lumma | ae0db4dee13f262b02514a5e72923c896023417e4d7a61accf102b3b2cec98ea

General

Target

Set-up-edit.exe
Size

2.9MB
MD5

811ccb4cedcdab35c288bec22e32798c
SHA1

4790da91cd98b653f5f7a63d6210941721b1018f
SHA256

ae0db4dee13f262b02514a5e72923c896023417e4d7a61accf102b3b2cec98ea
SHA512

3ff65251a3f6ac1e0f244c65e75605f8f1972f7e331d13e52ad30df6bc3a369f1f638bdeb2ca31f52021eff1271cf868c44472ba7dbb481033438b2b4fcc6dc4
SSDEEP

49152:Ugb/hT+/+pb1kgY3kWxWtWkbHVRv08IV38/3KseT2RNeWOuRQ3Dz7ikNl9Gvi:VDo/4pW3kOWVb1Rv08IVkKvkeIQHmk/1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://joinresperct.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
1904	Set-up-edit.tmp
2764	Set-up-edit.tmp
2828	VideoSnapsh.exe

Loads dropped DLL 5 IoCs

pid	Process
2976	Set-up-edit.exe
1904	Set-up-edit.tmp
1452	Set-up-edit.exe
2764	Set-up-edit.tmp
2764	Set-up-edit.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VideoSnapsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2764	Set-up-edit.tmp
2764	Set-up-edit.tmp
2828	VideoSnapsh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	Set-up-edit.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 2976 wrote to memory of 1904	2976	Set-up-edit.exe	31
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1904 wrote to memory of 1452	1904	Set-up-edit.tmp	32
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 1452 wrote to memory of 2764	1452	Set-up-edit.exe	33
PID 2764 wrote to memory of 2828	2764	Set-up-edit.tmp	34
PID 2764 wrote to memory of 2828	2764	Set-up-edit.tmp	34
PID 2764 wrote to memory of 2828	2764	Set-up-edit.tmp	34
PID 2764 wrote to memory of 2828	2764	Set-up-edit.tmp	34

C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\is-SNIH0.tmp\Set-up-edit.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SNIH0.tmp\Set-up-edit.tmp" /SL5="$400DC,2538135,133120,C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\is-OH87S.tmp\Set-up-edit.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OH87S.tmp\Set-up-edit.tmp" /SL5="$500DC,2538135,133120,C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\is-RSU2Q.tmp\VideoSnapsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RSU2Q.tmp\VideoSnapsh.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab46B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar46D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1Q73O.tmp\_isetup\_isdecmp.dll

Filesize
29KB

MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
\Users\Admin\AppData\Local\Temp\is-SNIH0.tmp\Set-up-edit.tmp

Filesize
1.1MB

MD5
7214dad1b9dd1ced2667de92c7c8e078

SHA1
9295ba2b3cac9657b32822bfba3a630748dbf008

SHA256
ba0d49ab7a1bca57e56839e20f6d223ab292b9cfa47dd18888d50c31ae6f1b11

SHA512
685caf77eb47662ae8c6cca1b760444b361fedc79eddb6bdeb37e88ffb4a8a0cd053e4f848a8f68a044d585fdd5139f659534ae9589d82622c4a7000321fd00b

Download Submit
memory/1452-84-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1452-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1452-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-8-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1904-18-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2764-38-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2764-82-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2828-40-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/2976-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2976-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2976-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing