lumma | a127a9f08c8d0bc85dc5645820232a408a1daabb6ec2a5b4c77d58b49431a64a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msit.exe
Size

19.2MB
MD5

bb0ca87d28e7c1bfd53e3e592e75e684
SHA1

23be4528fe7dd78243845a6a08a88ce68200d59a
SHA256

d34e7af4d266688eb65118de606ffbeb36d46d488c3be604a5cb240778550cea
SHA512

217effd932ae2b5e21527bcc7a22c0f8a8ae0d89902ef00669ef9cc11463995c8c48d34d0b75b55dd50421c2abf19e8b72289abfbb7757339f825fe6ccdb59a7
SSDEEP

393216:kxVUrUl7eOos7orHgF4n5tZkk5b4EMqbfhYwWMr220ItXVca6cjL6OcaAeEKQHeg:CVUrUl7eOuTg4VkDEMq1YpItB6YOO1Af

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
4520	MSIFC88.tmp

Loads dropped DLL 18 IoCs

pid	Process
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
3660	MsiExec.exe
3660	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msit.exe
File opened (read-only)	\??\M:	msit.exe
File opened (read-only)	\??\P:	msit.exe
File opened (read-only)	\??\Q:	msit.exe
File opened (read-only)	\??\Z:	msit.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msit.exe
File opened (read-only)	\??\O:	msit.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msit.exe
File opened (read-only)	\??\G:	msit.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msit.exe
File opened (read-only)	\??\U:	msit.exe
File opened (read-only)	\??\V:	msit.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msit.exe
File opened (read-only)	\??\E:	msit.exe
File opened (read-only)	\??\X:	msit.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msit.exe
File opened (read-only)	\??\K:	msit.exe
File opened (read-only)	\??\S:	msit.exe
File opened (read-only)	\??\T:	msit.exe
File opened (read-only)	\??\W:	msit.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msit.exe
File opened (read-only)	\??\N:	msit.exe
File opened (read-only)	\??\R:	msit.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4520 set thread context of 4556	4520	MSIFC88.tmp	89

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFAFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC49.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f9e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA7D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFACD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFACE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f9e1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
740	msiexec.exe
740	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	740	msiexec.exe
Token: SeCreateTokenPrivilege	4380	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msit.exe
Token: SeLockMemoryPrivilege	4380	msit.exe
Token: SeIncreaseQuotaPrivilege	4380	msit.exe
Token: SeMachineAccountPrivilege	4380	msit.exe
Token: SeTcbPrivilege	4380	msit.exe
Token: SeSecurityPrivilege	4380	msit.exe
Token: SeTakeOwnershipPrivilege	4380	msit.exe
Token: SeLoadDriverPrivilege	4380	msit.exe
Token: SeSystemProfilePrivilege	4380	msit.exe
Token: SeSystemtimePrivilege	4380	msit.exe
Token: SeProfSingleProcessPrivilege	4380	msit.exe
Token: SeIncBasePriorityPrivilege	4380	msit.exe
Token: SeCreatePagefilePrivilege	4380	msit.exe
Token: SeCreatePermanentPrivilege	4380	msit.exe
Token: SeBackupPrivilege	4380	msit.exe
Token: SeRestorePrivilege	4380	msit.exe
Token: SeShutdownPrivilege	4380	msit.exe
Token: SeDebugPrivilege	4380	msit.exe
Token: SeAuditPrivilege	4380	msit.exe
Token: SeSystemEnvironmentPrivilege	4380	msit.exe
Token: SeChangeNotifyPrivilege	4380	msit.exe
Token: SeRemoteShutdownPrivilege	4380	msit.exe
Token: SeUndockPrivilege	4380	msit.exe
Token: SeSyncAgentPrivilege	4380	msit.exe
Token: SeEnableDelegationPrivilege	4380	msit.exe
Token: SeManageVolumePrivilege	4380	msit.exe
Token: SeImpersonatePrivilege	4380	msit.exe
Token: SeCreateGlobalPrivilege	4380	msit.exe
Token: SeCreateTokenPrivilege	4380	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msit.exe
Token: SeLockMemoryPrivilege	4380	msit.exe
Token: SeIncreaseQuotaPrivilege	4380	msit.exe
Token: SeMachineAccountPrivilege	4380	msit.exe
Token: SeTcbPrivilege	4380	msit.exe
Token: SeSecurityPrivilege	4380	msit.exe
Token: SeTakeOwnershipPrivilege	4380	msit.exe
Token: SeLoadDriverPrivilege	4380	msit.exe
Token: SeSystemProfilePrivilege	4380	msit.exe
Token: SeSystemtimePrivilege	4380	msit.exe
Token: SeProfSingleProcessPrivilege	4380	msit.exe
Token: SeIncBasePriorityPrivilege	4380	msit.exe
Token: SeCreatePagefilePrivilege	4380	msit.exe
Token: SeCreatePermanentPrivilege	4380	msit.exe
Token: SeBackupPrivilege	4380	msit.exe
Token: SeRestorePrivilege	4380	msit.exe
Token: SeShutdownPrivilege	4380	msit.exe
Token: SeDebugPrivilege	4380	msit.exe
Token: SeAuditPrivilege	4380	msit.exe
Token: SeSystemEnvironmentPrivilege	4380	msit.exe
Token: SeChangeNotifyPrivilege	4380	msit.exe
Token: SeRemoteShutdownPrivilege	4380	msit.exe
Token: SeUndockPrivilege	4380	msit.exe
Token: SeSyncAgentPrivilege	4380	msit.exe
Token: SeEnableDelegationPrivilege	4380	msit.exe
Token: SeManageVolumePrivilege	4380	msit.exe
Token: SeImpersonatePrivilege	4380	msit.exe
Token: SeCreateGlobalPrivilege	4380	msit.exe
Token: SeCreateTokenPrivilege	4380	msit.exe
Token: SeAssignPrimaryTokenPrivilege	4380	msit.exe
Token: SeLockMemoryPrivilege	4380	msit.exe
Token: SeIncreaseQuotaPrivilege	4380	msit.exe
Token: SeMachineAccountPrivilege	4380	msit.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3660	740	msiexec.exe	85
PID 740 wrote to memory of 3660	740	msiexec.exe	85
PID 740 wrote to memory of 3660	740	msiexec.exe	85
PID 4380 wrote to memory of 5000	4380	msit.exe	86
PID 4380 wrote to memory of 5000	4380	msit.exe	86
PID 4380 wrote to memory of 5000	4380	msit.exe	86
PID 740 wrote to memory of 2364	740	msiexec.exe	87
PID 740 wrote to memory of 2364	740	msiexec.exe	87
PID 740 wrote to memory of 2364	740	msiexec.exe	87
PID 740 wrote to memory of 4520	740	msiexec.exe	88
PID 740 wrote to memory of 4520	740	msiexec.exe	88
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89
PID 4520 wrote to memory of 4556	4520	MSIFC88.tmp	89

C:\Users\Admin\AppData\Local\Temp\msit.exe
"C:\Users\Admin\AppData\Local\Temp\msit.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi" /qn /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\msit.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1736513250 "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 120C7080D1C460EDF1DB7D41DDF7A64E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3660
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 128165BDEB16D9F7B534E74EC0C2BC6A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Windows\Installer\MSIFC88.tmp
  "C:\Windows\Installer\MSIFC88.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f9e4.rbs

Filesize
1KB

MD5
692519254c19ac4ae9d22740b4b57174

SHA1
58aa1f0068a7f2ef9dd833422e905e361dc763ac

SHA256
15cdc2b37d58196fcb3c172c2585617420d463160423ada5a1a6f3451ea3b879

SHA512
bd5967129c2ed800d90fff99694c527a18d4c0482f01b5faa73b59f6bdac8877f815925f8bf75ad6363c3c74c7c9d848233daa5eb0581d5b49f80fb70c53ab40

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF84B.tmp

Filesize
997KB

MD5
ec6ebf65fe4f361a73e473f46730e05c

SHA1
01f946dfbf773f977af5ade7c27fffc7fe311149

SHA256
d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

SHA512
e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF929.tmp

Filesize
1.1MB

MD5
03cc8828bb0e0105915b7695b1ec8d88

SHA1
cbf8ec531ea7e3ee58b51bd642f8bfabdc759ee1

SHA256
0e1491ae7344f3a5ec824732648ccdda19b271d6f01471793bf292840fc83b5e

SHA512
593a76166eb6ce2e3537b0d93e216daef12e4ab5b181a194b55a90b39a1af2e0374c4ec3833a000530425319a003cd1a648489640fccaf108061ebea1d9cb1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF95A.tmp

Filesize
886KB

MD5
accd9092a35e468e8af934accd81e9f6

SHA1
3751384e5e586481618002469190e3c1f271ce6d

SHA256
8339a5ee92e53a155828e58e7700fc17d4f3f8ecb11daeb52aa1118ba3141ecd

SHA512
18e49e56ad2f78db7f4bfabab25cc3ecfcc8180beea8ff162a5d80bd0a6db9eb598f9fa1d5167f078a12f382663a2b205d7e512370e4873a60955a174826e8e3

Download Submit
C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\TeleportPresets.txt

Filesize
740B

MD5
dba29b1cc6a0ac337a02a1b600e59e60

SHA1
efeff3878b981326da4c70be8f9396f0b6020247

SHA256
9331ea0e713c45e2439d7d12709fdd0e1528137c0ef89ae96fb03150d0d9a5de

SHA512
e67a41bec75514ecb47ef2b0fe477cb2240ce9254d1656488f1f0e83b86e43e32b316f9deda9a67e731773928f9479cf80dabcefe88c99ac1f7de5dca795109e

Download Submit
C:\Users\Admin\AppData\Roaming\msit\msit 1.0.1\install\C07CAF6\msit.msi

Filesize
47.1MB

MD5
71b30f6890f9ecf0fabbf1cbbc2427f8

SHA1
41c12abedf033ca0e5d0114520b40f4160a20029

SHA256
5fe2cd05a7cd3783644e141058408f08427f02ddba6b7bc4220f191a43523a85

SHA512
2968e78f4ff28a77b2a6013d70774fed98df3b0cc6496f5d937cf046f37825027e4c2832f9342f0fd61eefda89dd4e1067fd602b9056d9b893be8d0f10628be1

Download Submit
C:\Windows\Installer\MSIFC88.tmp

Filesize
12.5MB

MD5
4d82074854750fdba89d76624cc1e6f6

SHA1
1cab8150956317418f64e67692072cac8472b75b

SHA256
019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d

SHA512
068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d

Download Submit
memory/4556-104-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4556-103-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download