lumma | f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
Size

1.3MB
MD5

bcae44d5bf6fcd34c12ef6a6502faf7c
SHA1

7b383cb56e8070e1595da9d44885f2a9eb8037cf
SHA256

f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966
SHA512

9f6229c4c6e3363746499be720d7fa466a6646bfd3adb46f0c66b23af923d9fec91bfcfcd16f8b4e746bfdf64bad807eef5b0250c659e4c3b109ab24c2b4d3b2
SSDEEP

24576:YHHOcwqlg+qnztwE240yrFIrStE5ouCE4g23X/pQIjFvqxFx+vIK/kGM3ESw8bIX:pctt8440yrFIrbd4ls8v9/kGiEhAIX

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://brendon-sharjen.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe

Executes dropped EXE 1 IoCs

pid	Process
3648	Thus.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2304	tasklist.exe
3192	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EditorNationally	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
File opened for modification	C:\Windows\AbandonedRocky	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
File opened for modification	C:\Windows\ChamberClassification	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
File opened for modification	C:\Windows\ExpensePlace	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
File opened for modification	C:\Windows\InterestOpening	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thus.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3648	Thus.com
3648	Thus.com
3648	Thus.com
3648	Thus.com
3648	Thus.com
3648	Thus.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	tasklist.exe
Token: SeDebugPrivilege	2304	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3648	Thus.com
3648	Thus.com
3648	Thus.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3648	Thus.com
3648	Thus.com
3648	Thus.com

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2348	216	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe	84
PID 216 wrote to memory of 2348	216	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe	84
PID 216 wrote to memory of 2348	216	f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe	84
PID 2348 wrote to memory of 3192	2348	cmd.exe	86
PID 2348 wrote to memory of 3192	2348	cmd.exe	86
PID 2348 wrote to memory of 3192	2348	cmd.exe	86
PID 2348 wrote to memory of 4984	2348	cmd.exe	87
PID 2348 wrote to memory of 4984	2348	cmd.exe	87
PID 2348 wrote to memory of 4984	2348	cmd.exe	87
PID 2348 wrote to memory of 2304	2348	cmd.exe	89
PID 2348 wrote to memory of 2304	2348	cmd.exe	89
PID 2348 wrote to memory of 2304	2348	cmd.exe	89
PID 2348 wrote to memory of 1460	2348	cmd.exe	90
PID 2348 wrote to memory of 1460	2348	cmd.exe	90
PID 2348 wrote to memory of 1460	2348	cmd.exe	90
PID 2348 wrote to memory of 1312	2348	cmd.exe	91
PID 2348 wrote to memory of 1312	2348	cmd.exe	91
PID 2348 wrote to memory of 1312	2348	cmd.exe	91
PID 2348 wrote to memory of 3908	2348	cmd.exe	92
PID 2348 wrote to memory of 3908	2348	cmd.exe	92
PID 2348 wrote to memory of 3908	2348	cmd.exe	92
PID 2348 wrote to memory of 1900	2348	cmd.exe	93
PID 2348 wrote to memory of 1900	2348	cmd.exe	93
PID 2348 wrote to memory of 1900	2348	cmd.exe	93
PID 2348 wrote to memory of 3648	2348	cmd.exe	94
PID 2348 wrote to memory of 3648	2348	cmd.exe	94
PID 2348 wrote to memory of 3648	2348	cmd.exe	94
PID 2348 wrote to memory of 4940	2348	cmd.exe	95
PID 2348 wrote to memory of 4940	2348	cmd.exe	95
PID 2348 wrote to memory of 4940	2348	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe
"C:\Users\Admin\AppData\Local\Temp\f697d689701ccacd6870c3fc077cf6d12585dc6db60b3ab7db483e3d7180f966.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sporting Sporting.cmd & Sporting.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 306780
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1312
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "wallpapers" Broken
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Nhs + ..\Opposed + ..\Mighty + ..\Pee + ..\Exact + ..\Cheese g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\306780\Thus.com
    Thus.com g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3648
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\306780\Thus.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\306780\g

Filesize
449KB

MD5
a60d9db58e543ec3c28b130d0e34308f

SHA1
b29a076831af6aa97b78aac211cc02ead3c08c5e

SHA256
8fd5f42b71fac0fd4dce26dd66f12d866ad57449dec6630bc7aac9e86d32b138

SHA512
1299907f67fad3e275afa5352aaec5775594ce180d48bf4c96227a85e9c3e0515a6039dcaf14d81bd0da0ae661d863b56178ee3cf0a1e78abcbfdd4acf052b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adam

Filesize
93KB

MD5
86fbe2f2ca2062a4d20c0b1fd379f884

SHA1
62cc1eb1ca9a881605e9b2a7a696e063dfa1cfd8

SHA256
c65a8df4f832013787e2123c5707ebe7ed962bba704c443ad991386f2fca0d28

SHA512
908cdfcb7cbdd0421957c08e28a73b2f0078fef6c706d2da49c3e81d61e11b0b838bcb6444035511d953aa81bc85438ca510004ca08417f23378822bcfcfd377

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apartments

Filesize
145KB

MD5
8bdab09194bcf5d66620dd1a9facf894

SHA1
62a3113668523bfa38697b7a9c7c3f1059636da2

SHA256
2faff363e0710d0161c0c12be67745077ca3e7217828b44b638c84550e3039b3

SHA512
bcd38580bb353c47baeac34ca46b04ff269540a910ce1b88fe05fbfa42f8c7accc098eb9c19cf1ac8408af8c9691296185b88afb631db4b66b08b43f700ed3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broken

Filesize
1KB

MD5
8eccc8f820616ce78209b17cd49dcae2

SHA1
b3a50baee8bb942e58541d08f0b46f8d970ee211

SHA256
228304a12f8d53a4412189e7daeb36e91152a559dd5771f8e759671613a72cde

SHA512
94f807098de485976d84e0f2ed910f1dc5a00e0f237e573b68e8c5b3a83f34375e9b221aa9c91ae363fd8e825ba95676ed2e82d17881c71b7079c568decc36bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cashiers

Filesize
109KB

MD5
626544db47deb510641ff5765d07c448

SHA1
79d0e2db7c3cc534b79bc04200c0a08e5e21b8a7

SHA256
f3ad3199ac7c32bbbc38f24aa0ad7b5b3e44faf78f07d252c8a82225c0c3e9eb

SHA512
2cc3f6689ca0ada299e59d560c54e677bf85380d48cf99faf5ac3f564780e3fa10d12cc0968cc45a8820c2e3f8cecd6be07cf90e8b02162fd3d5670649f72087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheese

Filesize
72KB

MD5
71291cdb1457619c224b2bdf8f947ea0

SHA1
991208f16a6a57db3e7cbea6c0303ec8e44974b1

SHA256
20bd748fb58ea8ab9777dadb1a7bb337574fab69d6fd3856a04a0d423788d950

SHA512
59913c6d3709b6eaad3a218f9bfa5d36a9064056985f118a4ccd71e20e3571dcab584692242cdbbb24e2bff698387cbff064201d4afa67dc0619d7b049898f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exact

Filesize
77KB

MD5
82c5ab2baf653ddc124963ff8703e05b

SHA1
20cd128c297382976bd4e471f5136a92a32eae84

SHA256
a212cb65191970f32c7f94f2ed7b63fdc2cb71c59dd89ab68462156eb99c266c

SHA512
e723cd3ceeef6304d362c2fbe69554f9fcdb94d867055b70503ad3f9f3b85933fd2310e23ceae1779704d1a8be3b6404588bf9b38ef65a3acdd651725821df53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expert

Filesize
142KB

MD5
41bec8b99d97b29ab8486dbd90b8c18d

SHA1
db062dd94c07aaf03828a22a7ae37b8d3d5a283b

SHA256
5ab707f4a01a1425155d60220c81c4c6b9bf192c6fd00666f8250c4d374c489d

SHA512
9c253ca61a60a3367929a34e4f972ced06e7264a1054e355ce3efbfb5349b04881a91d3239850babfc041c487a7cf460fe8b142528caa64a9e3d27c80a6e311e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lie

Filesize
104KB

MD5
5117ff8a6f809d8f8022230a76bf51d8

SHA1
f8d427a45d409e9a221dfa1836336dab89aa4b70

SHA256
96dd8c9f9a3a47c26ebc7ed191cce55b2d819bd1110d2b20c0f99f97e2f9d758

SHA512
c709bf9dcc5618e092a4eb01e8b3584b09e67cd5979ea6f45465ff10fb3f956abb9c71cfe640c91dccc13d7f7aeba192af79d7a00d6c6f76dd8d4a8887964b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mighty

Filesize
64KB

MD5
f82466887a60c7ebbc36d971845de219

SHA1
12bda8e847c18f3f3e2dbd952078bd76e5c59118

SHA256
eb30343fcdce51976e366bbb34ece5d23bc41379304b061240fca88453c73ab1

SHA512
91814002dcfaebb129cd5ff669c95fa1b5a66e6f1ddb741f31d6e14a364d0f70727426267450d66811eab977d086b743e05f6392dc49261ebb4e845347cfb993

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nhs

Filesize
93KB

MD5
99a70b64293c43cdc840af3c54583f47

SHA1
3b95bc8d825ffbb3c07721cf0f50275ed5abdab1

SHA256
79a7da521ea3f175a40553d569a3318d80d358da388866f710a8d6debeaaec0f

SHA512
bb7e70271f57114cdad66f4f2435e0f4c65cb0e20f3b2e864a78f1d6a34b571fd142dc70e899a51797ea1321e1565b3cfb726440a7434de9ca156215bf616989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opposed

Filesize
75KB

MD5
7f30991fcc979b0c2880ca2b1cc7ac86

SHA1
f2f7272c202c43f3ea50c7df06c860d9408d0969

SHA256
77ef860123e7c9f530d64724820edf34c19a3d3e705f5061a8691b03c12ec120

SHA512
8369a8a5c45e6963b2ff0afaffe597a17191326ea5ea37e0ba1f24148a909ac769023b2bc9eecd09c6304b339d9dc63aacc07f4f48d16276ae8a3d776c5d6ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pee

Filesize
68KB

MD5
d6656d7a38e0d4c6be1a7a61ff2d066c

SHA1
b9d826b6915d10c80c91a4f43ca6e4f78ee02e61

SHA256
9ec948bcc257babff912d8c949be2ee09f8ada892e02f1a76693c363dc4c3477

SHA512
d80a3eee6f4018b96a7eacf0ed7fd655fcfcd475d797eefefbcb320845944342b7836d9dfbcefb07d28a8ec4fa0b4cd4288b7dc79b07361d4da4be668c98bd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Similarly

Filesize
145KB

MD5
cb8247d2065626d0eba0e67de7570918

SHA1
59cb956bc2a1b533d2a10f6223da2752509933ed

SHA256
1a65de05ba90141d74b32113b1e750da78fdf01ffbff5e0f01ca1a9533997152

SHA512
a06654a2cf2336d8b418f03b5a5e66010f82be7546a3c41a96e97f0b5bf2156979e87748e99e69e65b71a65055d6ecf5adeb94cca947e0dd5fc100b234cb26b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sporting

Filesize
25KB

MD5
3e5dd12107a5cd41b5eaf18e067bcf18

SHA1
3905dac8cc40d53acf7a09ff2a5e439efa6ef128

SHA256
98bb92982edf7af851f915c2359c35a9003e06e7765cdaa10e8e3d8b436f0f8a

SHA512
4704cb60e561b0fd656b92f47a6133f40a24a1d524dabd6dc5d36608da76a768fe8542d7b73d70ca073a0a9d0fc997eaaac2cf09d4e046d47a7a37821773748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spring

Filesize
14KB

MD5
7ae2204a4c1e7de61a10ccd94949b1bb

SHA1
43248be515dc2ec40ca1e69f448b77e5b4eea72f

SHA256
1d1d3c1847f04374420d6cbabe91e193565bc1dbeddecf26bdfafc975484e15e

SHA512
149f383d467c2b7260bbf3022e57ee2b7a0aab0a3166525b2e8ca9abe1191db4e11cfd053a8aca36e8ee89f34d5dd38824fbcf66d91fb2b22306501282a42468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrible

Filesize
50KB

MD5
27919eae398af5a4e9fb628faad7dda9

SHA1
fe590d9b57194e3d2f94e3f3c0722d233db3d61a

SHA256
f73e67bb1f85f7d9c40894f9fbb387243f3daeb729fbdd19b66a284a4171dc2d

SHA512
cd4bfd0b71fbf7dd21f08e69b6d316e74404f2759fa29c430b90bb23715a30126ad019847563d9eaea2484f273189706d2fff24fa15ee02143f381f4143be085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weather

Filesize
121KB

MD5
f14e4ceb8d2725c35da2722bc7662be4

SHA1
20c8321318f8884bfe9e0e15f101705d8b4ec2ac

SHA256
5154d72e374cb7d9f7c77d11c57176b5597f51bb9e273073157eb2e2abf1f3d9

SHA512
90192fcd089682c05e8a1ea8e2a20900e9843519bd3ae6ca4b469a803542b784b8e0fa003ff237b74384e0ec833a1a4961842e90026d72f8560ffb7e0fc7c6b0

Download Submit
memory/3648-43-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3648-45-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3648-42-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3648-47-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3648-46-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download
memory/3648-44-0x0000000003F90000-0x0000000003FE7000-memory.dmp

Filesize
348KB

Download