c7601e71c

SHA512
65c2c7c9dad31bfdc1bd860531b23962316b9a8f3326afa3944bbab892b5caee7d7075293f3abaf2ec3b9c45d291a7223b3de2d8dfe1cf9fa257e05e203e5ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continent

Filesize
11KB

MD5
56965d446b8b3ed71f331829110a0317

SHA1
3a1bf436c4b6339eaeb636c0f447fa0a844a1984

SHA256
b1022db5597f7b1417c9e6091845da10f1e5be348c8b476ecd22647f9f03ad4e

SHA512
3c55eb27417151505724277f19bd51e32fd902690fe7683ccc04eac3bfc0a8e6aeba03f23c3c4b6e8a1bd878d0bdbce6c6e3a1d58492841a52ea7c70d7b9dbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Designated

Filesize
115KB

MD5
b2df4a56e1e5958dae48bff97dc8aead

SHA1
a15cdb450c252591d99a86531a555957d51648c0

SHA256
3d63854361c945d825d608d2c6e95becfc84c61eba99cc00794a8dbf405edc2a

SHA512
4996b0c06f8f0708275c83551860931de0103b785340d72b1175bf06e73fc050e24976b82979b03b909d3e0f703707a6f8a2eea00249c665a5df0419869883db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diet

Filesize
120KB

MD5
71708556e25ce367649554b854216213

SHA1
67a404a45755d4d90e86feb92ad5d79619f4136b

SHA256
f563f0c1ca619a68157cc8d08f04a2c7296585784bcc0ed92c8fa051f8894b96

SHA512
7f6ccf7a73fa0ef693367877c28b6366eb389c284934c98ba0ca12d4376b299b92746c9fc4cd050aeba40bd6dac6e7b5d24c4e814f443f5f84ff8a033809449d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghost

Filesize
114KB

MD5
2116d859c28594a21fe39b67325d5e08

SHA1
58b61b59e554cf67ccab0f4339d4c9c1157d8c09

SHA256
0273a1a578d37b7885c7b2a903d0d9c38e029aaa4bb0a75cc94a2b61ccd5fdfc

SHA512
7f6d05616088561a1b61409112bcdf73550c48a6a5fdfdce50fbdd4f139d1246ff656fe2546f5d0b393c4441994d4d288646a2acec50d1e742117388b1725a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lighting

Filesize
141KB

MD5
fe316201cd04f114be8e3c768f1a6a80

SHA1
ea8c9359cd0e23810b0fe7fb61f483db2cf27b58

SHA256
abe8e9eda741b2ce6b323a5f7cbfe50c5eabf7134f5cf7fee1651d8e621a4c7b

SHA512
9b41f31223ada6028c5d41aaf54d7d7a00bc5a14c41b0d566f8639174487ac8b9020dab15d0423a68956e2c71ff027eda358619605f5e7f8e032af9851743bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lottery

Filesize
95KB

MD5
6ef5958f657ef7b6e4f0d63c032fad68

SHA1
9767fa0e554e80a1df9c793cb71cda7ff4da649f

SHA256
5d784fd2bae5208b447ce0c0188caa4fce2ce71d8e7e1ad1f9b8bca41996ad4d

SHA512
ca27822f826d5c60631c744e836293aa8826663c554b75c1792b02a332cc2e79e2d20320bba4a2d90666df6ddae69b448c8e68b9ebaab77b649f06103d79b87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\M

Filesize
53KB

MD5
8997e8fa8a54c9ac2a2d9200621dda87

SHA1
7e9340af09a3062931b47a752a0931d73cb55877

SHA256
65a20fe7070943ded764e5b73a6873e47e06a85a575c5091b58cf67b47196248

SHA512
00dc1472caadfe8691dadcd6dee1363a8b507679b299bf95e74434c0a7f751cfb171052aa1f49d1d7d8fc5b00137b48bba648fda031c9e4cdb5e6cda0f6b87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plate

Filesize
57KB

MD5
ae35c579d60caf20b7d597158ad311ba

SHA1
51a1a3a8725665cc15acb243bb84e0bb82e96fd9

SHA256
0f00636438353d74c9141c33cf5cdc1570034c6d6b9b64c183f9b32ac71c7758

SHA512
f2c86c79448425233ee1d008f87a06cf9a6833d5f7fd3f36f94c96643009754691a5a342f73ea950a27e4a6569f6a35ce023b979b4431e673d19667d9bdf42bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procedures

Filesize
125KB

MD5
1df09ce2e3fd06f524053e2c8f375f4c

SHA1
d748742bb153c24fcb2a62528cd9f1e862570c47

SHA256
ad31a966dadfed0a0eceb4baa3f16b04ba71162ca4e7fe975a4e40fa8b47392e

SHA512
a27f082e95d6321a8696630b384cb580b7df176b2c49a558a5a91e7067a943604bf9d8532eeb594ea6675ec69f7ef97a5aff92f139001cbad79ae23b4c9ccb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pvc

Filesize
65KB

MD5
7c1b83f747d65522f2902ffb6d393238

SHA1
5a55fb4c5361ada4cc75beae8837fd55e5e88999

SHA256
e7950b737c4326e8311d5afee2534ec54f07b2453a609961c45dcbeeea5eab0f

SHA512
f29a21ad039f6e5e58c85d0e85377d30ef19e2597bb06c67deab7a57dcc60a09b2e68746d5223eb1d5bb2865b81cf923993e91b2257eeb6b81fa8d52589b0b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reflection

Filesize
54KB

MD5
c604c81304f1f1fc98ef6268d92387a8

SHA1
96469c313eb51a440089badf2e0871373c2fd611

SHA256
a389142ee653858c22f03f48c265cd993e35302fe6f229e9995d8aabd25c5eb3

SHA512
c416c6bd81ea909b35699ca1c33e12b4508bb86af54bff1eb3ce601cbe171d9011831386da09a7ec23037b4cd57fffac105d92efe2bcb5abac18676c781d71d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reporter

Filesize
91KB

MD5
02fadf45f4774292d5a717bf9a48f5c0

SHA1
315e27bd110f5528869c324ba03182ac411089ad

SHA256
07520f6b91f7b845231d1f8addfbcdc0c8436e3d22b3b72d70be9e2706230d66

SHA512
ce127b0962b0cb56eff7cb39ba7637cf9c1a89cc06ce56e8d2a817d898738c4dbe2ed8fec8b90ef5a57e3202fca23b868f6542053b6005ffdd0c2744edfa7acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Richards

Filesize
16KB

MD5
19347c9378e50e89cce8aff3b4386362

SHA1
fc04cd4ce3f1edabebe8946e0f22c91963deb0e9

SHA256
6f0f5a2d3a9e3c45b74526f44420612dff2cca2c270074fbcedf4e2fb8ed5f5b

SHA512
9571d75e72b51737d5b57ef4297a3d1c787a8a7c31a3ddb6f5a5717ce3f9a1fe1af74e11de162f70402c83913ee90dbd0ee53aeeaa9cba3553d33d2cac9c6a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sauce

Filesize
64KB

MD5
e8dc1f5fd22b25776f5cb7acd0a58905

SHA1
cb81992b9139c0bc3c2a1577fe5ee1f4e7a78d61

SHA256
c15f40c26b6ebfd6ec81328063e128ac18951ac7d9bce31a4166dbcec4790220

SHA512
35215cfc7ac1c8ccd56658659c84c141f01b5f88843031df6828178fbf8548721e2e8660ea93ab447de4d9af35b4bba068ee1fa05e7b6ec8d745b2c2d97daf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soc

Filesize
81KB

MD5
1d1356c390684aba866922e138ad1858

SHA1
1348b49c25e18a2ee6cee60cfef5e1e14d5b65b0

SHA256
d1720bf3248bf97c115712d3f7eff489f4a23c03bd7bda1d8dd738c5e36814c4

SHA512
6621bec0296b542c2a5d95e34218698ddb7ff80c2d3d782e3407a0a9188353f2fcda4fcd59e6a468e7c9ef899410eb56c32be7454b6728d87c70ed00734f570f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thinkpad

Filesize
73KB

MD5
9e36a5516b4a2927df2c56a253742e2f

SHA1
1b7547b7840b3b91dedce4f0fc558b702826d106

SHA256
1c998af72b77b5ff42d467be77386e4caab80179a6430c6d88a8bd62c4cabfdb

SHA512
338a069fed59ad867464553372705833a160694447e2aee527747ef630c00fcd4263637d9fc2ecb2f4074e4eda0bb0d0a8ee19cf09a36d928e6a46ff60d8baba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp

Filesize
547B

MD5
c6833d266e5a297e203cd411af09dcbe

SHA1
749204195ad8425765fec02dd861903bb5eef5be

SHA256
04eb252ddafea87ac3d5df21c8d6ec9eb39ffc56d9d6c225090178b1c128b4ba

SHA512
2b25dac4fcd31f20ae599f102507c565ef31d1f091192fe29d7e50fb792109dcad9f1c40cf85eed5ca11e68774535ebc99e9938756ee1f37972c1a54a200fe0c

Download Submit
memory/832-427-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/832-429-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/832-432-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/832-428-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/832-431-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download
memory/832-430-0x0000000004290000-0x00000000042E8000-memory.dmp

Filesize
352KB

Download