lumma | d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msit.exe
Size

19.2MB
MD5

bb0ca87d28e7c1bfd53e3e592e75e684
SHA1

23be4528fe7dd78243845a6a08a88ce68200d59a
SHA256

d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
SHA512

217effd932ae2b5e21527bcc7a22c0f8a8ae0d89902ef00669ef9cc11463995c8c48d34d0b75b55dd50421c2abf19e8b72289abfbb7757339f825fe6ccdb59a7
SSDEEP

393216:kxVUrUl7eOos7orHgF4n5tZkk5b4EMqbfhYwWMr220ItXVca6cjL6OcaAeEKQHeg:CVUrUl7eOuTg4VkDEMq1YpItB6YOO1Af

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
3456	MSI7ECD.tmp

Loads dropped DLL 18 IoCs

pid	Process
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
4448	MsiExec.exe
3388	MsiExec.exe
3388	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msit.exe
File opened (read-only)	\??\M:	msit.exe
File opened (read-only)	\??\U:	msit.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msit.exe
File opened (read-only)	\??\R:	msit.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msit.exe
File opened (read-only)	\??\J:	msit.exe
File opened (read-only)	\??\T:	msit.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msit.exe
File opened (read-only)	\??\N:	msit.exe
File opened (read-only)	\??\O:	msit.exe
File opened (read-only)	\??\P:	msit.exe
File opened (read-only)	\??\V:	msit.exe
File opened (read-only)	\??\X:	msit.exe
File opened (read-only)	\??\Y:	msit.exe
File opened (read-only)	\??\E:	msit.exe
File opened (read-only)	\??\G:	msit.exe
File opened (read-only)	\??\L:	msit.exe
File opened (read-only)	\??\S:	msit.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msit.exe
File opened (read-only)	\??\W:	msit.exe
File opened (read-only)	\??\Z:	msit.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msit.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3456 set thread context of 3508	3456	MSI7ECD.tmp	89

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7D22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D53.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D64.tmp	msiexec.exe
File created	C:\Windows\Installer\e577c54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577c54.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CD1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D11.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D33.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7ECD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CF1.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	msiexec.exe
1640	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1640	msiexec.exe
Token: SeCreateTokenPrivilege	4072	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4072	msit.exe
Token: SeLockMemoryPrivilege	4072	msit.exe
Token: SeIncreaseQuotaPrivilege	4072	msit.exe
Token: SeMachineAccountPrivilege	4072	msit.exe
Token: SeTcbPrivilege	4072	msit.exe
Token: SeSecurityPrivilege	4072	msit.exe
Token: SeTakeOwnershipPrivilege	4072	msit.exe
Token: SeLoadDriverPrivilege	4072	msit.exe
Token: SeSystemProfilePrivilege	4072	msit.exe
Token: SeSystemtimePrivilege	4072	msit.exe
Token: SeProfSingleProcessPrivilege	4072	msit.exe
Token: SeIncBasePriorityPrivilege	4072	msit.exe
Token: SeCreatePagefilePrivilege	4072	msit.exe
Token: SeCreatePermanentPrivilege	4072	msit.exe
Token: SeBackupPrivilege	4072	msit.exe
Token: SeRestorePrivilege	4072	msit.exe
Token: SeShutdownPrivilege	4072	msit.exe
Token: SeDebugPrivilege	4072	msit.exe
Token: SeAuditPrivilege	4072	msit.exe
Token: SeSystemEnvironmentPrivilege	4072	msit.exe
Token: SeChangeNotifyPrivilege	4072	msit.exe
Token: SeRemoteShutdownPrivilege	4072	msit.exe
Token: SeUndockPrivilege	4072	msit.exe
Token: SeSyncAgentPrivilege	4072	msit.exe
Token: SeEnableDelegationPrivilege	4072	msit.exe
Token: SeManageVolumePrivilege	4072	msit.exe
Token: SeImpersonatePrivilege	4072	msit.exe
Token: SeCreateGlobalPrivilege	4072	msit.exe
Token: SeCreateTokenPrivilege	4072	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4072	msit.exe
Token: SeLockMemoryPrivilege	4072	msit.exe
Token: SeIncreaseQuotaPrivilege	4072	msit.exe
Token: SeMachineAccountPrivilege	4072	msit.exe
Token: SeTcbPrivilege	4072	msit.exe
Token: SeSecurityPrivilege	4072	msit.exe
Token: SeTakeOwnershipPrivilege	4072	msit.exe
Token: SeLoadDriverPrivilege	4072	msit.exe
Token: SeSystemProfilePrivilege	4072	msit.exe
Token: SeSystemtimePrivilege	4072	msit.exe
Token: SeProfSingleProcessPrivilege	4072	msit.exe
Token: SeIncBasePriorityPrivilege	4072	msit.exe
Token: SeCreatePagefilePrivilege	4072	msit.exe
Token: SeCreatePermanentPrivilege	4072	msit.exe
Token: SeBackupPrivilege	4072	msit.exe
Token: SeRestorePrivilege	4072	msit.exe
Token: SeShutdownPrivilege	4072	msit.exe
Token: SeDebugPrivilege	4072	msit.exe
Token: SeAuditPrivilege	4072	msit.exe
Token: SeSystemEnvironmentPrivilege	4072	msit.exe
Token: SeChangeNotifyPrivilege	4072	msit.exe
Token: SeRemoteShutdownPrivilege	4072	msit.exe
Token: SeUndockPrivilege	4072	msit.exe
Token: SeSyncAgentPrivilege	4072	msit.exe
Token: SeEnableDelegationPrivilege	4072	msit.exe
Token: SeManageVolumePrivilege	4072	msit.exe
Token: SeImpersonatePrivilege	4072	msit.exe
Token: SeCreateGlobalPrivilege	4072	msit.exe
Token: SeCreateTokenPrivilege	4072	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4072	msit.exe
Token: SeLockMemoryPrivilege	4072	msit.exe
Token: SeIncreaseQuotaPrivilege	4072	msit.exe
Token: SeMachineAccountPrivilege	4072	msit.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 3388	1640	msiexec.exe	84
PID 1640 wrote to memory of 3388	1640	msiexec.exe	84
PID 1640 wrote to memory of 3388	1640	msiexec.exe	84
PID 4072 wrote to memory of 3036	4072	msit.exe	85
PID 4072 wrote to memory of 3036	4072	msit.exe	85
PID 4072 wrote to memory of 3036	4072	msit.exe	85
PID 1640 wrote to memory of 4448	1640	msiexec.exe	86
PID 1640 wrote to memory of 4448	1640	msiexec.exe	86
PID 1640 wrote to memory of 4448	1640	msiexec.exe	86
PID 1640 wrote to memory of 3456	1640	msiexec.exe	87
PID 1640 wrote to memory of 3456	1640	msiexec.exe	87
PID 3456 wrote to memory of 4624	3456	MSI7ECD.tmp	88
PID 3456 wrote to memory of 4624	3456	MSI7ECD.tmp	88
PID 3456 wrote to memory of 4624	3456	MSI7ECD.tmp	88
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89
PID 3456 wrote to memory of 3508	3456	MSI7ECD.tmp	89

C:\Users\Admin\AppData\Local\Temp\msit.exe
"C:\Users\Admin\AppData\Local\Temp\msit.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\msit.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736512979 "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 09E5D79383FDF2D85E5D37CBDC24EB89 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3388
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBDDCC65B07963B188F24CFB0062C15F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4448
- C:\Windows\Installer\MSI7ECD.tmp
  "C:\Windows\Installer\MSI7ECD.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577c57.rbs

Filesize
1KB

MD5
ffe8d8772db5a779cf6f7023dedbb630

SHA1
cf5898223a5de618d72e58520c830687d1da8a49

SHA256
f779a0ea964c171df9864f6954c69f8a8058cff9b39bd90c59371f075708f2b8

SHA512
61961f7eb05d2abb66c242d78b80697d8bad7117ea0526852e94129fcc4a03269177fadf97e295992443b315ed0d5efedc68c4063ca4daf78824d2de90a7d797

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7ABF.tmp

Filesize
997KB

MD5
ec6ebf65fe4f361a73e473f46730e05c

SHA1
01f946dfbf773f977af5ade7c27fffc7fe311149

SHA256
d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

SHA512
e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7B9C.tmp

Filesize
1.1MB

MD5
03cc8828bb0e0105915b7695b1ec8d88

SHA1
cbf8ec531ea7e3ee58b51bd642f8bfabdc759ee1

SHA256
0e1491ae7344f3a5ec824732648ccdda19b271d6f01471793bf292840fc83b5e

SHA512
593a76166eb6ce2e3537b0d93e216daef12e4ab5b181a194b55a90b39a1af2e0374c4ec3833a000530425319a003cd1a648489640fccaf108061ebea1d9cb1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7BCC.tmp

Filesize
886KB

MD5
accd9092a35e468e8af934accd81e9f6

SHA1
3751384e5e586481618002469190e3c1f271ce6d

SHA256
8339a5ee92e53a155828e58e7700fc17d4f3f8ecb11daeb52aa1118ba3141ecd

SHA512
18e49e56ad2f78db7f4bfabab25cc3ecfcc8180beea8ff162a5d80bd0a6db9eb598f9fa1d5167f078a12f382663a2b205d7e512370e4873a60955a174826e8e3

Download Submit
C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\TeleportPresets.txt

Filesize
740B

MD5
dba29b1cc6a0ac337a02a1b600e59e60

SHA1
efeff3878b981326da4c70be8f9396f0b6020247

SHA256
9331ea0e713c45e2439d7d12709fdd0e1528137c0ef89ae96fb03150d0d9a5de

SHA512
e67a41bec75514ecb47ef2b0fe477cb2240ce9254d1656488f1f0e83b86e43e32b316f9deda9a67e731773928f9479cf80dabcefe88c99ac1f7de5dca795109e

Download Submit
C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi

Filesize
47.1MB

MD5
71b30f6890f9ecf0fabbf1cbbc2427f8

SHA1
41c12abedf033ca0e5d0114520b40f4160a20029

SHA256
5fe2cd05a7cd3783644e141058408f08427f02ddba6b7bc4220f191a43523a85

SHA512
2968e78f4ff28a77b2a6013d70774fed98df3b0cc6496f5d937cf046f37825027e4c2832f9342f0fd61eefda89dd4e1067fd602b9056d9b893be8d0f10628be1

Download Submit
C:\Windows\Installer\MSI7ECD.tmp

Filesize
12.5MB

MD5
4d82074854750fdba89d76624cc1e6f6

SHA1
1cab8150956317418f64e67692072cac8472b75b

SHA256
019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d

SHA512
068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d

Download Submit
memory/3508-107-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3508-106-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download