lumma | bceb986397dc19b258f4be0fd2559d67b10875430b31296e263e05ee3b9a0247

Analysis

max time kernel
94s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.1MB
MD5

d630944d759e73848965cf7dbd9c89e3
SHA1

4f91c583c9961c9c891d2fb63d3a709b41fe97f0
SHA256

bceb986397dc19b258f4be0fd2559d67b10875430b31296e263e05ee3b9a0247
SHA512

63b9f74815d869d6ca86989e5be9d4ac4aad88773c217d33465de2b756453f03c000bd200b3691e4e3fdf4cbd3cea55cd96ad626a347ff451a71e44d650a99c5
SSDEEP

24576:jjBtLjvnr3blqsEQHKD+fFJy9jAeEaNPqUEE1FCrhiO1x53w3:vPv3bHfzyJAw7ERF3w3

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://twigbestug.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
1512	Faq.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2588	tasklist.exe
2932	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BbcArms	Setup.exe
File opened for modification	C:\Windows\EffectivelyStick	Setup.exe
File opened for modification	C:\Windows\TerryContinue	Setup.exe
File opened for modification	C:\Windows\RollRegular	Setup.exe
File opened for modification	C:\Windows\InsertionTwisted	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Faq.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1512	Faq.com
1512	Faq.com
1512	Faq.com
1512	Faq.com
1512	Faq.com
1512	Faq.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1512	Faq.com
1512	Faq.com
1512	Faq.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1512	Faq.com
1512	Faq.com
1512	Faq.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 60	2472	Setup.exe	83
PID 2472 wrote to memory of 60	2472	Setup.exe	83
PID 2472 wrote to memory of 60	2472	Setup.exe	83
PID 60 wrote to memory of 2588	60	cmd.exe	85
PID 60 wrote to memory of 2588	60	cmd.exe	85
PID 60 wrote to memory of 2588	60	cmd.exe	85
PID 60 wrote to memory of 1900	60	cmd.exe	86
PID 60 wrote to memory of 1900	60	cmd.exe	86
PID 60 wrote to memory of 1900	60	cmd.exe	86
PID 60 wrote to memory of 2932	60	cmd.exe	89
PID 60 wrote to memory of 2932	60	cmd.exe	89
PID 60 wrote to memory of 2932	60	cmd.exe	89
PID 60 wrote to memory of 3460	60	cmd.exe	90
PID 60 wrote to memory of 3460	60	cmd.exe	90
PID 60 wrote to memory of 3460	60	cmd.exe	90
PID 60 wrote to memory of 3348	60	cmd.exe	91
PID 60 wrote to memory of 3348	60	cmd.exe	91
PID 60 wrote to memory of 3348	60	cmd.exe	91
PID 60 wrote to memory of 1488	60	cmd.exe	92
PID 60 wrote to memory of 1488	60	cmd.exe	92
PID 60 wrote to memory of 1488	60	cmd.exe	92
PID 60 wrote to memory of 2252	60	cmd.exe	93
PID 60 wrote to memory of 2252	60	cmd.exe	93
PID 60 wrote to memory of 2252	60	cmd.exe	93
PID 60 wrote to memory of 4444	60	cmd.exe	94
PID 60 wrote to memory of 4444	60	cmd.exe	94
PID 60 wrote to memory of 4444	60	cmd.exe	94
PID 60 wrote to memory of 4960	60	cmd.exe	95
PID 60 wrote to memory of 4960	60	cmd.exe	95
PID 60 wrote to memory of 4960	60	cmd.exe	95
PID 60 wrote to memory of 1512	60	cmd.exe	96
PID 60 wrote to memory of 1512	60	cmd.exe	96
PID 60 wrote to memory of 1512	60	cmd.exe	96
PID 60 wrote to memory of 3920	60	cmd.exe	97
PID 60 wrote to memory of 3920	60	cmd.exe	97
PID 60 wrote to memory of 3920	60	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Aurora Aurora.cmd & Aurora.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 740515
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Barbara
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "learned" Valley
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 740515\Faq.com + Landing + Viral + Grenada + Jake + Master + Booty + Responding + Supports + Listing 740515\Faq.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ages + ..\Folder + ..\Postposted + ..\Involves + ..\Styles + ..\Safe + ..\Completion b
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\740515\Faq.com
    Faq.com b
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1512
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\740515\Faq.com

Filesize
1KB

MD5
240fec03a76839e0270b555f3e38cacd

SHA1
ea229454926296b4c1640b4e322e98fd0fa2057b

SHA256
833d2b85b0cc5b8d6d5327af78dbf7cb8122c3a67e2b26847ce4bc26b61ca6ec

SHA512
188a6a31163984674818580c546bc402bc74cc5ab7ceb9929beaa9ab4b94772b16eeef640d8f62000996ff06e532e8a35dc90f659727a2f06583bf6699e3ef70

Download Submit
C:\Users\Admin\AppData\Local\Temp\740515\Faq.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\740515\b

Filesize
499KB

MD5
d32e4be5ef68ab91ac438377c929ccbb

SHA1
2a02bf4f8a145ea351a6ed726534d64f58decb63

SHA256
71635109b4e0d8d84e24456c0a39d4d04c2ca3130e46ced4f3a247116e0992da

SHA512
c72bd008e11263597adca77b595c08402baadf4f969168d9c9b9c2cfd1cf170d9e25f47027df9c3d544b75ca5d66b0fe84ccd7f640af3a9b705ac77b6a0cb398

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ages

Filesize
60KB

MD5
668b4f85d16a36d1764aeb156cd7dba0

SHA1
da3638dd914367f163b7966187cb1c477f9141f1

SHA256
88dbcd42ebc88490c01ade9be8c1b69b505a2ff347dc1f72629fcd7c4fc1b9af

SHA512
036f9abd67b4efa84252368668c05ba937bc1c4ed0d51b01e929b4976cb1fea43fa022c31edaceedbb5effe7217b9f11539644af8861f7b92c23b81a93cdbe18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora

Filesize
23KB

MD5
198b05f46a6fd63ad6aa063c6b696dd9

SHA1
7e59d9d9ab208163e316ef6c8b614ba041dd8b79

SHA256
b78c248e2d30e5caa61b4276ac0943c5690277d5a4d25a3938ea3fc4c34ef61e

SHA512
e890d0709cbe4c8f9bbcf0a44d49fd16207e1b81780e8e52f7f1a3327fc13afff0952138562307f19e6099b653734a42e02acadd68049a1c61bb7202f583162d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Barbara

Filesize
477KB

MD5
97995c5975a7fffda942c55ca2be8668

SHA1
652f0961d0162a6d26fef5478a33118473b0acd3

SHA256
44fba0dd56223e8678a4f18e496764c91f2706f94937f6c98a495ca3f14ffa7b

SHA512
4e30256aa77ba46ffab0e944efa86bea868e0f6083904f5bee019af507805da1716f60dd9e5f1bce953c937ec7e4bb353ddb58a8d3d487199eb77c708dd1fbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Booty

Filesize
72KB

MD5
51756b538784e6843b0329c25bd8e2ad

SHA1
7eab446c1ffcbfbcc7d9fad920c035f071caaf71

SHA256
a9da18f002df4ce3421135b125fc3de1d1c36b101c9bd177871b839332fcce4f

SHA512
644a9680d578b9ddc1ab4bacfec2e33a40b5afc37f1309563aa3fcde97a745a8b20e7086075c86f03514c16def878d9999e2547e6ed264cf6d232f4d8dd50a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Completion

Filesize
14KB

MD5
cf2e628b388f0952e0d4ceb48702eeb0

SHA1
27bd8f739c3c31d2b2781a2e25dd20df07f881f9

SHA256
550249fe4ef7e3ddee2c34901e342d1391118a80d77da2468ec00a64db1a4c86

SHA512
4d5ddc8c76a21d8a5bccbfaa4d449ee8109f4097d20caf7b92678ffc43af7b44479069bb22d86b47f008b7aae7bf94c6999b105166c519b30a441861472d6728

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder

Filesize
75KB

MD5
e98687da24867f8aa1b4fdb087c2d207

SHA1
080be55f2aab34d530f788cb3009fde5b3d6ada8

SHA256
c03404888337e8c3ae8f9188c59ca72b40786d16ab13d8856d0bf23a9aeaeea5

SHA512
f38323d5874f82f9f492b640ff05b01bb0947a4c89057e3f12e6c014842dc6bb37f7d8d61ea0b393dde7d56c07ea76b7d4fb4e869d1df5da0d155626b1027aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grenada

Filesize
106KB

MD5
a1d1d86203f66fcdb1b16d0632130cbe

SHA1
ad452738dd2785966aa3835bf39c3111878b4b02

SHA256
1ec4bf66966fb245e2e94b3310ad45068e9dc812bd842493243072eb6f4e2741

SHA512
b53543adeb912fae1ded8567efaf1f58cdb5d09a23d3ab1e4148af0f8aefacc3c5b6212d8cf45c57d92a3017733091b9d19a2ec88f9dd198b39a7606553db8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Involves

Filesize
81KB

MD5
cad1517bf3622c591ad865c10a881fd3

SHA1
ae1a88ff20ec1269e8a4fb70044195fec3eb4543

SHA256
7423184d2c04d4de4d6e8e5a89d398979354a46d001f614386fea83aed785eeb

SHA512
f18b3b5a92348b20bb44e61312af7c4496e93c9a99112f4bd2cc1d8ee58c33f884ccdda6bcb7ed98b23790547c8fd6f8cc5a3eb35c23df83ac55c3479c557ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jake

Filesize
83KB

MD5
0b5a63a9bc69adfa2521ceb3dc56317a

SHA1
2ac104fd476f7c3e7478472273387887a4788dd9

SHA256
2325c49a1780daf4997f5e28bcc04839882e377a1cb54690ad90aea1eb18c314

SHA512
7908ca50d8f296e8f2ca70a154bb522de9bcd807ee4bf4061fb02c474a98a9f7cbbfa317b757d82f239cdb92b9ef18b7d665ea386da9ca62fb0b89d98871e8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Landing

Filesize
125KB

MD5
2492f7bac8ec6420cfb739731ed8d1ea

SHA1
19a60a60febfc3ba9f2c8492022d3fd7ca4d5a57

SHA256
d3b8768dbc48489f154456a38e44a1395097bd4add1d8b3b850b2a6e8029015d

SHA512
f4d39aee6ea9abd1196d7d117d1773b510432596e7de397db1b3e1db0e04cc78700f15121cf4f62c0627b72f3128b9cd9b0ecd1381f39ed800cd592b919c5b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Listing

Filesize
49KB

MD5
a96cb9b1271fa65ba59063a1b14320c6

SHA1
da46610f8a15bf8b66f5253f606df257e3f0b187

SHA256
b2ea39a599b5cccc74af5cb19a7b62561bdbc2fd15adeeeba1610172a696296a

SHA512
3e33d3e05801cab2944246bf935c9528d1bc4e4426c94d1f570946bf84a85f56e1074d7eba6a57c6006f2a2b60f9aaa5eaf8828d01a379de3c90c369f0584807

Download Submit
C:\Users\Admin\AppData\Local\Temp\Master

Filesize
114KB

MD5
79f200aac919971c492936d85350b40f

SHA1
890ca8d984f7712a371121aa251c6ffc48408634

SHA256
6d1cac8ee0bdd4d41e675bc0dba1fea85e7663eb743bac84f089da7f4c9d8823

SHA512
31e3353514cb4eb7da1c7779663876d304548f174b63316e6a6558c4791e5ecab9198752c10b126c70aca1cdbf1705791591204b6cc9f740277d800432969dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Postposted

Filesize
85KB

MD5
fc40c3b278730053254a9cd838056cb9

SHA1
9beabe0b138aa13d790cc9c2dc31810735afe674

SHA256
d5993664e88b8d6ead06134ea9b8594b3419ddde916a599e78d3711d07f71fb1

SHA512
36389245e9e97ad64c186189a56af5b6bc6f0688256ff492841c0e5ad8fbf011667d938e33f450238494c48441edf3d8c9523faf46f95d5a787368cdd8d0cf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Responding

Filesize
144KB

MD5
d4302d5ba1f5165ae0b808359a60fd06

SHA1
db84db1b34ad7c270f3fde6fc676a70ffa1584ad

SHA256
856aaee08962d5088c725ab2d80c674c8a685cf826b6d805dffd65a971037132

SHA512
3b68b434ed06be3ed67695e0eecf28070af28f1e0dcf5cdd98c58a30d8f165c741297d5efb66a937f222a39284719f8551e037e6b65289b3e0d6cab244008586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Safe

Filesize
98KB

MD5
11dbdb44b37e311a23720f482d8bc43d

SHA1
359fee2e80090b400a820ea95571f003c99bd56f

SHA256
ab9496ef4bc1e6703145ae2b288d43601aab1e50080a87d45416f293993034c6

SHA512
d84d2f47bb60542f4e300f3ce6c6f9840d2cc2d7c0db8bc90241bcc868b9efdec9accc9e99d56840eb43b336ed5598d7dfab7c76d4a001c4a46d88e1fb6fdcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Styles

Filesize
86KB

MD5
66076aea0aef9bfa535f1db293bffc97

SHA1
70c4391a36995c6e68d3dc91d8c0954d62437936

SHA256
96e7bc4a42e07d707561b4fe5621711b643d5b72d0c201e27e5391cb147ff16b

SHA512
ba1debe7d5b87e413f3ebbc169b2a732f4a20a88ad1f26c35ab25bca10c143505dcedc18c056a418e35e75da51a881a6b2fac42d1af40e7a9aa658a4633f5fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Supports

Filesize
139KB

MD5
caca9d3d3db583ab8ffc53e433b1b983

SHA1
07adb80ffea889e9d8bb96f3295f7376094e63ec

SHA256
82100c989a49951f4f101e36ed8c5e0c2cef1dcda84ccfd4e90b13d4c111c92e

SHA512
21dae90c43531152dbb2b2386601231ce252c28bbbeca6562adbae9a7cd595ad01cef40be021ef117ce79560d4d42d5f110f898a5413fb7249e6a0ee33055678

Download Submit
C:\Users\Admin\AppData\Local\Temp\Valley

Filesize
1KB

MD5
3d5b388595b71d966122304d69c75123

SHA1
491fdd36f66dbcd0d643402ae6296321e6c9b2c8

SHA256
41027fc94a55b8a42dd8a36b7215caa51ced5f83aaccd3ede9bdb86a089a9390

SHA512
0d13127ea776aa1b945403d60201723bc10fa0b30bbda93fbd29cd542d3767e2925c446ce81c24ba8f672baf830e67f3c894db1406b4721e8aa984b2468ec74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Viral

Filesize
91KB

MD5
a5f244475586d32641f9ede8f51e72dc

SHA1
354824585979f55e9553dca370056b5d6bd71080

SHA256
353f3081e717538815bf91b281e7377f732d4a4d6f5c8b45a6d479d947f08aa7

SHA512
364d3c1ad10ab74a16238ce630f9f8224f0e054deb6ed52585b9c08dd2fcc90f78ee078416791744b739e9d668135c6bb754752feb68c8dc9f6e7b5fb9443ed7

Download Submit
memory/1512-66-0x00000000042F0000-0x0000000004347000-memory.dmp

Filesize
348KB

Download
memory/1512-67-0x00000000042F0000-0x0000000004347000-memory.dmp

Filesize
348KB

Download
memory/1512-69-0x00000000042F0000-0x0000000004347000-memory.dmp

Filesize
348KB

Download
memory/1512-70-0x00000000042F0000-0x0000000004347000-memory.dmp

Filesize
348KB

Download
memory/1512-68-0x00000000042F0000-0x0000000004347000-memory.dmp

Filesize
348KB

Download