lumma | b80c6f12f659fb0dec5beb772438a3ddbce44b0da46eeb71f036bf7b74ee842f

General

Target

Ver.2.2.1_win64_86-en_us_Apinst_2024.7z
Size

314.3MB
MD5

6cef3c8d27e9a14bf2c2a56e4af4e89f
SHA1

35133023c9cce56d5f442fa2475866259cdb6e56
SHA256

b80c6f12f659fb0dec5beb772438a3ddbce44b0da46eeb71f036bf7b74ee842f
SHA512

3ae46090c3091c663f3b12262b63a3eac09213a97120b8c86548de8478d63edde7d02b69bbce02c45f61ef05faa51e4039365ae0daf888ec150df0abb8b96155
SSDEEP

393216:UG7bbpfjO2/2aAYrYJXTFC6IUOGZoPApVtnxW3PK1:Fnp7pfHrYJ8SLZoPApo3S

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://geesecreat.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 10 IoCs

pid	Process
1268	Setup.exe
2112	Setup.exe
3232	Setup.exe
208	Setup.exe
908	Setup.exe
3860	Setup.exe
1952	Setup.exe
2412	Setup.exe
4656	Setup.exe
5104	Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1268	Setup.exe
1268	Setup.exe
2112	Setup.exe
2112	Setup.exe
3232	Setup.exe
3232	Setup.exe
208	Setup.exe
208	Setup.exe
908	Setup.exe
908	Setup.exe
3860	Setup.exe
3860	Setup.exe
1952	Setup.exe
1952	Setup.exe
2412	Setup.exe
2412	Setup.exe
4656	Setup.exe
4656	Setup.exe
5104	Setup.exe
5104	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1460	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1460	7zFM.exe
Token: 35	1460	7zFM.exe
Token: SeSecurityPrivilege	1460	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1460	7zFM.exe
1460	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ver.2.2.1_win64_86-en_us_Apinst_2024.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3232

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe
"C:\Users\Admin\Desktop\Ver.2.2.1_win64_86-en_us_Apinst_2024\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE4B5C4888\Ver.2.2.1_win64_86-en_us_Apinst_2024\x86\D3Dcompiler_47.dll

Filesize
3.3MB

MD5
e6945cceefc0a122833576a5fc5f88f4

SHA1
2a2f4ed006ba691f28fda1e6b8c66a94b53efe9d

SHA256
fb8d0049f5dd5858c3b1da4836fb4b77d97b72d67ad951edb48f1a3e087ec2b1

SHA512
32d32675f9c5778c01044251abed80f46726a8b5015a3d7b22bbe503954551a59848dacfe730f00e1cd2c183e7ccccb2049cde3bc32c6538ff9eb2763392b8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B5C4888\Ver.2.2.1_win64_86-en_us_Apinst_2024\x86\libEGL.dll

Filesize
18KB

MD5
379358b4cd4b60137c0807f327531987

SHA1
b0a5f6e3dcd0dbc94726f16ed55d2461d1737b59

SHA256
0ff1d03926f5d9c01d02fae5c5e1f018a87d7f90a1826de47277530bfc7776f8

SHA512
097c08135d654596a19ada814ad360a8c2374d989cbd7094c6acb092e9854abf1f1d878d3da72b66c4c75806586bee7fe04d555a1d82db170725bdbeadea7d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B5C4888\Ver.2.2.1_win64_86-en_us_Apinst_2024\x86\libeay32.dll

Filesize
1.1MB

MD5
67130d64a3c2b4b792c4f5f955b37287

SHA1
6f6cae2a74f7e7b0f18b93367821f7b802b3e6cf

SHA256
7581f48b16bd9c959491730e19687656f045afbab59222c0baba52b25d1055be

SHA512
d88c26ec059ad324082c4f654786a3a45ecf9561a522c8ec80905548ad1693075f0ffc93079f0ef94614c95a3ac6bbf59c8516018c71b2e59ec1320ba2b99645

Download Submit
memory/208-71-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/908-77-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1268-46-0x0000000001FC0000-0x0000000002016000-memory.dmp

Filesize
344KB

Download
memory/1268-49-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1268-47-0x0000000001FC0000-0x0000000002016000-memory.dmp

Filesize
344KB

Download
memory/1952-89-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2112-58-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2412-95-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3232-62-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3860-83-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4656-101-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/5104-107-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing