lumma | 6c1aebbf3ca02f341c5c1780855da45130d749d3c49f8d35f9f115fe7ef779f8

General

Target

0PENM3.zip
Size

415KB
MD5

6360f16fc357154d539ea645bd770275
SHA1

9b4b81df7499bd09be8ae34740252998608e8797
SHA256

6c1aebbf3ca02f341c5c1780855da45130d749d3c49f8d35f9f115fe7ef779f8
SHA512

f374b966cc221c44ceae82af7e518920b7494d91c42e7fc39a36fd9bd4e19813bffdfbfa58b02b8855f821fbc2c9b2365ae01f0c2acbcc16699b53d839f1ff27
SSDEEP

12288:dhxWN97tvj/drrcYsfgz1yCyZlz93uyXo18d4lRYqa:dhxYLrc74zsCazuhGcRYr

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://toemagnifuy.biz/api

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 5 IoCs

pid	Process
4184	BootstrapperV2.exe
4716	BootstrapperV2.exe
3968	BootstrapperV2.exe
2700	BootstrapperV2.exe
440	BootstrapperV2.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5088	4184	WerFault.exe	88
3032	4716	WerFault.exe	97
4536	3968	WerFault.exe	100
2564	2700	WerFault.exe	101
1300	440	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4872	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4236	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	4236	7zFM.exe
Token: 35	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeSecurityPrivilege	4236	7zFM.exe
Token: SeDebugPrivilege	680	taskmgr.exe
Token: SeSystemProfilePrivilege	680	taskmgr.exe
Token: SeCreateGlobalPrivilege	680	taskmgr.exe
Token: 33	680	taskmgr.exe
Token: SeIncBasePriorityPrivilege	680	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
4236	7zFM.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe
680	taskmgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 4184	4236	7zFM.exe	88
PID 4236 wrote to memory of 4184	4236	7zFM.exe	88
PID 4236 wrote to memory of 4184	4236	7zFM.exe	88
PID 4236 wrote to memory of 4872	4236	7zFM.exe	95
PID 4236 wrote to memory of 4872	4236	7zFM.exe	95
PID 4236 wrote to memory of 4716	4236	7zFM.exe	97
PID 4236 wrote to memory of 4716	4236	7zFM.exe	97
PID 4236 wrote to memory of 4716	4236	7zFM.exe	97
PID 4236 wrote to memory of 3968	4236	7zFM.exe	100
PID 4236 wrote to memory of 3968	4236	7zFM.exe	100
PID 4236 wrote to memory of 3968	4236	7zFM.exe	100
PID 4236 wrote to memory of 2700	4236	7zFM.exe	101
PID 4236 wrote to memory of 2700	4236	7zFM.exe	101
PID 4236 wrote to memory of 2700	4236	7zFM.exe	101
PID 4236 wrote to memory of 440	4236	7zFM.exe	102
PID 4236 wrote to memory of 440	4236	7zFM.exe	102
PID 4236 wrote to memory of 440	4236	7zFM.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\0PENM3.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Users\Admin\AppData\Local\Temp\7zOC8086EC7\BootstrapperV2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC8086EC7\BootstrapperV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1380
    3⤵
    - Program crash
    PID:5088
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC802B687\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\7zOC804D5B7\BootstrapperV2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC804D5B7\BootstrapperV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 864
    3⤵
    - Program crash
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\7zOC803B378\BootstrapperV2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC803B378\BootstrapperV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1232
    3⤵
    - Program crash
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\7zOC80DD008\BootstrapperV2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC80DD008\BootstrapperV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1272
    3⤵
    - Program crash
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\7zOC8025708\BootstrapperV2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC8025708\BootstrapperV2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 1220
    3⤵
    - Program crash
    PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4184 -ip 4184
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4716 -ip 4716
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3968 -ip 3968
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2700 -ip 2700
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 440 -ip 440
1⤵
PID:100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC802B687\README.txt

Filesize
124B

MD5
3b4bb14e17a60137e3e93c7adac41bcb

SHA1
de09ed28df13d9325e816d0c656582a929077876

SHA256
bde691c014e6a2527d5ef783d065edf14bcfe83b20c1ff97c22d280633b5287e

SHA512
ec76f39b6ab4c6f822a1777c78212d659d86760458da9f050fba48bef12cba054573f25fc96278b49cdb163bed41a157123c01d3897226584cd1b57a653dfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC8086EC7\BootstrapperV2.exe

Filesize
415KB

MD5
fc2e0446721487d644058a889879600a

SHA1
41b59c8f80831d095919cda022b4b65253e2e727

SHA256
2a74a6655521ad0737e85cba5ad9d9f6d82122824fda7ab862524f2e7457613b

SHA512
f00c9a9f0d83c232c00733a42ab491788f563c923469d0c8a992c0124f5efe554e318e7d8c02601306adc1630ba61b56ef086cd99745c8612384c6bc39c229c9

Download Submit
memory/440-81-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/680-93-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-91-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-92-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-83-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-90-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-94-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-82-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-89-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-88-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/680-84-0x0000022B31630000-0x0000022B31631000-memory.dmp

Filesize
4KB

Download
memory/2700-80-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3968-78-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4184-18-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4184-17-0x0000000002270000-0x00000000022BF000-memory.dmp

Filesize
316KB

Download
memory/4184-16-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/4184-15-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4184-14-0x0000000002270000-0x00000000022BF000-memory.dmp

Filesize
316KB

Download
memory/4184-13-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/4716-39-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing