lumma | d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QGFQTHIU.exe
Size

5.4MB
MD5

6e3dc1be717861da3cd7c57e8a1e3911
SHA1

767e39aa9f02592d4234f38a21ea9a0e5aa66c62
SHA256

d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
SHA512

da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1
SSDEEP

98304:UK/ZoaSs+bgcPlK+rSN2xeELJ4g1x3+FbdYapMDrEPxiJVwJyHLcnP6WfwCA+D://uVs+bH9K+OGeIBSHqDIPI7WOLyyWfF

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
3012	QGFQTHIU.exe
4176	msn.exe
1692	msn.exe

Loads dropped DLL 7 IoCs

pid	Process
3012	QGFQTHIU.exe
4176	msn.exe
4176	msn.exe
4176	msn.exe
1692	msn.exe
1692	msn.exe
1692	msn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 3744	1692	msn.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msn.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4176	msn.exe
1692	msn.exe
1692	msn.exe
3744	cmd.exe
3744	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1692	msn.exe
3744	cmd.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3012	2828	QGFQTHIU.exe	82
PID 2828 wrote to memory of 3012	2828	QGFQTHIU.exe	82
PID 3012 wrote to memory of 4176	3012	QGFQTHIU.exe	83
PID 3012 wrote to memory of 4176	3012	QGFQTHIU.exe	83
PID 3012 wrote to memory of 4176	3012	QGFQTHIU.exe	83
PID 4176 wrote to memory of 1692	4176	msn.exe	84
PID 4176 wrote to memory of 1692	4176	msn.exe	84
PID 4176 wrote to memory of 1692	4176	msn.exe	84
PID 1692 wrote to memory of 3744	1692	msn.exe	85
PID 1692 wrote to memory of 3744	1692	msn.exe	85
PID 1692 wrote to memory of 3744	1692	msn.exe	85
PID 1692 wrote to memory of 3744	1692	msn.exe	85
PID 3744 wrote to memory of 2152	3744	cmd.exe	96
PID 3744 wrote to memory of 2152	3744	cmd.exe	96
PID 3744 wrote to memory of 2152	3744	cmd.exe	96
PID 3744 wrote to memory of 2152	3744	cmd.exe	96
PID 3744 wrote to memory of 2152	3744	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe
"C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\TEMP\{25F17FA3-DCB6-4CD9-A7AF-CE561D6C61CA}\.cr\QGFQTHIU.exe
  "C:\Windows\TEMP\{25F17FA3-DCB6-4CD9-A7AF-CE561D6C61CA}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe" -burn.filehandle.attached=596 -burn.filehandle.self=592
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msn.exe
    C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
      C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3744
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f9821bef

Filesize
1.0MB

MD5
7a8922c31034bfbeac642ab3393de792

SHA1
02dba095b128a6b5f384bfb4437fde5ca59a0497

SHA256
ec32f690e98a09682e85c7554479ddae9ffde1d8e893952bcc0e22a2988f4cd0

SHA512
fcc32fb9001a74a6881b76c832a2fc8e5d6b00fbd23e94904eab9db02635aed0c9120ae790ae608bd315af0f6dc0feea6cb4c4563abaca942e200cc275653a64

Download Submit
C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\bray.xls

Filesize
799KB

MD5
ab2b9ef9cc48c63955a738881a8ca4cc

SHA1
28e5484e1d3cf98d56f764eed95a437c11621a86

SHA256
13177433700e91c2efaf3ec155efe30c1d53f9b5a1fd65e7931c789bf65ffb91

SHA512
7678e02a465c90feaff16d4eeca8e823b5e5289ba86746323bb0323dc9381260a1501da3288c2d358fac5caef950d361256ebbf15aa22fce3b490c3f863c316e

Download Submit
C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\cerebrotonia.aspx

Filesize
54KB

MD5
9982438cc8eb86ab120ef0a8241f8efc

SHA1
132ed9d13d612bc11ea45bcc8b25e5536e488d08

SHA256
c777b4d375643b20887e8b3dced8eb53d8dae98b94cfca4107da9f446b297e82

SHA512
3e2e816f61b6cbf19556ed4d5690a04ce74b994f9fe684bf29d2ee8078f0254b7a1b905b1f01d4c59977d32b63ce9062eea7c71048851eed164e1b5d70e6abe7

Download Submit
C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msidcrl40.dll

Filesize
791KB

MD5
ef66829b99bbfc465b05dc7411b0dcfa

SHA1
c6f6275f92053b4b9fa8f2738ed3e84f45261503

SHA256
257e6489f5b733f2822f0689295a9f47873be3cec5f4a135cd847a2f2c82a575

SHA512
6839b7372e37e67c270a4225f91df21f856158a292849da2101c2978ce37cd08b75923ab30ca39d7360ce896fc6a2a2d646dd88eb2993cef612c43a475fdb2ea

Download Submit
C:\Windows\TEMP\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msvcr80.dll

Filesize
612KB

MD5
43143abb001d4211fab627c136124a44

SHA1
edb99760ae04bfe68aaacf34eb0287a3c10ec885

SHA256
cb8928ff2faf2921b1eddc267dce1bb64e6fee4d15b68cd32588e0f3be116b03

SHA512
ced96ca5d1e2573dbf21875cf98a8fcb86b5bcdca4c041680a9cb87374378e04835f02ab569d5243608c68feb2e9b30ffe39feb598f5081261a57d1ce97556a6

Download Submit
C:\Windows\Temp\{25F17FA3-DCB6-4CD9-A7AF-CE561D6C61CA}\.cr\QGFQTHIU.exe

Filesize
4.8MB

MD5
74302d09606255cb10a7df3a744e6908

SHA1
c64b9de79b68cdd0531219c8be07110caee014bc

SHA256
b040fd107e566c5e4bbd3d84fc51ae33d393fd3a03b33d07772733e36a2eb25d

SHA512
451c91b9b8454755c5a816f88c99b42e228ec21d4ab36938daa72e49b1490e93df6d28c53f6e3f1d97b21cb747714966c144928e141c481e10550b3c7eaea961

Download Submit
C:\Windows\Temp\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\Celesta.dll

Filesize
1.4MB

MD5
dad4d39ac979cf5c545116b4f459e362

SHA1
54632d73df4ddf43ab38ed66c00989ee55569f7d

SHA256
c63054e681f9acbec7e12a8ba691bc3657e3279825734517929ccd9f1e43db4d

SHA512
cb81c2a457d7a65a52a0cc03161308aeaa1e39b4cdaeb16e70dfefbe79212d015674e6662bf9d0edbb95a7d4de8b33d0dfdb9da3d214e537cf557f042362811d

Download Submit
C:\Windows\Temp\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\contactsUX.dll

Filesize
331KB

MD5
54ee6a204238313dc6aca21c7e036c17

SHA1
531fd1c18e2e4984c72334eb56af78a1048da6c7

SHA256
0abf68b8409046a1555d48ac506fd26fda4b29d8d61e07bc412a4e21de2782fd

SHA512
19a2e371712aab54b75059d39a9aea6e7de2eb69b3ffc0332e60df617ebb9de61571b2ca722cddb75c9cbc79f8200d03f73539f21f69366eae3c7641731c7820

Download Submit
C:\Windows\Temp\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msn.exe

Filesize
5.5MB

MD5
537915708fe4e81e18e99d5104b353ed

SHA1
128ddb7096e5b748c72dc13f55b593d8d20aa3fb

SHA256
6dc7275f2143d1de0ca66c487b0f2ebff3d4c6a79684f03b9619bf23143ecf74

SHA512
9ceaaf7aa5889be9f5606646403133782d004b9d78ef83d7007dfce67c0f4f688d7931aebc74f1fc30aac2f1dd6281bdadfb52bc3ea46aca33b334adb4067ae2

Download Submit
C:\Windows\Temp\{EBA7FA60-3ABA-4887-A5BD-1F71FE38CC80}\.ba\msncore.dll

Filesize
982KB

MD5
ac97328f67d0877e526fb6ac131bf4be

SHA1
9f61ffe3f3ca2463929bfea3292ffe9ca003af18

SHA256
f73e3f3d3fea1a556b8a91680c13b3969136c2abdf9121604b9389bdd1fc58e9

SHA512
d0ac3def81d5def886a2655d61ec6a5481157c4f0d9440df2c175725960f0e06021cd5e43705db0b864760af983d7c6e8d578f086612d0da8c28e4bcc9cfa705

Download Submit
memory/1692-49-0x00000000742F0000-0x000000007446B000-memory.dmp

Filesize
1.5MB

Download
memory/1692-50-0x00007FFF894F0000-0x00007FFF896E5000-memory.dmp

Filesize
2.0MB

Download
memory/1692-51-0x00000000742F0000-0x000000007446B000-memory.dmp

Filesize
1.5MB

Download
memory/2152-61-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/2152-62-0x00007FFF894F0000-0x00007FFF896E5000-memory.dmp

Filesize
2.0MB

Download
memory/2152-63-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download
memory/3744-54-0x00007FFF894F0000-0x00007FFF896E5000-memory.dmp

Filesize
2.0MB

Download
memory/3744-56-0x00000000742F0000-0x000000007446B000-memory.dmp

Filesize
1.5MB

Download
memory/4176-29-0x00007FFF894F0000-0x00007FFF896E5000-memory.dmp

Filesize
2.0MB

Download
memory/4176-28-0x00000000742F0000-0x000000007446B000-memory.dmp

Filesize
1.5MB

Download