lumma | 2fbecbe7ba6ce56cfe6b6da8e7aaf6127755161a7ef340b7b20c2b061404f022

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HouseholdsClicking.exe
Size

1.0MB
MD5

c3c0fbe6393929c60e63885bab2603f6
SHA1

09c0cb9efeaa8808710df3f47b3c56fcd323b8bd
SHA256

2fbecbe7ba6ce56cfe6b6da8e7aaf6127755161a7ef340b7b20c2b061404f022
SHA512

6d288c7fe70a1a5fc95347a86dff1ce7fed819e994e56be482383273f58d41ccafe2dfeb9b98d9d4250d58b02545cdc856a642549e1f5ef74b48110af701a37e
SSDEEP

24576:tOwnvrCKVzzbzfafzs68PmgUFDWrE1X7BH/:jnTrJnEsNUFyM7Bf

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://ingreem-eilish.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HouseholdsClicking.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	Appliance.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
812	tasklist.exe
2956	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ArHuntington	HouseholdsClicking.exe
File opened for modification	C:\Windows\ProductiveRacing	HouseholdsClicking.exe
File opened for modification	C:\Windows\BbsStolen	HouseholdsClicking.exe
File opened for modification	C:\Windows\ScoreAtom	HouseholdsClicking.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Appliance.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HouseholdsClicking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	812	tasklist.exe
Token: SeDebugPrivilege	2956	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2864	Appliance.com
2864	Appliance.com
2864	Appliance.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 4204	3296	HouseholdsClicking.exe	83
PID 3296 wrote to memory of 4204	3296	HouseholdsClicking.exe	83
PID 3296 wrote to memory of 4204	3296	HouseholdsClicking.exe	83
PID 4204 wrote to memory of 812	4204	cmd.exe	85
PID 4204 wrote to memory of 812	4204	cmd.exe	85
PID 4204 wrote to memory of 812	4204	cmd.exe	85
PID 4204 wrote to memory of 5008	4204	cmd.exe	86
PID 4204 wrote to memory of 5008	4204	cmd.exe	86
PID 4204 wrote to memory of 5008	4204	cmd.exe	86
PID 4204 wrote to memory of 2956	4204	cmd.exe	89
PID 4204 wrote to memory of 2956	4204	cmd.exe	89
PID 4204 wrote to memory of 2956	4204	cmd.exe	89
PID 4204 wrote to memory of 1888	4204	cmd.exe	90
PID 4204 wrote to memory of 1888	4204	cmd.exe	90
PID 4204 wrote to memory of 1888	4204	cmd.exe	90
PID 4204 wrote to memory of 1420	4204	cmd.exe	91
PID 4204 wrote to memory of 1420	4204	cmd.exe	91
PID 4204 wrote to memory of 1420	4204	cmd.exe	91
PID 4204 wrote to memory of 3940	4204	cmd.exe	92
PID 4204 wrote to memory of 3940	4204	cmd.exe	92
PID 4204 wrote to memory of 3940	4204	cmd.exe	92
PID 4204 wrote to memory of 4640	4204	cmd.exe	93
PID 4204 wrote to memory of 4640	4204	cmd.exe	93
PID 4204 wrote to memory of 4640	4204	cmd.exe	93
PID 4204 wrote to memory of 2864	4204	cmd.exe	94
PID 4204 wrote to memory of 2864	4204	cmd.exe	94
PID 4204 wrote to memory of 2864	4204	cmd.exe	94
PID 4204 wrote to memory of 2992	4204	cmd.exe	95
PID 4204 wrote to memory of 2992	4204	cmd.exe	95
PID 4204 wrote to memory of 2992	4204	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\HouseholdsClicking.exe
"C:\Users\Admin\AppData\Local\Temp\HouseholdsClicking.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Highways Highways.cmd && Highways.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5008
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 19152
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Bookmarks" Sv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Distance + ..\Butt + ..\Roland + ..\July + ..\Islam + ..\Argentina M
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Users\Admin\AppData\Local\Temp\19152\Appliance.com
    Appliance.com M
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2864
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19152\Appliance.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\19152\M

Filesize
450KB

MD5
3d6d45218dac95051441b7e09e8621b3

SHA1
c6a507255b1c846187bcc734699c7b1555924fe6

SHA256
6a82008253e0ceb27673ad23527848e51f58abb6e11666cc5cca8a454e9dd244

SHA512
fbc7fa801ff84ada49e72b342821706fc145bb2208741e264f29b1cd7172ad2b6215fe8a655fb02004483484cc0e5b57c8d4698943450eebccfd62756582a2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Argentina

Filesize
35KB

MD5
e1fede06ffa7694324bcf0012bae9fe5

SHA1
cbb60a4df15d7cf7e15096b7532c060a97d894e8

SHA256
a1f87acfe34ec54bc86497054bb85cbb35dafbf9499bd39b46396dd5c7d8f47d

SHA512
101b8d400854ebed2622ed4c01d8ab9e3278720860b8907367fc3716d9b853dad9f209435015e15b0f770776a167b2df704b3163f8d0e31d73b61871f9889b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brothers

Filesize
66KB

MD5
f7be54e80d09910e992f0918db991bb7

SHA1
28efd6516884dfcec50bfcbff371596f80bbd756

SHA256
849a886e92e8e3c8d73e2faa569f7023c01a40e41c808d80bc8938a4f0cece76

SHA512
b743c0aa129d7d9f606f823dd632e0ae0a8effa746704839e1ed410edc343569e158fa076e6f2ac997c6b185a12044b480a02cd9f032ea95a9571fb02f16cd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butt

Filesize
90KB

MD5
973162049ddeb33cd2ba3e2e476f64b0

SHA1
1deac83ab1224975f1e8572b8cbc5b21384b6044

SHA256
b2ac8fbe5d7cb9fab2e3202fe9a0649dec91c7112df587565fac27fbcb18a25e

SHA512
4fe741421804ba73e3c49dfd8449c49aad6c0e398e320d6749b869cbf91d297c59139c0ec3977860b8a4a3bb8419166406c63704a81bb7347683bc9057522696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Distance

Filesize
86KB

MD5
7674cbbcb2aca7b63551861bf75f97d0

SHA1
81ed4da3280bf1abc4d8e3eb9bef10938c64d9c2

SHA256
e2cf3658c672c28d3a8d27f6efeb40a497202b1c4f7aa5851d6471dba5e2083f

SHA512
479cc5e44828c868bb38bc31588894ae08df8d934ddc4ae4cfdb8e93ae864daed74fefa4845f644762bdc0c1e4533f3d90b5e8602d25467cde1b40b431f53123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folding

Filesize
142KB

MD5
f7ed04c8febd990111b46fa11bdd8d1d

SHA1
15d2525cec051b85cd31f337dbe50dc4aeb8e7ab

SHA256
06dca7dc1d2c82224a78fed7f59fbe4fe94776fe98fdb9d44cc66e9f4f1c2ebd

SHA512
15445c9e187b5b75a8a8b6256eb79571667ae4f3810a122381203e474f33a53dfc16327687f452afdee88e2213476f4dcf262c4a32168685f8ef761bfbfe550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gently

Filesize
100KB

MD5
304420c62ed1d9cd3f85d86582fcac5c

SHA1
bc0693627b10c59a1a35abbaac45f7286d5fb821

SHA256
e0eca4d4bb96bbf101554d6c9a124607604727c3d80784ca51f17cf0dc7b79ae

SHA512
0c811009fa23f4e9eb9f9c8ffa81cba3ca03abb65d069242534c8cc29b427a3d2b72ff241fd8a41dc22ada94bb547cd10952d49f317df2ad55d85a4285bd9ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Highways

Filesize
28KB

MD5
1772a08e66c81359d95f1b6be25c7bc6

SHA1
3ec3d8d9c7af1cb6e89d92b81761e2518844fc79

SHA256
1d3c3c2a3643173a621bffe1ad7deb6752acf927159807cfd1c823773c133a25

SHA512
09b91369a720d9b5df2f89619d29113cd12900e9057b53fa34369e43162be4b4ef6308bd2e5b9bab25e0666960efa90b1c7300ff91a56cb09d07bd28d12df06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Islam

Filesize
73KB

MD5
c0717eaa23e1b4d8ef42ea9e99b89b69

SHA1
7e6b3b073737732c572642ed689c241d6d8bc077

SHA256
bdbe1d6e61b0115d697b5aa9e80d25b453e7474e4e09e559a1832d2dcfdc8fd1

SHA512
1e75297cfb2e648859b35c4562b0d95c55daf9ba8e4a66af13565a1bebb646a67c680a1e1ac84b1f69f852b64b0f9d736802273b83df7ddea55de19c709a7a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\July

Filesize
68KB

MD5
99fa6f1a532385c89e16fef6f954914e

SHA1
6769f770470df82ad78b32ec1535c345f28fe59c

SHA256
0c52aca520b6875005651503a4d6f2b37430a227e9d84fda93252d2aa094705c

SHA512
11b81b984a43c03ad5eee5167da72d5581d159ea7a3fafe2bd442bb697915f3d598ac52be0a843755d2aff22dfbda580ccae455bbea879e64475b61e24675db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\June

Filesize
65KB

MD5
91cb734d0460ba18254e8ff059d6374f

SHA1
a7a4053a9c934f5023908f1b83a2a20a137d6c16

SHA256
aeb2be9b4e40055826b3f960c271f86e647a92c1db662ed8adf9654ed37c9e82

SHA512
3f5c265f4f651780889a82f5ea08d69e1ba0b22c7d2aec865bfecd456e791744b2d3f21168b6e359b0620ed6df0845813546f702f71cae7118ab12c305350113

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lamp

Filesize
124KB

MD5
f76d99915dad5d1428306d84fd5cef4a

SHA1
07c609bc4e5206607858eb56a43c138ad172f3fb

SHA256
528c4e90ef35fccfa8acacccc6a3a65bf753f211fb7acc277527921606dd63c5

SHA512
9da0f739147c67ab46ba8a896af99a9cbe10b14b8725bdebafc6905dcf5252cc3588250d74a755c380f724e76f968909421858e16ce12075be13709d1069c626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leslie

Filesize
29KB

MD5
139ecbc61c65eeed2c66a743abac82d0

SHA1
00b2c1a41006975e5d68edea5fcb3203a9f1333a

SHA256
6d0498ec0e7b86b819dd86a54cf13515e4eb50569aff18c9ffc944eefda68251

SHA512
35c59717c001ac5a894ecb635072d8eea157b8558e385b637c97493e35e3c4d962199d1799756a0d6c0a6310a327280f755564b9383acadab83db7b02624f3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Replacing

Filesize
63KB

MD5
98d45275d84d549cf80b87bd0144d901

SHA1
e321e6915f70857315778fdb7061d98e4b81a4e7

SHA256
48ed90918079afcc3cb658f5898d643c864f2efc7394fc7353d1ca83f19e7761

SHA512
5ba8ef5b24cbf770b3fc07f8251f5cb7beaeabbd03879ccaa0e26a2e529446c8d72fc06a4a40de39516c9df4d893a3a60c682819521a3884fb62724c04a1e149

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roland

Filesize
98KB

MD5
df8fdf5f14b162328c5a1c1a7d883b5a

SHA1
69b6cfe2fbc4196e7f84a9e615e0aa845d5462e8

SHA256
0241ae98f5bc3d7baf64427d3af04029d8fb52362e95c0da931b4a0fdde5d13b

SHA512
177d290979eb7b5d1aa1f0660c98e0c4ef9a2949c32e327d0de439e7b5889cd615830f47c350ed12511a9d58b1ce60299edeef64eaf36ea54ddf22e22e76e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Savage

Filesize
141KB

MD5
e1a20c475ec5f88b2f289c1e03d35848

SHA1
12a23b096421755073a19d8f5fbfa031224852c8

SHA256
b64877aeadb747e805c85e4818fc3e667fc7107dfcdc5f3e20b819e1d559efef

SHA512
3fdbef82ebd83deadfa21d26516d0e4b2eca75d1904afcbb0e64d835d0e1a7ce2eef03dae1202321dee7e30cb4dc556c040ec1038f8ae158f122b26826b98cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Slideshow

Filesize
64KB

MD5
e3c619d6e998064e8e0b65361184ee91

SHA1
e5dc3b5d5746e0bf1338e763f559e3478b970283

SHA256
4ae3270ea08c657550b1fa048e85e786c7e608bd243a2a6e4a6e70428202ca66

SHA512
32c1300c725c3b0c9494bbbba2b0fc87fdd25487e7018f7eac77115301656ec0aefdeafabdf875bcc655967cbeb71d6632fd6f88a4ad03fe9b68dc4f5c6b8831

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sv

Filesize
707B

MD5
fb5e6b5023c95d6b259e8a32c47e4188

SHA1
dd075ef6c1e7161253e79224daec20831aff4cc9

SHA256
61ca18d2f088e4aa315e0e989e6d0630c394765e655f567ed99ea53ad9e5f851

SHA512
7cf610141b7c93ccc7a2f5fa9953a14696a42a0135750c42fb02b4f6bf6ba76a6f5e32b8805fb465173c0d0f87501052e5082497b8e6f7fea299cb6244512e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Techno

Filesize
130KB

MD5
a2ad31b3b39d97e19767812f46d19ead

SHA1
e1f31beaac4e5c4ff16ebf916e7bf6a2ce2ad99a

SHA256
ee4dedd77c361ec10b10b7a34f727528c0a8c90750088a2658424b8c1569dd5c

SHA512
7db651d15b4612be65bf8ec54aff9a6f5c46964150e3aa96c9c656bfaf064b0c8fdd02e6c47c1ee54945b09061fef395e4c31d027372a76941a91a547b84d5e5

Download Submit
memory/2864-651-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download
memory/2864-653-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download
memory/2864-652-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download
memory/2864-656-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download
memory/2864-655-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download
memory/2864-654-0x0000000004860000-0x00000000048B7000-memory.dmp

Filesize
348KB

Download