Analysis
- max time kernel: 92s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-01-2025 07:28
Static task: static1
Behavioral task: behavioral1
- Sample: msit.msi
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: msit.msi
- Resource: win10v2004-20241007-en
General
- Target: msit.msi
- Size: 16.1MB
- MD5: 18577f68754f3e2703cdca2df9ba65ff
- SHA1: 8d8846470510b1b6f81c0725975c7c3589568bb3
- SHA256: 413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95
- SHA512: eb238a258b0dfe40716c2a8bc847951abbac4e7224ecefcb13be559a63cc39e6645e406764991cb60b87aa082196b890ff78c3c25c659b851eb02c4064e8eaec
- SSDEEP: 393216:LPF3zv8Zrqb+CUuubX26jytnTPjnXcBv9k2VvOTp:JzwqNUHytvnMd9Z
Malware Config
Extracted: lumma
- https://impend-differ.biz/api
- https://print-vexer.biz/api
- https://dare-curbys.biz/api
- https://covery-mover.biz/api
- https://formy-spill.biz/api
- https://dwell-exclaim.biz/api
- https://zinc-sneark.biz/api
- https://se-blurry.biz/api
Signatures
- Lumma family
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2672 set thread context of 428 | 2672 | MSIBEE2.tmp | 94
- Drops file in Windows directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSIBB12.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBCFA.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\e57baa5.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57baa5.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBDB7.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBEC2.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBEE2.tmp | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBC5C.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBCCA.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIBD78.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6} | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2672 | MSIBEE2.tmp
- Loads dropped DLL (6 IoCs)
  pid | Process
  4196 | MsiExec.exe
  4196 | MsiExec.exe
  4196 | MsiExec.exe
  4196 | MsiExec.exe
  4196 | MsiExec.exe
  4196 | MsiExec.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  4496 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dxdiag.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3812 | msiexec.exe
  3812 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 4496 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4496 | msiexec.exe
  Token: SeSecurityPrivilege | 3812 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4496 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4496 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4496 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4496 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4496 | msiexec.exe
  Token: SeTcbPrivilege | 4496 | msiexec.exe
  Token: SeSecurityPrivilege | 4496 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4496 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4496 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4496 | msiexec.exe
  Token: SeSystemtimePrivilege | 4496 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4496 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4496 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4496 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4496 | msiexec.exe
  Token: SeBackupPrivilege | 4496 | msiexec.exe
  Token: SeRestorePrivilege | 4496 | msiexec.exe
  Token: SeShutdownPrivilege | 4496 | msiexec.exe
  Token: SeDebugPrivilege | 4496 | msiexec.exe
  Token: SeAuditPrivilege | 4496 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4496 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4496 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4496 | msiexec.exe
  Token: SeUndockPrivilege | 4496 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4496 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4496 | msiexec.exe
  Token: SeManageVolumePrivilege | 4496 | msiexec.exe
  Token: SeImpersonatePrivilege | 4496 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4496 | msiexec.exe
  Token: SeBackupPrivilege | 2652 | vssvc.exe
  Token: SeRestorePrivilege | 2652 | vssvc.exe
  Token: SeAuditPrivilege | 2652 | vssvc.exe
  Token: SeBackupPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeRestorePrivilege | 3812 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 3812 | msiexec.exe
  Token: SeBackupPrivilege | 3376 | srtasks.exe
  Token: SeRestorePrivilege | 3376 | srtasks.exe
  Token: SeSecurityPrivilege | 3376 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 3376 | srtasks.exe
  Token: SeBackupPrivilege | 3376 | srtasks.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  4496 | msiexec.exe
  4496 | msiexec.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 3812 wrote to memory of 3376 | 3812 | msiexec.exe | 90
  PID 3812 wrote to memory of 3376 | 3812 | msiexec.exe | 90
  PID 3812 wrote to memory of 4196 | 3812 | msiexec.exe | 92
  PID 3812 wrote to memory of 4196 | 3812 | msiexec.exe | 92
  PID 3812 wrote to memory of 4196 | 3812 | msiexec.exe | 92
  PID 3812 wrote to memory of 2672 | 3812 | msiexec.exe | 93
  PID 3812 wrote to memory of 2672 | 3812 | msiexec.exe | 93
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
  PID 2672 wrote to memory of 428 | 2672 | MSIBEE2.tmp | 94
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4496, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\msit.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3812, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 3376, depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 4196, depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 818AC78F20233D1E813856E19018E76B
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSIBEE2.tmp (PID 2672, depth 2)
    Command line: "C:\Windows\Installer\MSIBEE2.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\dxdiag.exe (PID 428, depth 3)
      Command line: "C:\Windows\SysWOW64\dxdiag.exe"
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2652, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 863B
  MD5: 79a0460d47a12d87af965755fa6da98c
  SHA1: c245a545f4a082de3bea262fd3042041c7a54341
  SHA256: fc097b02cfee09706bfc0b1a61de1e98e6925ea57db369bf4a5f2238c0cad9df
  SHA512: 4a1d1274ad6eb5c2d472703773e555b9aa01cdb8fefee2db8d87fe5cc91a7c647a979ea1d30cca79d9b2e336d3ed82ef4059066bb141d7cc7e967eff1bdba6dd
- Filesize: 997KB
  MD5: ec6ebf65fe4f361a73e473f46730e05c
  SHA1: 01f946dfbf773f977af5ade7c27fffc7fe311149
  SHA256: d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f
  SHA512: e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7
- Filesize: 1.1MB
  MD5: 03cc8828bb0e0105915b7695b1ec8d88
  SHA1: cbf8ec531ea7e3ee58b51bd642f8bfabdc759ee1
  SHA256: 0e1491ae7344f3a5ec824732648ccdda19b271d6f01471793bf292840fc83b5e
  SHA512: 593a76166eb6ce2e3537b0d93e216daef12e4ab5b181a194b55a90b39a1af2e0374c4ec3833a000530425319a003cd1a648489640fccaf108061ebea1d9cb1e7
- Filesize: 12.5MB
  MD5: 4d82074854750fdba89d76624cc1e6f6
  SHA1: 1cab8150956317418f64e67692072cac8472b75b
  SHA256: 019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d
  SHA512: 068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d
- Filesize: 24.1MB
  MD5: d5ace65832c083031794d1eb084f794f
  SHA1: d6d0933a9970ec2bffb6351ca743147797e439c7
  SHA256: 976f15a2da3c318b26f49b697ea7d0cfed370ee2f28b992349d61cb41047c79a
  SHA512: 239c8ea6edceba8f5867173a7211216da23acdee448ea6ccc33b6c27971df86ee2dceb11aab9734b95d1154d0b23a7010778453f77c9f3a96b9eeef9c32f613d
- \??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3e907ba8-686a-424a-b179-05e83d5c2e27}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: e5c609f9427e4619a115a4c3724489cf
  SHA1: 9d8acffdfefc7655c886be73abc6bbe55b0ca540
  SHA256: 6fcfe8f4b5516446db2eef00963904749ce53d2546d9b738f1b7fb4c8c8f66b7
  SHA512: 7ae087784a96fde41a74e61efff0384c9b73960732e249fb872d245d2ef8b6c14a93867400c9e2fca2cf31978b5707153b8e9a3e1b8f052f235ad393ba605889