lumma | 469fbee829e69894f23aa921e86480cfe18b116b873fedf03a9227ec1d57bb80

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CondosGold_nopump.exe
Size

1.3MB
MD5

412db12259a7d002a629959260898ea7
SHA1

4a8a563c534c4399d2f2dec2575c6268c2cbe898
SHA256

469fbee829e69894f23aa921e86480cfe18b116b873fedf03a9227ec1d57bb80
SHA512

0edcc32a29f2d4cdb5afda89dfcce0681d093ea32a3c85bc1e34f7279e82facdbb922461a6a0c6e5976d0be3d7a2559b8e328f0e2464e94ba9090aae3af96e8f
SSDEEP

24576:yeO8eaBw8wu2vlgPhX49nuMUvLap9HMdCVPPhoJF9SCHCsKKgHQ34d8fr4:YCBwRu2NgPh8uR+jlPhs3SCFgw34C4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://brendon-sharjen.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	CondosGold_nopump.exe

Executes dropped EXE 1 IoCs

pid	Process
1164	Cassette.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3692	tasklist.exe
5116	tasklist.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FlowerDesired	CondosGold_nopump.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cassette.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CondosGold_nopump.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	5116	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1164	Cassette.com
1164	Cassette.com
1164	Cassette.com

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2944	2956	CondosGold_nopump.exe	83
PID 2956 wrote to memory of 2944	2956	CondosGold_nopump.exe	83
PID 2956 wrote to memory of 2944	2956	CondosGold_nopump.exe	83
PID 2944 wrote to memory of 3692	2944	cmd.exe	85
PID 2944 wrote to memory of 3692	2944	cmd.exe	85
PID 2944 wrote to memory of 3692	2944	cmd.exe	85
PID 2944 wrote to memory of 1792	2944	cmd.exe	86
PID 2944 wrote to memory of 1792	2944	cmd.exe	86
PID 2944 wrote to memory of 1792	2944	cmd.exe	86
PID 2944 wrote to memory of 5116	2944	cmd.exe	88
PID 2944 wrote to memory of 5116	2944	cmd.exe	88
PID 2944 wrote to memory of 5116	2944	cmd.exe	88
PID 2944 wrote to memory of 1876	2944	cmd.exe	89
PID 2944 wrote to memory of 1876	2944	cmd.exe	89
PID 2944 wrote to memory of 1876	2944	cmd.exe	89
PID 2944 wrote to memory of 3528	2944	cmd.exe	90
PID 2944 wrote to memory of 3528	2944	cmd.exe	90
PID 2944 wrote to memory of 3528	2944	cmd.exe	90
PID 2944 wrote to memory of 3396	2944	cmd.exe	91
PID 2944 wrote to memory of 3396	2944	cmd.exe	91
PID 2944 wrote to memory of 3396	2944	cmd.exe	91
PID 2944 wrote to memory of 2736	2944	cmd.exe	92
PID 2944 wrote to memory of 2736	2944	cmd.exe	92
PID 2944 wrote to memory of 2736	2944	cmd.exe	92
PID 2944 wrote to memory of 2012	2944	cmd.exe	93
PID 2944 wrote to memory of 2012	2944	cmd.exe	93
PID 2944 wrote to memory of 2012	2944	cmd.exe	93
PID 2944 wrote to memory of 1164	2944	cmd.exe	94
PID 2944 wrote to memory of 1164	2944	cmd.exe	94
PID 2944 wrote to memory of 1164	2944	cmd.exe	94
PID 2944 wrote to memory of 2844	2944	cmd.exe	95
PID 2944 wrote to memory of 2844	2944	cmd.exe	95
PID 2944 wrote to memory of 2844	2944	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\CondosGold_nopump.exe
"C:\Users\Admin\AppData\Local\Temp\CondosGold_nopump.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Drives Drives.cmd & Drives.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 352348
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3528
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Fat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "CERTAIN" Panties
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Singapore + ..\Vegetarian + ..\Dating + ..\Wings + ..\Audit + ..\Relates + ..\Trip E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\352348\Cassette.com
    Cassette.com E
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1164
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\352348\Cassette.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\352348\E

Filesize
464KB

MD5
ac79c3191fbb88552a7dbd4d875df09e

SHA1
5f6c3bc0ecd09f79c4e9fee81cfefe6e85ff2516

SHA256
fb335ecac71dc089da72d7fa000547fdbf62e2fc0f37ede8f052f85ed747ae09

SHA512
1507600b66e99fe7ed16f2508085de7c7fdc1d92b3c76b9fee0c48bd8a4ac264b8de9bf7dce88ad56933a104e8d6351b00dafd933530ad34831033edd267bff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assessment

Filesize
109KB

MD5
10305a41a60be9b67325c94a31f8edaf

SHA1
c8c38ac6b1d2042d3041119f054a94ec1f377124

SHA256
81f31ec76dfcea3139efb84a07e0faa5b1cbb68c799c33dc9c87575a1aabcb2d

SHA512
1547a465a11df6fef6512f7d0d33325beb1b1dc35242f72a5e1c43bbc78c474569e7fedcbd02926e3d030c161300d2644a9f34d47b27a00a0257d82ee0b6dc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Audit

Filesize
68KB

MD5
8d75fc9991189a412d3e1fa1dfd75163

SHA1
ee3d42335c7b504800b095d8f31bd97e1e0efdbf

SHA256
3c1e37ab0c3f14af16961dfde9cbc76742b1400026758dffe4afec1e32e17caf

SHA512
8c12b8fb35d090ffc3f1ab845777aef0fc711cfc802da47580841d019e6532cd3b53b88f7c5f0cef87ea6fe208678abe1c1b1e7526c06b006f1e2d5bdce21cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Casio

Filesize
41KB

MD5
8cb45aeea40a56da7ec6ac468c6a20f2

SHA1
94c462d5c9f1081c26529b23af82c493bef6052e

SHA256
f07f84b2f7417a14e3e36a0e0b31a18eacd8af1b38aef4dfc7183010995b81b0

SHA512
3b160360ffc3080ea0b37d84a30c8bddc546b062771d31776788bde03ab62d9686402d7938cfed5fd695c26c583453e960ed326d2782188210ac601eedd55175

Download Submit
C:\Users\Admin\AppData\Local\Temp\Copying

Filesize
145KB

MD5
479b7faacc9bc81acb0922a5eb05be14

SHA1
39fd7fe93204ae9ed2a97e0413bef832b17a853f

SHA256
9629df2ed5e6ed7a485724c006f31f4a50cb315f495c769ffec3245787430ca5

SHA512
60c427bb99c0a5ecc8b33d7c9cd81932a4c849541414bb0bef6daa6a13366a8a8dfe83fa7d70011ecebddb9b310a85f1ab20a7c1464a67ac790e4d495ed3ca7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dating

Filesize
82KB

MD5
260503c7cfdc29544356d517366eb586

SHA1
b491d547f5299812c226c6ba41c24288569950a0

SHA256
b1e3ae6b8bb1470e30953021c06a5aa5b7bfbe6af83fa3d45174f03b839c1eb0

SHA512
5f78810b768687fd7276d7a3afac38f2ff5c09f55359710aeb932cf59dfeef0ef00c3b211a070e537e12596870e74be65a346a681daecc3895acde60329c22bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drives

Filesize
15KB

MD5
f09b25054b1b0532b076879548ec89c8

SHA1
59094e8c99412ec6a2435cbcbbe8059446355032

SHA256
0d23dc5bd965715543363d5374d18011f15d9e06dbbab6ecb62a3938dd12ee4d

SHA512
16dd8b6f48df2c48a0e989cf481ae9deff0ecf49ef899cdbe9c4cee53bfee48d45c85d2ec1d57b1c3b5be34af9c5476402135b2deb07739ba47ad8e984fb65bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ethical

Filesize
144KB

MD5
4886fa52250b2ea113ccd6bcc6994015

SHA1
fc455b281ac2e1550b267f5245475445b4869ece

SHA256
7dab6c65adfb8f1a05b50a480c1ed040a2f9ca77276c15d40b221bbb6e8fad0b

SHA512
940a6d363f0beadd72415c6b78296ef663d2bc2b69f6106155198a959be39218a0edfb3004b1cfbb28dd65d872f5e3969cc6c060cd1697ea84f2788032fb4c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examinations

Filesize
55KB

MD5
aa7580cf47c4fa4d135e86158e14819d

SHA1
b97c10e1883f50b6d27e319c823588c68a70c04a

SHA256
220106fe5f865fe588a2d20bd3fd2a78e9fe421bfaef9af688b7bc2f6fb3c719

SHA512
7e39d27ae73fdfdde959c19b05d3d57ad36047de2d8b4409e2f59f5f30701c6d4afd60fdc6f53fffb092b4091ed1aa5dc900973915f4dbac39ed656205398459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Excuse

Filesize
103KB

MD5
84fc0f80d9cdf138f56f00284e961f02

SHA1
ca2dbe9175a654eade7ac4a0608b73751d47c090

SHA256
5b66e7b1a42b9fcc9488aaa2f3cd933b39bb3e737e7f8a1593a2dfbdde24456b

SHA512
caeafb8f84747616dd271e8fdf31600e0fb7e49363b69f82269b4b65a422d47ade8d9a40523cbf63247b73f39996d15235fe5c7fd4efa119d03159823c00fbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fat

Filesize
477KB

MD5
62b44863280e1cb88ab21293e8bea0f5

SHA1
4fc9446cb8f4a4135162809ba8bf6eb773879080

SHA256
5fe98335afef943933f4839521765b3325abe9e1c3032577026481946bbe61c9

SHA512
c3882b8cc019faf5804223d7e38d9129fe44b7933dc6f390aed0327b66bb4a794bda424788c029e0c06798b0c851b7872f96493653844bf6791bbe135ecd8510

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meters

Filesize
83KB

MD5
fae8caab7bf628714bcda7a14650c8a9

SHA1
e99c919713de03e4b0420678826699d962b05480

SHA256
f9602b60e6b34a44af7ab43da832e47956485d6e952b0fefba79bec382f4158a

SHA512
141d0275651598f50fc3685d2c663fc37218dbcdc77a78f4529e61046196a09e128911379d75b2448e264e70f760dbc2db3edf0db0d330921a6a605b274f45b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mrs

Filesize
84KB

MD5
d8384b26a2535c0417e7aa1087dc171d

SHA1
a2be1dce8c974d3ba17e20845bc39969219728dd

SHA256
8916199c5c994eba1cc99a8440d0836d87bc06af203c68484e979fd3375b6ed8

SHA512
1fa573faa54ec9dbbadc0462eade5bcc869e6cc63cda14df22396aa3a5cd7e3b9e7922898ad9859cbfc8a90da3f257ca07ddb3e8295d169b00711dab86e2e36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Panties

Filesize
202B

MD5
8d7bebe90d83c02282f2b37902d47609

SHA1
8528721237432c9cb70956f3861a2fbf6ab174c5

SHA256
8ae79c5433ba0b1feaf8ca4e4547ba0366bd4120a15caaba853cc578931ba0c1

SHA512
47d963b1cddd904e011cec1d1a6521cb1c6fb5b5f762504ae5ccb3fe890ca1b0c6fb6a9f8cc9e6b6aa0ffa96d65cc0f1957411420c4bf4532aa30c89b054d6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pst

Filesize
89KB

MD5
82b9de69c5590dc95d9af421ce8ad0fe

SHA1
5c8c50d6512c7e914b29e9a7fedd32830ed43a28

SHA256
ee5b15e38e3ba19ba9249b794ab669a875137818cbc6e2ac9f1388d5fe574e39

SHA512
2fec14247d7c6a6c060b8904a99c86d2b39a43e54c2384d3ed2d2d8c1921f8e0f40db85374043ce4327af19c14bb6bff91e6ded3105ccae8168849f02ebe9fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relates

Filesize
62KB

MD5
228b3cba5d32e858e0cf61aee28c2602

SHA1
27fd03a6f2f60e9437c820ee56973b149bde74ff

SHA256
66f2071971da2660a980a358c665a81e0456054b7ef240cf02b5efbf9495854c

SHA512
8153e2f43d5a1ae294d816378143af7acc291abab7adabc3e326bb284b609e19a0fc2ebac97a747612595e7ce2f94862893db73299b1d489f3cd7f7b80a504df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sharon

Filesize
71KB

MD5
406dc257ecc2c7b7b85236291dd52401

SHA1
44dd1450a357a6ee606d379e48447d69908c2fc5

SHA256
d7d3378ed777d309bea183208de1c1b283a15262b4d39d29fb5c5df4d738a268

SHA512
9e91e16b65a080ef57b35c9b9fed182ac56a81226efa19fc382755247547f800908586263b21b1b6176699416baf841f6849b3c2e32bb4f4801e81b1b98443d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Singapore

Filesize
71KB

MD5
e7a35d1689f9e4df278775799501706a

SHA1
8c6df65201f038a584d10847d42eaee40ccc1642

SHA256
000545ea8097a390cb269326658782385d851c7c6e33354ebbe00f3879a7231f

SHA512
fd2bbb471aaba4bcff75758ceaf26ea094804539775cca4fcb60f869fe6de32b6bdb76a35afdadfd0c1213421334f14cb3d1e69376f51a77f7db8f7fc814c2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trip

Filesize
40KB

MD5
f15ad1d41f690f4541bae39f2b9fffd3

SHA1
49af965ba99791be68f143449532a0019eb24c95

SHA256
23011ff4e4aa99f55ed45256758d565c4aafabae1b5c5f77dbc1d98a0b4b90e5

SHA512
dcea021626792075175e329c44252b499917ec164ce9838ba4024bd676a7a39e92c521630650d21d7bcf8bbea355b1391fc8707d80aba66d47757ab7cfe642ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vegetarian

Filesize
85KB

MD5
dd05ed191465579e96916c50a7cc7419

SHA1
d2482a24757311976588f8d28db830e6f5bd9df5

SHA256
670abcc677b35e21d6ae9efa6f4094b2f13a0bfb82bcf82d0ec9994a6ce4d7ee

SHA512
57eaffb89bb4e456198143f1cdc6c418cd579d8b4e50a8a1e1df83e35de5d76ac74f2666ac5b86d99da36392c737bf6359d8b6ebd244d20f7c5eea7fb7810371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wings

Filesize
56KB

MD5
7c8b6b59d68d7c48cd20b146bc8975ff

SHA1
b54d2938c915d9331cb1cc1fa70221bfa6505756

SHA256
dd83e07857f67230562721745a62d2f0577abdf56d896a5d89917d5ac112651d

SHA512
70fb87a1c94cb4339da7a94c93b638f39b2fcae18b40c4ab4006473f05d8e9b017ca322d83059a0e4725250907f7ffed20688ed77184e79045b8345cd192330a

Download Submit
memory/1164-70-0x0000000000A30000-0x0000000000A85000-memory.dmp

Filesize
340KB

Download
memory/1164-72-0x0000000000A30000-0x0000000000A85000-memory.dmp

Filesize
340KB

Download
memory/1164-71-0x0000000000A30000-0x0000000000A85000-memory.dmp

Filesize
340KB

Download
memory/1164-73-0x0000000000A30000-0x0000000000A85000-memory.dmp

Filesize
340KB

Download
memory/1164-74-0x0000000000A30000-0x0000000000A85000-memory.dmp

Filesize
340KB

Download