Analysis Overview
SHA256
06384a97225d303a36c0fe0bc6f49e6d03dce0bc5f437ae8ac8a4a432ff68b61
Threat Level: Known bad
The file lummm_lzmb.exe was found to be: Known bad.
Malicious Activity Summary
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
Lumma Stealer, LummaC
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:24
Reported
2025-01-15 16:26
Platform
win7-20241010-en
Max time kernel
19s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2108 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe
"C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1728
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | u1.grapplereturnunstamped.shop | udp |
| US | 104.21.78.33:443 | u1.grapplereturnunstamped.shop | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:24
Reported
2025-01-15 16:26
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
143s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2836 created 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Windows\Explorer.EXE |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2836 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe
"C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe"
C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe
"C:\Users\Admin\AppData\Local\Temp\lummm_lzmb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | u1.grapplereturnunstamped.shop | udp |
| US | 104.21.78.33:443 | u1.grapplereturnunstamped.shop | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.78.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | burnressert.shop | udp |
| US | 104.21.67.165:443 | burnressert.shop | tcp |
| US | 8.8.8.8:53 | bloodyswif.lat | udp |
| US | 8.8.8.8:53 | washyceehsu.lat | udp |
| US | 8.8.8.8:53 | leggelatez.lat | udp |
| US | 8.8.8.8:53 | miniatureyu.lat | udp |
| US | 8.8.8.8:53 | 165.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kickykiduz.lat | udp |
| US | 8.8.8.8:53 | savorraiykj.lat | udp |
| US | 8.8.8.8:53 | shoefeatthe.lat | udp |
| US | 8.8.8.8:53 | finickypwk.lat | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files