lumma | 8cdbf4c71eccc7065c76b28cae6df27e3967d9c660852399af837735a0060d69

Analysis

max time kernel
439s
max time network
445s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13/01/2025, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

EcheIon.zip
Size

56.1MB
MD5

52ccdaefd042307bbd1b2f53155aabc2
SHA1

675a7321f6f3291352926eaa550711d9cc71f6b0
SHA256

8cdbf4c71eccc7065c76b28cae6df27e3967d9c660852399af837735a0060d69
SHA512

2b0bb561619c520c97a5cf9b16aaefa402af2a69a56d77562478847443aafa4aa0312555290d6d7a14e4d31cb35e03ab8ef7148fa4d7ecfd8dd02f3db70b9940
SSDEEP

1572864:R3i5dzVOsoNxmP6E7IALTK/D0Y0TBIH3adpnkK5zWuiK1:RS5dzcNgyzAi/DyTBwODl/iK1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
420	Echelon.exe
2016	Echelon.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4768	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3276	7zFM.exe
3276	7zFM.exe
420	Echelon.exe
420	Echelon.exe
3276	7zFM.exe
3276	7zFM.exe
2016	Echelon.exe
2016	Echelon.exe
3276	7zFM.exe
3276	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3276	7zFM.exe
Token: 35	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 420	3276	7zFM.exe	95
PID 3276 wrote to memory of 420	3276	7zFM.exe	95
PID 3276 wrote to memory of 420	3276	7zFM.exe	95
PID 3276 wrote to memory of 4768	3276	7zFM.exe	97
PID 3276 wrote to memory of 4768	3276	7zFM.exe	97
PID 3276 wrote to memory of 2016	3276	7zFM.exe	98
PID 3276 wrote to memory of 2016	3276	7zFM.exe	98
PID 3276 wrote to memory of 2016	3276	7zFM.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\EcheIon.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\7zOCCC0CB28\Echelon.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCCC0CB28\Echelon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:420
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOCCC9D868\HowUse.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\7zOCCCB32B8\Echelon.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCCCB32B8\Echelon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOCCC0CB28\Echelon.exe

Filesize
2.8MB

MD5
744d976d5410b66062c88e5f91c957c7

SHA1
28475d40bdc8522f23d7e20c156f87db0ca6ac1c

SHA256
9826dac19113485c882821fe767407955dc8eec684a362f56e05133dd1047c53

SHA512
8d1d8e4cb92e6383510f44db1c79ee5d68d936397025685925c6a9418eb9b7518e5473f908c3ce8de4f0e8e672dabc21da6c1d089b402aa570216ae0eca2a380

Download Submit
memory/420-31-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/420-47-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/420-48-0x00000000025D0000-0x0000000002629000-memory.dmp

Filesize
356KB

Download
memory/420-52-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2016-53-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2016-56-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download