lumma | 6e866c0894ebce4f67a2a315695dfd3ce79c00ddb9c65dde041722378cb8e80b

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

appFile.exe
Size

842.2MB
MD5

32631b6cbedddd18e184919eac89fb59
SHA1

2247e2e6c5fe57c5ca3ee850730dc44b1e7bffa2
SHA256

6e866c0894ebce4f67a2a315695dfd3ce79c00ddb9c65dde041722378cb8e80b
SHA512

d2842292ab92084e26abce206bdc7ac78ce71d65a1cc005c4503c97c0e4e8dd518b9ece69d547a9a1c86312e303a6620ec1730297a9c2fa20d3681c502e2d582
SSDEEP

393216:mopK6oL+cFVb/luYc8iIMKfvAw72b79xrsxLSageNfmsY8LizNP9B1jvXMfReg68:mogVVbdBASom0MUB19Bd8

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://craveinjuur.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	appFile.exe

Executes dropped EXE 1 IoCs

pid	Process
2484	Wonderful.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1280	tasklist.exe
1940	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OriginsWarm	appFile.exe
File opened for modification	C:\Windows\AwfulMarks	appFile.exe
File opened for modification	C:\Windows\NaNextel	appFile.exe
File opened for modification	C:\Windows\StructuralLace	appFile.exe
File opened for modification	C:\Windows\RequiringGulf	appFile.exe
File opened for modification	C:\Windows\ScrewTears	appFile.exe
File opened for modification	C:\Windows\LimitEngland	appFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wonderful.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2484	Wonderful.com
2484	Wonderful.com
2484	Wonderful.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 3588	1832	appFile.exe	84
PID 1832 wrote to memory of 3588	1832	appFile.exe	84
PID 1832 wrote to memory of 3588	1832	appFile.exe	84
PID 3588 wrote to memory of 1280	3588	cmd.exe	86
PID 3588 wrote to memory of 1280	3588	cmd.exe	86
PID 3588 wrote to memory of 1280	3588	cmd.exe	86
PID 3588 wrote to memory of 1584	3588	cmd.exe	87
PID 3588 wrote to memory of 1584	3588	cmd.exe	87
PID 3588 wrote to memory of 1584	3588	cmd.exe	87
PID 3588 wrote to memory of 1940	3588	cmd.exe	90
PID 3588 wrote to memory of 1940	3588	cmd.exe	90
PID 3588 wrote to memory of 1940	3588	cmd.exe	90
PID 3588 wrote to memory of 4712	3588	cmd.exe	91
PID 3588 wrote to memory of 4712	3588	cmd.exe	91
PID 3588 wrote to memory of 4712	3588	cmd.exe	91
PID 3588 wrote to memory of 2164	3588	cmd.exe	92
PID 3588 wrote to memory of 2164	3588	cmd.exe	92
PID 3588 wrote to memory of 2164	3588	cmd.exe	92
PID 3588 wrote to memory of 2980	3588	cmd.exe	93
PID 3588 wrote to memory of 2980	3588	cmd.exe	93
PID 3588 wrote to memory of 2980	3588	cmd.exe	93
PID 3588 wrote to memory of 2168	3588	cmd.exe	94
PID 3588 wrote to memory of 2168	3588	cmd.exe	94
PID 3588 wrote to memory of 2168	3588	cmd.exe	94
PID 3588 wrote to memory of 2112	3588	cmd.exe	95
PID 3588 wrote to memory of 2112	3588	cmd.exe	95
PID 3588 wrote to memory of 2112	3588	cmd.exe	95
PID 3588 wrote to memory of 5048	3588	cmd.exe	96
PID 3588 wrote to memory of 5048	3588	cmd.exe	96
PID 3588 wrote to memory of 5048	3588	cmd.exe	96
PID 3588 wrote to memory of 2484	3588	cmd.exe	97
PID 3588 wrote to memory of 2484	3588	cmd.exe	97
PID 3588 wrote to memory of 2484	3588	cmd.exe	97
PID 3588 wrote to memory of 4476	3588	cmd.exe	98
PID 3588 wrote to memory of 4476	3588	cmd.exe	98
PID 3588 wrote to memory of 4476	3588	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\appFile.exe
"C:\Users\Admin\AppData\Local\Temp\appFile.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Suppliers Suppliers.cmd & Suppliers.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 253941
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2164
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Continental
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "OBSERVER" Five
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 253941\Wonderful.com + Examined + Scheduling + Notebooks + Pasta + Microwave + Blood + Restrictions + Reseller + Chevy + Adds 253941\Wonderful.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Pharmaceutical + ..\Dive + ..\Wine + ..\Naked + ..\Diamond + ..\Future p
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5048
- - C:\Users\Admin\AppData\Local\Temp\253941\Wonderful.com
    Wonderful.com p
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2484
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\253941\Wonderful.com

Filesize
131KB

MD5
50d4076b89a0e35320464b4b98595dae

SHA1
fb930dd2b827c6f5e23caacad34348396beeb8bf

SHA256
63784e9d75b6633dee62d2a2e9cf45ba9cb6721205fd1f1841698a371a192e29

SHA512
20833cc5dece2f3493a4ca828e4ca2fc0eb3f278f79aadf455b1c4b38fa5266fc91adad2310609733a148baf945bea10830076811cbc47f54aae3faafab4ebed

Download Submit
C:\Users\Admin\AppData\Local\Temp\253941\Wonderful.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\253941\p

Filesize
461KB

MD5
2f0ab0cf3f48740d8c30e8a227f67cad

SHA1
85ce9510552b2ee1ed56f7efde8e181368e6dcbc

SHA256
1f831dce6e046d08b7d60b1cfb7f7a1bb1fa07961afa7ea4456e57641336bce8

SHA512
a7446599c14bde795403953f00ed2366b83ad819b9773eed07b022a1f4b4c1c39e3003b6f7faf4c87fba54b3ce7c791af1e94d074e248a46b8f03bfb205bee21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adds

Filesize
1KB

MD5
6802fa3aab1cb5972a3deac17bad6a50

SHA1
4fc2ddd4d1ba3a9ed59c387faaeaf503d5018c54

SHA256
00c9053e486f5ca78eb73fe53003adfa07419f4252dec1cfaeadd1eea3b09f92

SHA512
79a680e221c2642fff0a857ad76066877ed0cd9d23345cbc6f2a1eceacf3e3946cb2a44c4de06414991e01cd8811b2cec8434f7b3108ded91cfe589a4ee79cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blood

Filesize
97KB

MD5
24742eadab3491144d699c71190c3848

SHA1
ec0301019df82e8b6ad6c7f14b65cc2d122c4135

SHA256
e4b8ae3a3d7f5f1464661196089ff2841aebfb59a4c8ec3830a7746cd0220d17

SHA512
b5ce75c125fcc3abdbebccaddfbf5abcc49569d94bc065d1db6677f27365c46650b6f294ba6b5e5cf5dc79842f20ee8caaa509fcba0cff03d54c215df8008638

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chevy

Filesize
71KB

MD5
bc943b6b136171c3e3ed440a6921a9a9

SHA1
9602f1c2a0dc403b34a77958e49c8115114a3fe6

SHA256
41f21c1c3417745ac8b1b05fd64b3409cd74ba30f8df221e970b7b7b1256e29a

SHA512
e2ff31645a14ed46bbdcf0c4a36a07354797c7765f708705bca51eb1d9edd851cfa2a82cafeebd929b300b6b6567bdd3eea85a45a855a1c2041b388bbddae9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Continental

Filesize
478KB

MD5
dca58a3d9b62e53b988e585ced8e86bf

SHA1
0ed67a5401ceabb3b85d4a651dfec88ab5ab370b

SHA256
f515694a0ebb7c0444c7491146e3fd54f3b6bd338dc746485964aa0500598a9a

SHA512
013f7b84a67b9b94a2766f1cc014a9d35a59701195ee2136b8c8f71fa4207a681a5e116dcd5037c15774f4738f75ec2266a4e389999e0f4442a73af4c1beb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diamond

Filesize
84KB

MD5
8285770e17ffeae69d1b9f55716f26a3

SHA1
cdfa8c433e8bb2fd89f5d8008c8d6b0008cd9f21

SHA256
d56f9df4ce25ffcb61acb8e3e99c22dbf3f8faa842eea06881614afe25861f4e

SHA512
cae3edb04b41152cb92d29ddb3c4f50dd4e943443f4b341117f285045ea7fc03b782b6a13a3a87b4b2c4635cba9d6385246352e3af336121860fade8eb3e7fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dive

Filesize
77KB

MD5
ba0db84db7d1dc5c31720e96faad8baa

SHA1
44b566c2a011a00c09d2516a0fe606d01cd25561

SHA256
2fb47ac90d1ac59b5419c0b670a317ca8f2219fcc679820c44f3876381711d93

SHA512
1ea502d6b49517040f41c78c25ca1446ff681fbd3cb8795fa50a71a8ba14e9aa280c4333670aceb77af822bbce72dae27bcc8c73211a838dfb1c466aeb12ee6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examined

Filesize
130KB

MD5
89ace9d67138e061b6a91ace0b66a1d5

SHA1
69f8bc1c1786d13848516cc1bf4840877b7d93b0

SHA256
50488df3077ee5e2d979169a7a22435402e441b99f5e5d1fff7782363edf81ad

SHA512
0ab2ec8ae403c9c22dfe207efc67d16172d944989777d711b7690eadb71761a3816419b5e8a1b74a934be9c2594cb519ea328a6747eaba7ebb3f50eab8513dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Five

Filesize
1KB

MD5
185e8962d646d1743483fcd07a44300d

SHA1
376c4f67d666758f8091d569115598635ed0fd10

SHA256
ab170b07d71f015c0b871bc881af6ea8556521f304ac26f69572cb58a3679a9b

SHA512
616b095fe7f2884ac0a93a2ed9d2ab0ccabbe14cf15afa110058cd788a888ee39f1f5114dc982efe30fc88b54e4aef379218a6a124f0e038178d8253afa9594f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Future

Filesize
69KB

MD5
dcba8362a398c12d6f35051742c572b6

SHA1
367c28e06890cd0fd595674d723cbb7f910684bd

SHA256
59fc70979083d81827cc3a974b0d40c70b7ec1ed93927e3e509f0eaff3cc1dbb

SHA512
7b22c4c89446be211955d0cfe6a0f76d1281aed228c37aa9cddf5970d99127cf931792d692b63656eeb0bd751267450c8242c0ed41643f67d9cee7bdd0d35a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microwave

Filesize
88KB

MD5
a7eb2e0157088b3fce20ba16006a5352

SHA1
7894ff20f3e2c5ed9c34b92c8e68047399e4653c

SHA256
141add2bc9f03078fad3232c64a207cc6edd639b3e5a186fe9b050654d97370c

SHA512
01dda4e1bd100fab888a85cc7cfda0362a5bc22408a06f1964c020c45bb6924b6f9feca769b25dc4f9e6eff7769746ee40030fa57eb431200be009dc48a852ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Naked

Filesize
73KB

MD5
3a07386a3c1336945d0c44222a2b69c0

SHA1
f765b39444f1f354d625bf052a9405ea44a94066

SHA256
8770d22ca2535829abf2605212d40a9bde221f792034a46fe1c808866149dbf1

SHA512
a86b34f9b3985af12be697c69c6c82e47aed62c8c51155369c8b99da4d05f0ca1002a2b9c3eafb69740b3a3449ee1ceb323d34b21a0c1987889cd2cd56bb5235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Notebooks

Filesize
103KB

MD5
02d9e650f5699a75d9f5f037a527e602

SHA1
ad5b51842aacfafaf8e370d0269d5b53f085fea0

SHA256
f2ad129cccbdac3f2c88d610a9d329bd4c5686bcef87bdcce1e099114b078d36

SHA512
9aee4edd34573a137e0fd136d9c2df80c989737d6cb14c5e8178e95f4fd4c644af7a6bdaff1a14af15e21443fc00fe3ff5e511d2f6c1b55fe3496564837aa84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pasta

Filesize
114KB

MD5
639a3bc12aeb55aaf31af44b285fac82

SHA1
3146d3a2bb6d6b1f6693be915579a6af2b4387b8

SHA256
94fd3619c4505b0051bfbe76129ee0456f693687001985e8ccf70d353e0b1bda

SHA512
d632c349ee54d414b6fc9b4564fc0a1fd2f10ed11009fde9552f23875e22f97e51d986b970e2425fffac1c54da0710f3e13ab458d135fb1e8e170448504646d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pharmaceutical

Filesize
62KB

MD5
8ff3d152e7540cec8d7175fc4d8a1d2a

SHA1
0bc79a87059c4d6bebdbdbc996eaca5a17d8aef2

SHA256
1b11f5b26ba23b099c5b9c9f65948abd4e04aa54136167e430d23a87b0e2d97f

SHA512
62a5290db91c174f5a22552db3a9283acfb94f529b41ca9ad58b1888bea5fced0a5dcaba10fdd6d4460cae9c292fb166bfc9b9a613ce158aac1c5e49070e76ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reseller

Filesize
126KB

MD5
7d4be8a8a51f4235378bb22303f91a8b

SHA1
c3a1b73bfb0acf37e1c9805c72aa9fa695f9e961

SHA256
1e1170ab4bd77d5dc7015e301c530607cff1929c75ffa374d4d90a8f26f3ad43

SHA512
a1cc7ee05e35d74cfcb419365c0174f0659c690718216b961a08e70cab3e11f52ada3b9da2372f68344a2d256c64e696cc0cd569028ff517e8c1567664075a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Restrictions

Filesize
90KB

MD5
c48c12b003c7aa8497809c2de4c68aa6

SHA1
db20c84e8b73eed342dfc1ab7bb657271081a57f

SHA256
edf3209286f30386cc7f9eea38f237906394453ed88aa39b4c91af71c9abb603

SHA512
20982a102e18e1487b7a5cf5c02c08c50981c751b3b7cec3fe76852f77dba74fd5ca00ef00d5cfa4b86f9e9602211fd74629096bb3d262ccf91570fbf83c4d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scheduling

Filesize
103KB

MD5
1ef9f42df5d7b3d0811db124aae53049

SHA1
9d855d464cba5738e4defb78c51216401895f101

SHA256
2e977d04093278e7a5bc086c0e5d60be23ce499d49edd69af40044b51319062c

SHA512
7cdf1a6ac36e16c451189b9a20e420a32e5970fdd63e5231438d76307c5aa59e342374cace1bc136661ffc1fac403e08327573dc32641e67ca4115efe6890c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suppliers

Filesize
15KB

MD5
83869b0a151eff5eb989fc5709f99197

SHA1
3fad32dac3c5a9c7656cd63eddfe50b51fa24bfe

SHA256
6c76cd65c66c57bf7fd68625fc0068e7029b91c3eaa8d35f5771087e74a141f2

SHA512
0fa7c116b49aa470947475bb6f8bc86d4a1f768be4def61e4b4f287d9a4f59d7bc7778fd5a57ec348726518f96041f8a9dfb02583661b648d0c731b9728b8cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wine

Filesize
96KB

MD5
b7d74aee48a92a35f80ff9f3bf4811ad

SHA1
986d12e322e98f0ccf3babe2a78fd5b68b2e6f0e

SHA256
c06f496b637b5d6abe9f5e23b4cc7fe0d6e432b85885b5a1aa30ec4167020fde

SHA512
0b3de1862ceb1b1ab5f505e4597449eb5a0719ab4f829605c70e814baa2e7c7785956c2143934fad3c2734441b12140687e08221d50fedbb96aeddb100244d09

Download Submit
memory/2484-69-0x00000000040E0000-0x0000000004137000-memory.dmp

Filesize
348KB

Download
memory/2484-68-0x00000000040E0000-0x0000000004137000-memory.dmp

Filesize
348KB

Download
memory/2484-72-0x00000000040E0000-0x0000000004137000-memory.dmp

Filesize
348KB

Download
memory/2484-71-0x00000000040E0000-0x0000000004137000-memory.dmp

Filesize
348KB

Download
memory/2484-70-0x00000000040E0000-0x0000000004137000-memory.dmp

Filesize
348KB

Download