lumma | 413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95

Resubmissions

14/01/2025, 02:39

250114-c5d8tstrds 1

14/01/2025, 02:26

250114-cwtxxswpcn 10

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95.msi
Size

16.1MB
MD5

18577f68754f3e2703cdca2df9ba65ff
SHA1

8d8846470510b1b6f81c0725975c7c3589568bb3
SHA256

413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95
SHA512

eb238a258b0dfe40716c2a8bc847951abbac4e7224ecefcb13be559a63cc39e6645e406764991cb60b87aa082196b890ff78c3c25c659b851eb02c4064e8eaec
SSDEEP

393216:LPF3zv8Zrqb+CUuubX26jytnTPjnXcBv9k2VvOTp:JzwqNUHytvnMd9Z

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3992 set thread context of 2268	3992	MSIF208.tmp	98

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIEF15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF021.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE78.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF208.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ecb2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{15630F35-AF86-45E7-B3CF-07A0AC07CAF6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1A9.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ecb2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF09F.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3992	MSIF208.tmp

Loads dropped DLL 6 IoCs

pid	Process
4284	MsiExec.exe
4284	MsiExec.exe
4284	MsiExec.exe
4284	MsiExec.exe
4284	MsiExec.exe
4284	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2368	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3608	msiexec.exe
3608	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	3608	msiexec.exe
Token: SeCreateTokenPrivilege	2368	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2368	msiexec.exe
Token: SeLockMemoryPrivilege	2368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2368	msiexec.exe
Token: SeMachineAccountPrivilege	2368	msiexec.exe
Token: SeTcbPrivilege	2368	msiexec.exe
Token: SeSecurityPrivilege	2368	msiexec.exe
Token: SeTakeOwnershipPrivilege	2368	msiexec.exe
Token: SeLoadDriverPrivilege	2368	msiexec.exe
Token: SeSystemProfilePrivilege	2368	msiexec.exe
Token: SeSystemtimePrivilege	2368	msiexec.exe
Token: SeProfSingleProcessPrivilege	2368	msiexec.exe
Token: SeIncBasePriorityPrivilege	2368	msiexec.exe
Token: SeCreatePagefilePrivilege	2368	msiexec.exe
Token: SeCreatePermanentPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	2368	msiexec.exe
Token: SeRestorePrivilege	2368	msiexec.exe
Token: SeShutdownPrivilege	2368	msiexec.exe
Token: SeDebugPrivilege	2368	msiexec.exe
Token: SeAuditPrivilege	2368	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2368	msiexec.exe
Token: SeChangeNotifyPrivilege	2368	msiexec.exe
Token: SeRemoteShutdownPrivilege	2368	msiexec.exe
Token: SeUndockPrivilege	2368	msiexec.exe
Token: SeSyncAgentPrivilege	2368	msiexec.exe
Token: SeEnableDelegationPrivilege	2368	msiexec.exe
Token: SeManageVolumePrivilege	2368	msiexec.exe
Token: SeImpersonatePrivilege	2368	msiexec.exe
Token: SeCreateGlobalPrivilege	2368	msiexec.exe
Token: SeBackupPrivilege	2416	vssvc.exe
Token: SeRestorePrivilege	2416	vssvc.exe
Token: SeAuditPrivilege	2416	vssvc.exe
Token: SeBackupPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeRestorePrivilege	3608	msiexec.exe
Token: SeTakeOwnershipPrivilege	3608	msiexec.exe
Token: SeBackupPrivilege	532	srtasks.exe
Token: SeRestorePrivilege	532	srtasks.exe
Token: SeSecurityPrivilege	532	srtasks.exe
Token: SeTakeOwnershipPrivilege	532	srtasks.exe
Token: SeBackupPrivilege	532	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2368	msiexec.exe
2368	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 532	3608	msiexec.exe	94
PID 3608 wrote to memory of 532	3608	msiexec.exe	94
PID 3608 wrote to memory of 4284	3608	msiexec.exe	96
PID 3608 wrote to memory of 4284	3608	msiexec.exe	96
PID 3608 wrote to memory of 4284	3608	msiexec.exe	96
PID 3608 wrote to memory of 3992	3608	msiexec.exe	97
PID 3608 wrote to memory of 3992	3608	msiexec.exe	97
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98
PID 3992 wrote to memory of 2268	3992	MSIF208.tmp	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\413c17f73a0831d6ae209e491856a66e07e8c0af70e7e06f68a7b7570ccb3a95.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3DCD288C346C8ED9C1E151195A866906
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Windows\Installer\MSIF208.tmp
  "C:\Windows\Installer\MSIF208.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\dxdiag.exe
    "C:\Windows\SysWOW64\dxdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ecb5.rbs

Filesize
923B

MD5
bdf084da1f8452eaffd5fbed516197fb

SHA1
455c4117b16bde27d0eb7649b22f4b69169adf8c

SHA256
841a1a873abe40762b97cea3c3363fd17ce96cdf8c24c61e835bef450a398ee6

SHA512
b0ed61311f8cfd51fe63c8107ce88d615fa06b835ee391e322d6903c68bdbdec567ed0cb48ba5cc4e48014f24dae9874c15b111a521b9e10237dc931670cb0b2

Download Submit
C:\Windows\Installer\MSIED1F.tmp

Filesize
997KB

MD5
ec6ebf65fe4f361a73e473f46730e05c

SHA1
01f946dfbf773f977af5ade7c27fffc7fe311149

SHA256
d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

SHA512
e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Download Submit
C:\Windows\Installer\MSIF021.tmp

Filesize
1.1MB

MD5
03cc8828bb0e0105915b7695b1ec8d88

SHA1
cbf8ec531ea7e3ee58b51bd642f8bfabdc759ee1

SHA256
0e1491ae7344f3a5ec824732648ccdda19b271d6f01471793bf292840fc83b5e

SHA512
593a76166eb6ce2e3537b0d93e216daef12e4ab5b181a194b55a90b39a1af2e0374c4ec3833a000530425319a003cd1a648489640fccaf108061ebea1d9cb1e7

Download Submit
C:\Windows\Installer\MSIF208.tmp

Filesize
12.5MB

MD5
4d82074854750fdba89d76624cc1e6f6

SHA1
1cab8150956317418f64e67692072cac8472b75b

SHA256
019cf1aad1f8d4f1b5dae3aa609b2b53cffc3c7894b58b9f0b225868aed7342d

SHA512
068bd8c1db17c4def612618d463239f002e8f4712691a8fc9163215bdaa7bc5306aa861c396438c647e7b839c2c67c5709b25e0695e1baa668aa100310255f9d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5c7b952ba172d72e004b42c56cde3bee

SHA1
8c51b7e6c314b028788c590bc2cdb0fb04f35745

SHA256
c1d98d0a59ec6ecc7bdf7ad7f000c0e48b35497ff1c01313d1fad6b955233d90

SHA512
0e0f18b8f37e9c98ab998525780bf5ac974e1e3bc427e152e628da24c954c600347986c9d65159fa191bff655a0063a2dfc192308242c29f074fa230a8a1e753

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b8391db-a836-448b-97bf-2d6761066034}_OnDiskSnapshotProp

Filesize
6KB

MD5
eee37ebbf068d28fdc0063b67b391b16

SHA1
b56e7481060c52e51db9ac7ddb8368a3715b7a04

SHA256
7bf69ea4b9b3b058ecb977cbe75dbb544cfdd366a2543ba12edc7a2b03cb17e4

SHA512
b2f1d70ae9339d977a49eec0fdb996758fee131ac5723e7ecf2e5b81c9f8f50c7066d88ed7d5cd1791e39c79d09bf7412daceded7525ad5d066dd53b6e64aa66

Download Submit
memory/2268-49-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2268-50-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download