lumma | 138671f56898c4504a02588c6f9c4de6a3961ce015bb147d579bd54bc454ded1

Analysis

max time kernel
26s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

TZProject.exe
Size

686KB
MD5

b6ffc5ab3d9c3d132b0cdb490ed800d2
SHA1

69f55a57d6353649c3f709163bb7d440a3a7eb7f
SHA256

138671f56898c4504a02588c6f9c4de6a3961ce015bb147d579bd54bc454ded1
SHA512

4163a1537f80ef49a9ec9dd17b7bfb442be57afb24519d753ee2e2ba99c443e555b69570218aa1ee3a0e7b6419eb2432089d69f8c9f5771ada0115f2965f0f5d
SSDEEP

12288:rlGQs6nEzMMU1wYwFozDOVhRGHdhdBBmCU0SmegE0wgoNkTzD5NryZI5L36lo+Qv:MEEIDU+acZBxST0bbzD5Nre

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 1 IoCs

pid	Process
1464	TZProject.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 3664	1464	TZProject.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4256	1464	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TZProject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84
PID 1464 wrote to memory of 3664	1464	TZProject.exe	84

C:\Users\Admin\AppData\Local\Temp\TZProject.exe
"C:\Users\Admin\AppData\Local\Temp\TZProject.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1012
  2⤵
  - Program crash
  PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1464 -ip 1464
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
439KB

MD5
eadcfd7c84686da06b4fc381bfc96c72

SHA1
0b7d9f3daf6162d0c710ba51614279b8057b5aa9

SHA256
abb95c10ae4b1ff0aa36895d5001d3259f91dfd1bc5c6dfe77f6194be1b41d4b

SHA512
2d7aeaf802e451ab5d611db82eb1ba2241be6f7c91ed7b732d1784d27dbd6c1e701dc2d9b3c622ddee1299cea688c2f5a128f4af06281d3c3fbe41f926fa90d0

Download Submit
memory/1464-0-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/1464-1-0x0000000000970000-0x0000000000A24000-memory.dmp

Filesize
720KB

Download
memory/1464-2-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/1464-9-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1464-20-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1464-21-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3664-10-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3664-15-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/3664-19-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download