Overview

overview

10

Static

static

1

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    1.0MB

  • MD5

    87728a355bdc7e8f4694e7050f2767d0

  • SHA1

    600f6d3a26927b7a6c0f7bf51dabeda5216b2a6e

  • SHA256

    88e641d524e8d73968100a7ad06644330c487a038f564d4e619b2baad1c6975c

  • SHA512

    6ec45eecfa8117d7713b9f2f0ed8d2c969fc5d4796c57cb98e3bcc0c870d9a795bd682a867eb3b46ae6dcbfa5834ab1bf11e95800e91d0f200b69f424f9c7e97

  • SSDEEP

    24576:DAuugBY2lTVCj2gk4ZOpl3pV9oN86SIcRAsBwZwJIPboTNrcr7Z6p:AyX34ZOf3pV9SpS7R3BwZwJ8kray

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://sailstrangej.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Late Late.cmd & Late.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2864
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1504
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4976
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 29109
        3⤵
        • System Location Discovery: System Language Discovery
        PID:536
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Islam
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5072
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Lease" What
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 29109\Recruitment.com + Reality + Very + Stores + Architectural + Author + Copyrights + Beaches + Window + Bryant + Ecological 29109\Recruitment.com
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Territories + ..\Republican + ..\Rpg + ..\Des + ..\Sherman + ..\Actual + ..\Gamma k
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2504
      • C:\Users\Admin\AppData\Local\Temp\29109\Recruitment.com
        Recruitment.com k
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2480
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\29109\Recruitment.com
    Filesize

    1KB

    MD5

    8df784a5b9aa188f491d1de559fd1c63

    SHA1

    a6a4498fc21cf9fcf23f206135091fde79493ef7

    SHA256

    cf738663012a32c454d0b2cd1eacbd5cb25ab15eb02afa0933d4e32bb9e6aa01

    SHA512

    789c09417dfb0d0769f728d3b188f673811f28d28165f43ffc5c386893f876cbb33b7a7e971bbd16b1def4c4e4cc1142a6c97c7ae42d373a03482aa1ca610c4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\29109\Recruitment.com
    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\29109\k
    Filesize

    458KB

    MD5

    da944f1b8b6be0b09a07a5864e85ae9b

    SHA1

    cdbe0f5bc216820e519d14beb2cb8db3e2f0b81e

    SHA256

    0ca63c0fa82a093ed1094acdbb27496fa2db03490ddb517c05969fb865afa158

    SHA512

    cac5afec6288fb258f87398c3837831c701e5b3ee79972028df773f6d35397b95e6c3c67bc4de466c1de4d84f653e245574d6a8c8fcb2adb1b47f70189f89031

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Actual
    Filesize

    89KB

    MD5

    dce9d21eae9d45a9c38fc10aad21b67e

    SHA1

    3ba7be6c89dde0885cb7dbcb64cb659532840c0b

    SHA256

    72f4f1fc2741786cb68ec75fabae0db5f52fd8d62bf9bf772748a0065600fe24

    SHA512

    26008e1ba0788109f2da139a01cf2314bd45a2a971ac997a53aa3fe55d95298db77509d9ca60f7bf3864322560b4fe98b11d7ffc4639b471d4ea544d917438ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Architectural
    Filesize

    127KB

    MD5

    7599ba9d90f771f3e4b0c5b5fbd64342

    SHA1

    c407847b97416281fc43e30d73ca842a42beefec

    SHA256

    b9647a0e9f7297acf017498061344506bd65592ac65d064e634b9400523add4d

    SHA512

    18ef7c2550370915f1d7c852ea426c45baa0e22624d737999ea80a995c5bc94a948e1c006aee7996dbf09cd3d5eecf73942323e39cd6e8aa90d2882be7f8f639

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Author
    Filesize

    75KB

    MD5

    a813660b416b61141fcc7afd99d38377

    SHA1

    e18ee6c6163f6ed1ddafe90bfe4330aa7077cb78

    SHA256

    59a9bd61fdd835f336b743a261a0ec94397befa02bc6f096d9a3b904fe695ec3

    SHA512

    652751afae6097d0ae6f29b1d54df8d81f12213f1a92c2549a1e4eef6af9c957c39a7445fc1d0d6026b698fa12df549f5afe06dd4732f2222a865a27e71a00ba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Beaches
    Filesize

    71KB

    MD5

    98b2918431a32cf3dcc805d2a31908c4

    SHA1

    3bb6f3c5bf1cfea27f205b9b821ac09b48367ae4

    SHA256

    6cee9c503d4c13c35fbf7f0633d795a3b4b92034084238cdf160f992440e6008

    SHA512

    f0cccc331b85ae102f152ab915eca40d8ad160c43c54f96b3082cc89de733a524c6424e5b49dfc6ebfb2edd7afa65ed0a5e0c2344f3004c6765f050383d0ed2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Bryant
    Filesize

    73KB

    MD5

    315790bcb79ca9b29a9b2cb73e182167

    SHA1

    3b39a43329ec328752111e2c5eda9de73906cf04

    SHA256

    71080c53797aa05fb3e7ff9b8e3c257c88749080cc817549ae6eb281272c9ad9

    SHA512

    2f2ff27d31f15a4d5ef89f639bb908a4df222de729f292331347f4eeba518e2d3c2331feb05a08a6104fdcf56479dbc80942e91859452e3bd17e44f56f898b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Copyrights
    Filesize

    98KB

    MD5

    4095b1d2183f221811f177ffaded7ecf

    SHA1

    d231981c6ae43b9020426abdd71e0e6d6427dea9

    SHA256

    124697a0d5c297ef6a1eae35d34420f154ee0b82de34cdf678a4f0a8e72e6ebf

    SHA512

    59e9e2313c5ff521d554e129898426401b9d34a92197ca8eea17f7ac7aa6b10c917e621104306a5f753139c4bb667ba64a1ce03384f8bf1345756bed28b44559

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Des
    Filesize

    78KB

    MD5

    58478c608113470c85e3726183a4b94f

    SHA1

    7509c9f890e93f7bc8071ea7ef4ccf2f2233326e

    SHA256

    f5ccea03d6edbc5b568f162f9976c79ef4f09b8d4cbc43dcf2062e55e954a434

    SHA512

    1a2ab4ccc399c85a85b6496772cde79a17f4d67825eaae672697387b6d7c8070181ca901dde6e8dd50a983300bd27b2831e93c773239f69e05187dccdfd1637c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ecological
    Filesize

    100KB

    MD5

    4a0294469a49c4ec22d5576d8de4f39e

    SHA1

    4bb9f23ad80bfa4b8baa5b8279ca9b270da53d25

    SHA256

    cf28e2ba01e1472aaa3666cfcb05b4369c054783d2d9bdac45876a34231d1c8c

    SHA512

    b910eaab22de9f11e81a6da99d6bfc42b7c38ba6912858be4966da31fd7a370656d4830af1807f9377c1a5b3cdebda4c6f6684433b14dc2f72324675c735ac4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gamma
    Filesize

    4KB

    MD5

    0366e7bad0ecbae174987320a18d718d

    SHA1

    6771cfde1d8803b4bf4e7d39f940b6d7491858c6

    SHA256

    bd7ea86cc2c79aa038881b2a557d48b2415a8dc7a16c3384bcb770670977e541

    SHA512

    3b11fe0aa47cafb507c996e58b2b13aac29fc836e0c4d59babda29bab7abee97503251557a808adf2b09e95e08429ceb71aa86c8b67b7122fc863f5336670a4b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Islam
    Filesize

    476KB

    MD5

    63cce942b061e197f595b2ef8f2d8fd7

    SHA1

    99b0f13368e95cb1c78890e7f8c933b89bbb50e3

    SHA256

    663e76764ee00c3cdf0655716c83a64d88d7e4cae67cb521ee8c649e0c0fc779

    SHA512

    128205b273a280e175a7fab0293ec39d0dafba0cb1166dc97cb2d6ffac716f60bd8e3097d96d10260bd8caafe5e58751cb7a919cbe769721b01e137bbd3b6b4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Late
    Filesize

    15KB

    MD5

    ea9c129d5a1c0cc0bbac9048f7d9a43a

    SHA1

    943f69e931e863ad061ae24d0c03584fe24e0dae

    SHA256

    3dc6317b7cf63081fcd3579568aa391aa49c5a58b2bede37d03fe3a11dab1c12

    SHA512

    ed916b32398139bee3c0af1cca36cdab418a460b13693845117467654c1803fdf0a612a7c77e3b38835833487eae262bb6f20a6443c0cd3288a561f06ad5cc5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Reality
    Filesize

    109KB

    MD5

    b610ffef969d1109ecc5cd333896430b

    SHA1

    677c18a95959c9f4e4e57825a0b61d5ea632d3dc

    SHA256

    eff2c51d0f1e4230befcb32dea0e53b94b5e3e4073807001775644208f59f30d

    SHA512

    cfae6fdc446cdee5e3c52f2a66f421ba4a24279c2fa907bb2f5cb89657a3f35a2938defb54c5c72bca4dd607d2de7e443a674286c8d67f3bafcefd773eb55fea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Republican
    Filesize

    95KB

    MD5

    149441d1b49970536cfe028c0f1a4cf7

    SHA1

    9ab1bceb231cabe135f8e1399df6243164f1c393

    SHA256

    6bea724e5ce5e91932591ba79f0f0ec3366c8bf0d41d6c4180c2114b1c192cbb

    SHA512

    1070b5fa1362890e1db8a8d3af81412df41c00891dc396e57f9f151f998bbeb9c9f10e4820c0d955d3f198939e2cb0953b8a3b7ebc3c7adf0e5175ba4f515784

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rpg
    Filesize

    51KB

    MD5

    61b55b792fdabc2455b4520db3864bb7

    SHA1

    072bcd0647ee3ae749fcdd48c96bf68e453054c3

    SHA256

    156f0ae02aa04a93ba027ef4845734fb5ed386b91cdcebac164a0528db028944

    SHA512

    c514401b3cf872052fbb88f8d473ba3d26d26722e6487f39258c00339814789ace5059e6ed6606d9c25b7dde3b8fa2df1e04f6a3a2d87a826d16aa4f8be5f700

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sherman
    Filesize

    56KB

    MD5

    3e03f6bc6ffc8a4d0858ea190239b1ad

    SHA1

    e374a77afe90ea570da603f006d9ed20e7f18715

    SHA256

    d05319fcc57691f0bfe15cf446260980cc41063ce9b60b6ced60b74ad6b9a487

    SHA512

    67004a1d7320d2a80b723d93558c1ead117bbe701f8cd6cc5656f2d171045812e1874e5906b68ba43c1f1e4511c40b55980e2ce5c933881a08330ff78b4ea83d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Stores
    Filesize

    91KB

    MD5

    1e961b6a7c8ca92fac734266cd228207

    SHA1

    62fb777cf084a53354f5d2a8bd8e5de5e0433140

    SHA256

    245f87889748863c7fb29b2c442c471d941446df93a50ee18dc509e33f0b55f5

    SHA512

    c4ab85536c5ca4632d2cf80fd38f7359a1eeec483f789da1cceb426eca5ea8860f5c5ced8e7db07a760bd9a928f1712e3a7670593f3b6049dcb97e5740e85c8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Territories
    Filesize

    85KB

    MD5

    8c702914d1797c49e2a65b4db657b19e

    SHA1

    f9ebc6c883f334fe48073759bf9e1553704378d6

    SHA256

    913661aa0ca405f217b47b2f9a9872380fc5e4dd45dcb4011a0f7492854fc61f

    SHA512

    693bfc91782e5d9ed68262a506d50fd2a1dfef941640c6188e8b9dbd06c4311109157188e08b8e0ae10c2e8070f6829fa53a2224748ebe666a32a47216bd80c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Very
    Filesize

    50KB

    MD5

    43787704d69dc1180082cc45fa8c6438

    SHA1

    647eea60fb3eeadc7a41e54cfae9907328d41013

    SHA256

    7f8d75383434c079ce116d6ffd13a4e413d55b647fe3c1e5565f22d4f8abb40e

    SHA512

    05bfdca50947017ae77878efb54da1c935cbcfb2677b205b89149938543bb69a9c8517a5c031062ab83e2bcea7f13676dd72dbf62435b91ffd0c87eaa493aad7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\What
    Filesize

    1KB

    MD5

    a3070a8c63b705e2e9d8067aef0fcb4e

    SHA1

    2ccb38af97830734b88717fa691fd8940aea2b71

    SHA256

    49f5641950b30be5b0c41e3ca8c1bb1ce9f1b1a15b115dc147627555dc9db347

    SHA512

    3e1df4f51bf194deb3c736b859d5b03956824e10aa776bb174e8b0abc81c7fc69504e85d80ffd5b68d4f12dfe3d821d4afb64d9d7ccd0f1c4829f2a83b3476c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Window
    Filesize

    129KB

    MD5

    70a5da33b42126bfcdde31fb97b2d8f8

    SHA1

    be0375bad0d2dc375addc72262fffa3cbdffe67c

    SHA256

    8b4ea37e35afb8749c3b8094cd63cd52b047eaba4d1efa1cc14bc90a1a4ef675

    SHA512

    5ff58e48f24e99969b3e04a41e9481dbd17a2055c4ca771cf00eab77c4dcf91e22a0ba05a3abe575d10e2f10f9c36e27fe64c9fab905b59f2294202d411dab2a

    Download Submit

  • memory/2480-70-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2480-71-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2480-72-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2480-74-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2480-73-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

    Download