lumma | a2338d0fb90c8e190571b32d5e5fce6b943b9fd10d8900c82d39ee1335183e0e

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DangerousMidlands.exe
Size

1.2MB
MD5

e4ae7d2d997ad9cdb1e4c138e4dd10df
SHA1

fc1755d4bf9e0ae7e6ae1cfd4f2100388523ee8c
SHA256

a2338d0fb90c8e190571b32d5e5fce6b943b9fd10d8900c82d39ee1335183e0e
SHA512

43ef9c12da2a160b9c961f8d2282786357acc21ad42d2e4afa24f6d0b4b3830b60af3cf2c2e71a79a93ee967fded7b6a21db3a3a6e5db3ae2abd308bb0799aa1
SSDEEP

24576:Kd0HzzFvwGLyNRCqplgMxKJDFd+CTqO+I:e09wGLyNRChMxaF4CTH

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://spellshagey.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	DangerousMidlands.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	Provider.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2580	tasklist.exe
2320	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ConvincedTuning	DangerousMidlands.exe
File opened for modification	C:\Windows\PocketHall	DangerousMidlands.exe
File opened for modification	C:\Windows\BrosPasses	DangerousMidlands.exe
File opened for modification	C:\Windows\VesselsFactors	DangerousMidlands.exe
File opened for modification	C:\Windows\LincolnCentury	DangerousMidlands.exe
File opened for modification	C:\Windows\IdentifiedPotatoes	DangerousMidlands.exe
File opened for modification	C:\Windows\HighlandVary	DangerousMidlands.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DangerousMidlands.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Provider.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1744	Provider.com
1744	Provider.com
1744	Provider.com
1744	Provider.com
1744	Provider.com
1744	Provider.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	tasklist.exe
Token: SeDebugPrivilege	2320	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1744	Provider.com
1744	Provider.com
1744	Provider.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1744	Provider.com
1744	Provider.com
1744	Provider.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3596	2156	DangerousMidlands.exe	83
PID 2156 wrote to memory of 3596	2156	DangerousMidlands.exe	83
PID 2156 wrote to memory of 3596	2156	DangerousMidlands.exe	83
PID 3596 wrote to memory of 2580	3596	cmd.exe	85
PID 3596 wrote to memory of 2580	3596	cmd.exe	85
PID 3596 wrote to memory of 2580	3596	cmd.exe	85
PID 3596 wrote to memory of 512	3596	cmd.exe	86
PID 3596 wrote to memory of 512	3596	cmd.exe	86
PID 3596 wrote to memory of 512	3596	cmd.exe	86
PID 3596 wrote to memory of 2320	3596	cmd.exe	89
PID 3596 wrote to memory of 2320	3596	cmd.exe	89
PID 3596 wrote to memory of 2320	3596	cmd.exe	89
PID 3596 wrote to memory of 2668	3596	cmd.exe	90
PID 3596 wrote to memory of 2668	3596	cmd.exe	90
PID 3596 wrote to memory of 2668	3596	cmd.exe	90
PID 3596 wrote to memory of 2212	3596	cmd.exe	91
PID 3596 wrote to memory of 2212	3596	cmd.exe	91
PID 3596 wrote to memory of 2212	3596	cmd.exe	91
PID 3596 wrote to memory of 4320	3596	cmd.exe	92
PID 3596 wrote to memory of 4320	3596	cmd.exe	92
PID 3596 wrote to memory of 4320	3596	cmd.exe	92
PID 3596 wrote to memory of 4788	3596	cmd.exe	93
PID 3596 wrote to memory of 4788	3596	cmd.exe	93
PID 3596 wrote to memory of 4788	3596	cmd.exe	93
PID 3596 wrote to memory of 1744	3596	cmd.exe	94
PID 3596 wrote to memory of 1744	3596	cmd.exe	94
PID 3596 wrote to memory of 1744	3596	cmd.exe	94
PID 3596 wrote to memory of 3308	3596	cmd.exe	95
PID 3596 wrote to memory of 3308	3596	cmd.exe	95
PID 3596 wrote to memory of 3308	3596	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\DangerousMidlands.exe
"C:\Users\Admin\AppData\Local\Temp\DangerousMidlands.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Winds Winds.cmd & Winds.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 243744
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Hawaiian" Higher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Decorative + ..\Properties + ..\Restricted + ..\Journey + ..\Respiratory + ..\Stations + ..\Flush x
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\243744\Provider.com
    Provider.com x
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1744
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\243744\Provider.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\243744\x

Filesize
469KB

MD5
ccff1c842a7be2adb62a7798303ac102

SHA1
a41749c1fe6fdb9af57b2a1e7d51809e4d8cafd6

SHA256
4d63ed24f3ec7a908bd6ab5f50a281b22d6d9e50a4daacdcfc674c6a0330d260

SHA512
3ab6bb4794327497b0117d36b5372c59be969de4eb858d73183af1f975570fed5263fdb4e2fde5e1b3b77e4411a929466c667d229bcb489d76d30d343e16cdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carolina

Filesize
144KB

MD5
dc929f37378e213e4dc1b0826fb74898

SHA1
a69e81714004fe12e4693dfdf24d8c83d5b7f068

SHA256
64b5c7a58d07fb10f42ac199f9046182d3ce0ef42498d2626e3c28263f49dfc7

SHA512
c7df6a8934b0807fc22e481b95ba30be92f4b3cb3b24391c9a31efc3a2d04600b0e4a4993825c5895df212d1c7c691afa791375ba446aec34e58b1c1de6a6eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheque

Filesize
93KB

MD5
71cbecf5584bfc8b9346e3fe0a43accf

SHA1
25073c60daa0ec28b5e76ad6ad9c35875d7b6849

SHA256
7f3031d667c30a2fc62edb0a56f4cfd21320921bef9f3b2725c90b633b3ee37a

SHA512
c6f3c72ce0cf8ea7008f02df2a6507a6a6d5fc6ecff421500ce9f1db97fd10b6caaa8b82e6589c837ef3e8334c00eedc92c68cfd564473d067e04c6e61308e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\College

Filesize
134KB

MD5
638c2d1c19311968ec6bfc046351d617

SHA1
eb379983e76e174a1683a624fc5692f81c78db68

SHA256
35d0ce6c16a2c20be07646bac9ac3259ae25ce50f294c536cf4d76331696412e

SHA512
b767c634453b3fc7a39dbd7c5b1f69eb8a3291ed0b37aeb6857cd0bfdbb92de1154288f8d6ed9edcd2afe93640d396c3537e35ea256107523c7917cbc9ad9ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Decorative

Filesize
73KB

MD5
94f9eaafc205b6c78656295c491b421c

SHA1
effe02799c7bf9555500688804019a0c6e554069

SHA256
b8d00124ea438f2d867cfdc01168f30e697b15639def134ab2f886c75f7c9dea

SHA512
5e18d34de030e157a7175442add8f30f07790e7941686a7aa0842d7d82ec65c9b01ed18796602daa9c5e65e279f185927ad515b5bf0698db3d0fb1991d54ebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flush

Filesize
30KB

MD5
6e195afbb009162b963d86d3093dc9e6

SHA1
74f3dd30d7320d82088da4c99b6cff2dba64e3ff

SHA256
e14150275a35c6f9707e8c86cd172b7a5edfd5d00dc75aed0cb2e0cb5561a999

SHA512
3b34da382477890fe12932e9054c221551f8d70031768b0bbdc6bd7bda442c77a4084bf61a4a9987dbe9b4c84c2b6c146c0b1517821353d1d3d1bedb54335f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Higher

Filesize
2KB

MD5
0928c31ddf50e741da974c5f82b97877

SHA1
83885458be15c85f7de8e9a46dcb11a2d94cdd73

SHA256
0adf235125f7761dd8aa466903faa0512c60806db20c830031450f71aebe83f0

SHA512
4a6e0e4bc5cd1c8277542fc9565fd9145b405b29b413b68d3fa44847092c8e27c4f28da1415f44cfc28027784ab67375e4319ddbb04fd8dffb1eeedf096dce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Initiatives

Filesize
87KB

MD5
2d27a00e0478620a373a7d06452dd7a5

SHA1
76e6a8a7697b80ee22534d3d08c125b9252d3cd8

SHA256
bac544fb084f7aa2a5ad3ab35d5017c16654775ccae1813100f55b9214c0b58a

SHA512
56fd8e5b58d7ffb9f641adca79c5b9e4b84c81c6ecfbba0615d23c5ebe07b63cb16491ce6d16b76b3249c4231d9b47fcfb3e52fcd9644e2f6b32bd5bd16f22a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Journey

Filesize
83KB

MD5
89e88c858a03bd5a6de374e80a224aea

SHA1
e175dcecf146c60431c4a972cd88acf482511367

SHA256
06746aa0952ab17a8b300d08402ed041e23947678e39b054748751586266ee67

SHA512
56668a082fc0c37f4819428b6cda761b071c7052d134712f6d4934bb9a917e39ef79a1e32f8bac995ab83f0572b817d0929bdbbe0497b8a5b788a09633da836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Outlet

Filesize
113KB

MD5
099455c137087bdde548653451591c5f

SHA1
9f24f2bfe2fdb233b68c119d4f2640dacda4f7b4

SHA256
f6fd37c0370e316eef9894d797b2d7eb6581d6871fdc36bcd9abe538d70bfff1

SHA512
78e13c74baa56475bba24e6a7003f2add3d84bb084310df3ed5436d99aaa18dc9f856c11039fd0a50d5a3e3242d87b01f60eb4c2c3120f7acf31d5565f31c0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Properties

Filesize
52KB

MD5
42744df3d5f328d0e4adf75ecb84ae01

SHA1
f79f66118832ca26c61877c0fcf50e82ce1206b0

SHA256
2aba7d10fcb586c7a9f6f8aa366c8d905962cadefebdebdf40262b3861964bc9

SHA512
c453f41ca3bc7effbdbfc73ab4f5d0a829a84156818a98dcd46c588f54af48e2eccb8f5182ebd884aed1a2afd965770e88b5f5e8bdac6897c9628feb049169ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Respiratory

Filesize
65KB

MD5
1c7d09a2823f7721b1bcbaab272c7769

SHA1
7f6ea5fcefbe39d47a7abe32a04e417d949afb3e

SHA256
66a3bd71f206c8728c1852c2e98546f673f22117d828b99648a68cbe828c3e2f

SHA512
8cd1b96d16e92037e862a20a6b60f7ade7b89d18d77c15ba643e241f1eecdeef8e1bacd26a24909f8fed03ca5b90dd50043fe744288f975cf32aca8e2508a80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restricted

Filesize
92KB

MD5
b4244a9e46d4b64dd56234864e5b721c

SHA1
f1d69c64d2ad10c2c89044a5500f6522019305d2

SHA256
c0b207f6049b94b641e32053970df8fbd99d0539447281c8af5c55cdc3339f3d

SHA512
23f5d7f09ef5c875ce57c5cacf63ca534d032fcd1de0a0bdff24b9c3f326ca79646bd2b99608817343298d6ddb9912a5e53c6f6c9d064c1d393e9020fccddcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stations

Filesize
74KB

MD5
1ee234f30b4027f57c70065b52cc92bf

SHA1
e4a6d4e53c39787cc399d81e74360c177065a256

SHA256
e32fc368261f27e66ef7d985747337f70575ec941381adfecad33e93b0bd9e2e

SHA512
2583a6373e19a1e499b7c229159203ad15288e69c5790c1223a59af4117cfc0f2645c4fd13ce69ed0135e89ed2f720ca642acf366cbdac406ca23daf1060f5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tobago

Filesize
81KB

MD5
b2dbc762459e3eaf29095374a2b5ec0b

SHA1
570a3dde0ecb5f2cd7d4d6f993b0f2366daf113c

SHA256
c1b063a68fe6eb8b0a0ce8a1c3f4c12b04e9654d4a9947f4a1beddd2682b423c

SHA512
42b321ef781e27b3939c255d1d245060cbbf3fe7abadcba2123ba9d1a9effd33ec1083a931b48d4f913c7fe429d2b1cb0f98767a44845ca7c0de647bb18d3cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Toll

Filesize
94KB

MD5
b54b81d6ff5835691e471815ad6ac529

SHA1
df77bf36d1ddfdf633b1c2d90902cbaa164d2b3d

SHA256
2f35a3e8cf1b4ff4a1b1b6e0bf0528f5b3e4893e5b9de11149c0b9d9894b5f90

SHA512
8e878c4dd9f2914246fda4a96b422daa91fbd87e2439af0af7d5d167c6eafc2a9df6af0a212923f033214d902c09563d264a392db44e52c2a823da186cbcd10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Violent

Filesize
94KB

MD5
dd6237162ba6e2648f4d111980507b94

SHA1
73a85f1962375b48ca015a0a25d1325ce387334b

SHA256
81fe7b33f68ff82682039b4d647f75fff71407afb08883f0464357ce070280c8

SHA512
4a55b0790e1887c83df82025bac5f79ce7542bbcdfb8d4a01ed4913822aac462eaecdfe967d227d850bf7b50a594d4e12a16dac65c7eade67d597d7019b79879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winds

Filesize
26KB

MD5
d353d15e539cd507f7fc381a8ca10e09

SHA1
fab6ebcbc6d869b72c05f1e9dbaebe39a1a81abb

SHA256
143de3efb5fffe4746ebfdf13a082de16129cfba040434188a93d49e40963caf

SHA512
80a1b63f063b88e3c88e62668778209ec28e446bcea347838035f6544480c2099a0f9106b86296d79b1fa8f40e21b33aa812c959d286f14f52f099c15f595268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wyoming

Filesize
83KB

MD5
f2c8eeca01cc54c87ce44804ef31f4f6

SHA1
07301c1548162acc98bebc9c155563644ac10971

SHA256
0bed453d8d06c358ea9fdcda0bc3538d7c21b3b5eefb3d7c83ce324a501bf782

SHA512
82907789042d33d753c2ac44b44bd8ef11fb9728998577c34e461c309e1cce01ade194b99e0e222637ac8d9efd5a4b1d8264f6fe1409cd0363a5031e5b67d116

Download Submit
memory/1744-44-0x0000000004C30000-0x0000000004C86000-memory.dmp

Filesize
344KB

Download
memory/1744-45-0x0000000004C30000-0x0000000004C86000-memory.dmp

Filesize
344KB

Download
memory/1744-46-0x0000000004C30000-0x0000000004C86000-memory.dmp

Filesize
344KB

Download
memory/1744-48-0x0000000004C30000-0x0000000004C86000-memory.dmp

Filesize
344KB

Download
memory/1744-47-0x0000000004C30000-0x0000000004C86000-memory.dmp

Filesize
344KB

Download