lumma | 1bd09dad3359a821385639f51431006b663dc30f6dd8aa2630d4bdf4f12ce282

Analysis

max time kernel
100s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-01-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV2.exe
Size

150.0MB
MD5

ff9ecb042a95c9076b683c69d9d0310e
SHA1

07c9486bd6424dedcac4e16e5d10ecee69be1c9a
SHA256

572ab5e1c62b3fbc5bc0b5e7886a101beb89c5a4d074ee6d1c4bc037bdb5cf73
SHA512

d1bb1961698e6ae5070254270204c28ac99dfcc987eb295c9368fccbf9f62c014cb8e3194c35469161fd4bd73b642bbe8ff7598f149702325b89c1fb1d4acb91
SSDEEP

24576:fcpoY4ocmpX9j2UlWW915b8/cIAwVX+o5U+tITb71b7j:JY0sX9j2UAOjIEIAwN0+tS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://jubbenjusk.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	BootstrapperV2.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	Collection.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4136	tasklist.exe
3932	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PublishedSs	BootstrapperV2.exe
File opened for modification	C:\Windows\CoinConverter	BootstrapperV2.exe
File opened for modification	C:\Windows\MorganPass	BootstrapperV2.exe
File opened for modification	C:\Windows\WvEstablished	BootstrapperV2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Collection.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2152	Collection.com
2152	Collection.com
2152	Collection.com
2152	Collection.com
2152	Collection.com
2152	Collection.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	tasklist.exe
Token: SeDebugPrivilege	4136	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2152	Collection.com
2152	Collection.com
2152	Collection.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2152	Collection.com
2152	Collection.com
2152	Collection.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 4992	3412	BootstrapperV2.exe	81
PID 3412 wrote to memory of 4992	3412	BootstrapperV2.exe	81
PID 3412 wrote to memory of 4992	3412	BootstrapperV2.exe	81
PID 4992 wrote to memory of 3932	4992	cmd.exe	86
PID 4992 wrote to memory of 3932	4992	cmd.exe	86
PID 4992 wrote to memory of 3932	4992	cmd.exe	86
PID 4992 wrote to memory of 4660	4992	cmd.exe	87
PID 4992 wrote to memory of 4660	4992	cmd.exe	87
PID 4992 wrote to memory of 4660	4992	cmd.exe	87
PID 4992 wrote to memory of 4136	4992	cmd.exe	88
PID 4992 wrote to memory of 4136	4992	cmd.exe	88
PID 4992 wrote to memory of 4136	4992	cmd.exe	88
PID 4992 wrote to memory of 2928	4992	cmd.exe	89
PID 4992 wrote to memory of 2928	4992	cmd.exe	89
PID 4992 wrote to memory of 2928	4992	cmd.exe	89
PID 4992 wrote to memory of 2856	4992	cmd.exe	90
PID 4992 wrote to memory of 2856	4992	cmd.exe	90
PID 4992 wrote to memory of 2856	4992	cmd.exe	90
PID 4992 wrote to memory of 3248	4992	cmd.exe	91
PID 4992 wrote to memory of 3248	4992	cmd.exe	91
PID 4992 wrote to memory of 3248	4992	cmd.exe	91
PID 4992 wrote to memory of 1824	4992	cmd.exe	92
PID 4992 wrote to memory of 1824	4992	cmd.exe	92
PID 4992 wrote to memory of 1824	4992	cmd.exe	92
PID 4992 wrote to memory of 1988	4992	cmd.exe	93
PID 4992 wrote to memory of 1988	4992	cmd.exe	93
PID 4992 wrote to memory of 1988	4992	cmd.exe	93
PID 4992 wrote to memory of 4740	4992	cmd.exe	94
PID 4992 wrote to memory of 4740	4992	cmd.exe	94
PID 4992 wrote to memory of 4740	4992	cmd.exe	94
PID 4992 wrote to memory of 2152	4992	cmd.exe	95
PID 4992 wrote to memory of 2152	4992	cmd.exe	95
PID 4992 wrote to memory of 2152	4992	cmd.exe	95
PID 4992 wrote to memory of 1660	4992	cmd.exe	96
PID 4992 wrote to memory of 1660	4992	cmd.exe	96
PID 4992 wrote to memory of 1660	4992	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Twist Twist.cmd & Twist.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 637575
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E According
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Corporation" Coastal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 637575\Collection.com + Innovation + Trinity + Walks + Cleveland + Followed + Britain + Told + Executed + Zinc 637575\Collection.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Campaigns + ..\App + ..\Minister + ..\Timeline + ..\Journalists + ..\Attachments + ..\Complement y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\637575\Collection.com
    Collection.com y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2152
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\637575\Collection.com

Filesize
383B

MD5
ae367865f0be0758371b71120a86c6d1

SHA1
d4f37284dbf667bac9cc16f551f7cc573fd2f641

SHA256
39c02827133e674e5425ca11186ade42c493b4107694c0eaf2301d855b84686d

SHA512
4e17fd8c69926dd7712123826b71deae408ece5e033e4703bf75e39379f1b904ec7ce4d7e4370b94dad9e3428184f66b43028ff1179d201cb5399f816db105e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\637575\Collection.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\637575\y

Filesize
473KB

MD5
509388799038828408168e8936c1006e

SHA1
3d64f0b9f7ef995f9dccbead2a5a633fbaebad67

SHA256
d1153d48c90ed43ea397d0502c8fb6963a8d47883bebf8d63d539c35465d755b

SHA512
6aa34ff63de9817e4b778511236554d8d18664dda67d76aba8fef6db69a267c5bb00eb8878ac7098bdc1828faab9d2a769a8af9ce268f622f3619df6fb912a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\According

Filesize
477KB

MD5
c6da22e953f5d6e194c182ef9d398214

SHA1
05b020ab430337d34fcf010581bcf0a01658decf

SHA256
aad8f066433c5ddb5ce40ad640bf8d2ddc96abbc09eb1a8d815e1c59218144ce

SHA512
d51bd0bf6dc62baa9000dd6634292667d864044d8eed1d6680207496c493a9a5b17d98e4aa08027716932bd94b04b35b166c7d7ac7542b43d3184f70c5e962b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\App

Filesize
69KB

MD5
30dfb5b3f6e74fbc6b8393854dffa8fc

SHA1
018c9219f53d44182b4a4565d4ea9515af53690e

SHA256
f2e5a15a9e755df57d44737ed14d6589a0e8293c4c205b2e1c922cc3cb8489bd

SHA512
54431bc6958eda2b45e633e7427886d5d447b99d0f0a24a5186fb7fe2fbc71c7f4df6246b224b3a7b71c396e440312f235f9ce643cf42522511a22d754b5f824

Download Submit
C:\Users\Admin\AppData\Local\Temp\Attachments

Filesize
73KB

MD5
4ddaaf7c1b3447594ea19331cec96e8c

SHA1
3989b67d528dc9ce5ed840daa5f5ff946f943b0c

SHA256
fe8c010b699cf73b4d828d3d86509ccf1d822bddda115de390eca8c59cf1b564

SHA512
befc9523812d616f07dda8862291b316694163b5ec43ac3be6a48c551778259ce48efbd42dcdcb50053643266b4cd2954db4a273d6e3ce6a7577f6eefd358201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Britain

Filesize
101KB

MD5
97f8c42016f1ff671e108ba556a185d3

SHA1
13d6ae5a3102fa4d6b1c4897f37a6c1b0e843cc5

SHA256
8e99918a8e44917b13546d33cdaa371e43f9ef8f0ee5d9fa17aa5b359606317b

SHA512
b787cab551c976eed623827e90d57659f0baac3fd36d09cb9a642068db475094ffdd6a73a308b3c5beab888666917235cb4163fd838444f8043c1f46e457fc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Campaigns

Filesize
67KB

MD5
98319c11c8c1cd78a529fadc5998020c

SHA1
a79a10708d3e11c73365aebf5c5ca00fa4a4f9a9

SHA256
b4a6242b27a6711e575fbd88b300c0086debdd962973ce82c5f8d273cbaf457a

SHA512
f9eb3c5776665d2e593b3bc754c4cbb641f2658cc80c33d937296c042c03989153bcda71bbaf6f4ba0004889138e79c24d035497d567cdd66bf6f0fb11798c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cleveland

Filesize
100KB

MD5
d1e90dff5e9e0afad50831e58de8aa9c

SHA1
31e4159a95a708b024cb9219aa600c61dedf8cc5

SHA256
c30264610f3e8f40381b984d0c9e74505e006f0fd284bd7b1fb695225f547d67

SHA512
661c0a7b17cae9a27f2ca2a71e153482bd20cc0bedde9c9a964fce61d66bb4c8a53c7723ab6db0d6894f0351448ecbe74806a3bc977adcd9cc3f8252764d6895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Coastal

Filesize
394B

MD5
4083b97b69cdb6a691cb6bb78eac8170

SHA1
a53bd406f388ffc16fa9b11ed23e1f5c48e1145c

SHA256
c25a5c19747a6aaeb00e8a97800d630485a01867199e0ae7d10af6c5b409cebb

SHA512
f8c10aeb63fd7b8fe3ebe0db23505c1b518bfb54db569ffc25390e4f1502fdd8500e0d86fba4bbecda081aaa1eac488ba0d396c3fcb6aa1da1fee9df1a9a9698

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complement

Filesize
27KB

MD5
d9896a432eae409d87fd0bd3407c9cb5

SHA1
b396ed85d3907d3e4edee98c9576c9a3873ad8ca

SHA256
b93e2ae91147e8a634e26bfe792ce7f93c48a89c6a674d9b746090fe7c1163e2

SHA512
e756f79cd46348c55df07c8fd2a4ccddd4dd1dae2fa8b846e461c8f5e1b9d207a1a98aac110c4d970c6f4ac0d97aa5eb97bb016f085cee3b17d38e0ad3723672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Executed

Filesize
82KB

MD5
f608b9cbea2cac45955ada1b58ddae70

SHA1
6f13fc21cd80c3145bf9dbc8a062f4a2e8d2d04d

SHA256
25915c752cf9504a08245ea20e9a7bfa8094bf725a7bf60f527ef9f13549148f

SHA512
f0daac5912ba8177ac19ab7b06a3f2a208289a8976448435b188205905aeddf12f3b5ee8ce35f283a685b849ad4d357868c044144f4eb5cee2dbdc78a26273e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Followed

Filesize
134KB

MD5
29934db735f8f100d167a2b004a3d1e2

SHA1
8821e1ee70e4aa54505a1ae980898d6aad6d6dae

SHA256
f1a0e5e38e828d53c23d6dd2a557ee91b5d0cc3afb04eeadea9ea55bec42455c

SHA512
bd9baf1fbecec4a7fbd32f86fe4c90b8bb95dc65b943f5c84fbc043f4f04733be23bd36c9969ad68d8e89d65f6c70f47b672b86765e83e4138885a66542aa1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Innovation

Filesize
137KB

MD5
3c3988fa795265441ad9390d4ee171a6

SHA1
ca5cbcb893fb7b0dc82e09d2a5b41d0c933bcaac

SHA256
00c97189910776c057ca5b15fbc90c1a9afc168592df9fb1b472cda863df6a70

SHA512
784f11254633f2201423f7b3e89b300bf0b7a6fc057792f089b5a89b71b61ac209e0380d5f6e0d180b7e0156b72372f3481b0c37beb73fd7697aeb5f6a574c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Journalists

Filesize
87KB

MD5
c9fec4408155f6006827eba35af1f384

SHA1
73d30e220475271881c71911cb283ad24bf26363

SHA256
fb679686cc2f1c6f4e8ebfc53402567efaa2e2a82cb0efed8966f50db80d9644

SHA512
46bbcd49292d2a56a644d2b15deb4c907ca2112b118df2eacc4df168285ea4eb72343aabe2e72db0a7fe0d354623e6dad6431770431fd67d5c47b2f50e3767dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minister

Filesize
91KB

MD5
ff290a5754c961c72f2f625a900fa12b

SHA1
b2545c332bf50e20ece97cc99e6f9b7ec808b48e

SHA256
7f2ff05067b45bf807b79f9ce0015891b43e95c528824345e69ec378c27c9013

SHA512
a03b2ec0c2476982b6f990a4463d3e9ad50caae66ef811cce832a4efda2403d6be5dcf26b5bba4d32420aff642b924a91086331cb6e1f3cea659b8026ea76c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timeline

Filesize
59KB

MD5
b865fc7d2fa5620441067d180b445037

SHA1
2b73153e445d233a21c43d55694947cfcbfa2b04

SHA256
c8e76d4e23dc79939ea46fb4a88409458d78fa05cb86420f57d41132dba1b33f

SHA512
53d44273255b6c7e377b3d7ba5f64283bfd3d4fbf2db90997de5740d3704ce4ffe27cfa6494c0ebc62036f9770b8ca8b23a3bd086b74e322bcc38c9bf9627539

Download Submit
C:\Users\Admin\AppData\Local\Temp\Told

Filesize
109KB

MD5
acd623793bacd5cc52a489f80cad0309

SHA1
d18e0976805d510c368521c62e70a56d56e623e0

SHA256
8015a23ab93c815d7a215cc412974b09f1315062848a66582c9f311609d62b97

SHA512
19dde7ba632334a450bacd8f63b2ab310406881a9e2db202eb1dc76671dff52bf4f228cf19d1a952a41390c6bbc169b790cb1b017a648c454b3fa7d2774430b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trinity

Filesize
120KB

MD5
a34fec3e5094608cfae0d656d0f67a99

SHA1
eaf36199a41e3ca14295e00c27730a7551ce7662

SHA256
9f38e5a64b0de0826b1139b20f703412e49d9184cb1056b318a2ab9877922185

SHA512
899f93ce7f8d4e3e3dabae7cdc45f6f79ba64621e9e2997b4db2acd55438ccb675b181d9a467fd81984c4a42bde3bfb1b6370ffeda8b38e528107f0e0bb359e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twist

Filesize
20KB

MD5
de3bf90712e3dfb0e23bda22153b0fdd

SHA1
34be286fbb26b021f5fd8cf2594c6a5e87d2a507

SHA256
1a323e91936ee0dd4d48dbbf8231f84c34b0fdb4dc310d1495736b986852501d

SHA512
24880e1394650cc878a50d744bc240c8c27fc5b21f12c43ab53090b459be8acdf532acf8eebba24b1e79ce367884651add527f1b62c8ab6cf12eb5bf6b91d46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Walks

Filesize
79KB

MD5
751e192a63079f6a7bcab8899f0265d6

SHA1
970b793e09161bde610b2b084dca98cede20aaf9

SHA256
a2b91e0e35acf3ea5273c148699ee29b8f1a03a3f1481aa183125ab8ee1aac27

SHA512
13a57ec35e1acef2f8da2ae611c7cec176fbdac3367dfb60f7ae8cff61d834d220eaf8047eefbd5243daa29dec384381cc572701493aab602c64d32dfc8f704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zinc

Filesize
62KB

MD5
d301984e153779482174711095453c4d

SHA1
4ba42b2a34f0c2d46e85706cbd1b442c65869962

SHA256
b9da2398a39e17358eb02b823799cab55c33504584224ee29fe29a409ee66ca5

SHA512
2e628a7864056eb316b56d8a78f84968d7d6c774913c657d312bd0d2e1d0275dd2667d1cbe7121b988118c3e9a0cdf090802a1fcae919f4e7ded7e5bfac668a6

Download Submit
memory/2152-66-0x0000000004FD0000-0x0000000005028000-memory.dmp

Filesize
352KB

Download
memory/2152-68-0x0000000004FD0000-0x0000000005028000-memory.dmp

Filesize
352KB

Download
memory/2152-67-0x0000000004FD0000-0x0000000005028000-memory.dmp

Filesize
352KB

Download
memory/2152-69-0x0000000004FD0000-0x0000000005028000-memory.dmp

Filesize
352KB

Download
memory/2152-70-0x0000000004FD0000-0x0000000005028000-memory.dmp

Filesize
352KB

Download