lumma | ae0db4dee13f262b02514a5e72923c896023417e4d7a61accf102b3b2cec98ea

General

Target

Set-up-edit.exe
Size

2.9MB
MD5

811ccb4cedcdab35c288bec22e32798c
SHA1

4790da91cd98b653f5f7a63d6210941721b1018f
SHA256

ae0db4dee13f262b02514a5e72923c896023417e4d7a61accf102b3b2cec98ea
SHA512

3ff65251a3f6ac1e0f244c65e75605f8f1972f7e331d13e52ad30df6bc3a369f1f638bdeb2ca31f52021eff1271cf868c44472ba7dbb481033438b2b4fcc6dc4
SSDEEP

49152:Ugb/hT+/+pb1kgY3kWxWtWkbHVRv08IV38/3KseT2RNeWOuRQ3Dz7ikNl9Gvi:VDo/4pW3kOWVb1Rv08IVkKvkeIQHmk/1

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://joinresperct.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Set-up-edit.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Set-up-edit.tmp

Executes dropped EXE 3 IoCs

pid	Process
2408	Set-up-edit.tmp
4856	Set-up-edit.tmp
2156	VideoSnapsh.exe

Loads dropped DLL 4 IoCs

pid	Process
2408	Set-up-edit.tmp
2408	Set-up-edit.tmp
4856	Set-up-edit.tmp
4856	Set-up-edit.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up-edit.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VideoSnapsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4856	Set-up-edit.tmp
4856	Set-up-edit.tmp
2156	VideoSnapsh.exe
2156	VideoSnapsh.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4856	Set-up-edit.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2408	4768	Set-up-edit.exe	83
PID 4768 wrote to memory of 2408	4768	Set-up-edit.exe	83
PID 4768 wrote to memory of 2408	4768	Set-up-edit.exe	83
PID 2408 wrote to memory of 3892	2408	Set-up-edit.tmp	84
PID 2408 wrote to memory of 3892	2408	Set-up-edit.tmp	84
PID 2408 wrote to memory of 3892	2408	Set-up-edit.tmp	84
PID 3892 wrote to memory of 4856	3892	Set-up-edit.exe	85
PID 3892 wrote to memory of 4856	3892	Set-up-edit.exe	85
PID 3892 wrote to memory of 4856	3892	Set-up-edit.exe	85
PID 4856 wrote to memory of 2156	4856	Set-up-edit.tmp	92
PID 4856 wrote to memory of 2156	4856	Set-up-edit.tmp	92
PID 4856 wrote to memory of 2156	4856	Set-up-edit.tmp	92

C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\is-3U85P.tmp\Set-up-edit.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3U85P.tmp\Set-up-edit.tmp" /SL5="$50262,2538135,133120,C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe
    "C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\is-0I04A.tmp\Set-up-edit.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0I04A.tmp\Set-up-edit.tmp" /SL5="$501CC,2538135,133120,C:\Users\Admin\AppData\Local\Temp\Set-up-edit.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\is-N78IR.tmp\VideoSnapsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N78IR.tmp\VideoSnapsh.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3U85P.tmp\Set-up-edit.tmp

Filesize
1.1MB

MD5
7214dad1b9dd1ced2667de92c7c8e078

SHA1
9295ba2b3cac9657b32822bfba3a630748dbf008

SHA256
ba0d49ab7a1bca57e56839e20f6d223ab292b9cfa47dd18888d50c31ae6f1b11

SHA512
685caf77eb47662ae8c6cca1b760444b361fedc79eddb6bdeb37e88ffb4a8a0cd053e4f848a8f68a044d585fdd5139f659534ae9589d82622c4a7000321fd00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HS224.tmp\_isetup\_isdecmp.dll

Filesize
29KB

MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
memory/2156-49-0x0000000002500000-0x0000000002554000-memory.dmp

Filesize
336KB

Download
memory/2408-19-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2408-6-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3892-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3892-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3892-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3892-17-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4768-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4768-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4768-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4856-31-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4856-37-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4856-51-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4856-56-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing