lumma | 30338f9c85111cfde8e68398db0427f89a549427e0598384744f4a27d9d836d1

Analysis

max time kernel
50s
max time network
54s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SoftwareApp.exe
Size

1.1MB
MD5

79027a797eeeed90f0f914f229750eae
SHA1

8e0576501a2a5b873754c6a7f0739bd79510164c
SHA256

30338f9c85111cfde8e68398db0427f89a549427e0598384744f4a27d9d836d1
SHA512

20d77e4c1dac67e5aeab3ec7c61bb5a5aecc10dd6f799ea99f9b8ac5ceb63b6a52d7f6d1089eb7c4c865cd081dc2ce4a2f886d56a159d1b8a41db9461b2c87e3
SSDEEP

24576:ZXOMDyej0BM8I7oRCL7piz5nWXjeZW7nw5X319kSY07C7L:VPWe01RRGwn4jeZW7w13kSYZ

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://curved-goose.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
548	Amendments.com

Loads dropped DLL 1 IoCs

pid	Process
2652	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe
2168	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MessageDelayed	SoftwareApp.exe
File opened for modification	C:\Windows\BeveragesJungle	SoftwareApp.exe
File opened for modification	C:\Windows\ZoloftSterling	SoftwareApp.exe
File opened for modification	C:\Windows\MsgstrConfirm	SoftwareApp.exe
File opened for modification	C:\Windows\FinReported	SoftwareApp.exe
File opened for modification	C:\Windows\CrackCongo	SoftwareApp.exe
File opened for modification	C:\Windows\LosChurches	SoftwareApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftwareApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amendments.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
548	Amendments.com
548	Amendments.com
548	Amendments.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
548	Amendments.com
548	Amendments.com
548	Amendments.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
548	Amendments.com
548	Amendments.com
548	Amendments.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2652	816	SoftwareApp.exe	30
PID 816 wrote to memory of 2652	816	SoftwareApp.exe	30
PID 816 wrote to memory of 2652	816	SoftwareApp.exe	30
PID 816 wrote to memory of 2652	816	SoftwareApp.exe	30
PID 2652 wrote to memory of 2812	2652	cmd.exe	32
PID 2652 wrote to memory of 2812	2652	cmd.exe	32
PID 2652 wrote to memory of 2812	2652	cmd.exe	32
PID 2652 wrote to memory of 2812	2652	cmd.exe	32
PID 2652 wrote to memory of 2948	2652	cmd.exe	33
PID 2652 wrote to memory of 2948	2652	cmd.exe	33
PID 2652 wrote to memory of 2948	2652	cmd.exe	33
PID 2652 wrote to memory of 2948	2652	cmd.exe	33
PID 2652 wrote to memory of 2168	2652	cmd.exe	35
PID 2652 wrote to memory of 2168	2652	cmd.exe	35
PID 2652 wrote to memory of 2168	2652	cmd.exe	35
PID 2652 wrote to memory of 2168	2652	cmd.exe	35
PID 2652 wrote to memory of 2576	2652	cmd.exe	36
PID 2652 wrote to memory of 2576	2652	cmd.exe	36
PID 2652 wrote to memory of 2576	2652	cmd.exe	36
PID 2652 wrote to memory of 2576	2652	cmd.exe	36
PID 2652 wrote to memory of 1212	2652	cmd.exe	37
PID 2652 wrote to memory of 1212	2652	cmd.exe	37
PID 2652 wrote to memory of 1212	2652	cmd.exe	37
PID 2652 wrote to memory of 1212	2652	cmd.exe	37
PID 2652 wrote to memory of 812	2652	cmd.exe	38
PID 2652 wrote to memory of 812	2652	cmd.exe	38
PID 2652 wrote to memory of 812	2652	cmd.exe	38
PID 2652 wrote to memory of 812	2652	cmd.exe	38
PID 2652 wrote to memory of 548	2652	cmd.exe	39
PID 2652 wrote to memory of 548	2652	cmd.exe	39
PID 2652 wrote to memory of 548	2652	cmd.exe	39
PID 2652 wrote to memory of 548	2652	cmd.exe	39
PID 2652 wrote to memory of 2752	2652	cmd.exe	40
PID 2652 wrote to memory of 2752	2652	cmd.exe	40
PID 2652 wrote to memory of 2752	2652	cmd.exe	40
PID 2652 wrote to memory of 2752	2652	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Pf Pf.cmd && Pf.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 620516
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Bird + ..\Updated + ..\Inner + ..\Ba + ..\Sc + ..\Spring + ..\Publication I
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\620516\Amendments.com
    Amendments.com I
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:548
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\620516\I

Filesize
466KB

MD5
ba169007ce0879be978ac73959fead79

SHA1
70360c5b73b51c2df523b4e8355ca30c25889c52

SHA256
3f6c265712e7aa53ea6fd14289093e4767f875df8a73c10bf34b1ff260114ad9

SHA512
11da7ef892a050a4f8b7172c841a89eef23a23e9e39e5d5afa309a066819449fb6d9d3caabb3eb265a5535e4df020c61e1989b7d14e1e30ae5f1f3a94bc7b14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ba

Filesize
59KB

MD5
31ceab7961bf0b6c333fa8ebb28af3eb

SHA1
8e655c50d8b08979d1c3618b874e58047a7e2ed6

SHA256
df222d67dfff592caa344786d56f8bf2b5ba884b7564c942e37ca66965aa8354

SHA512
c6e7d1b1c3e5ad2cadb72eee195562286c41fb409c0f617a2cf4cbca9153a581282221686ed4019898c5c1a572c94cba29bf0bf009d0025a0b9ea70ccf09ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bird

Filesize
73KB

MD5
c66e93c50b9fd3ff5702f63c1fe96c56

SHA1
6a2a5dbfb14fc56ee7abba45f4e968dd23de8056

SHA256
862007889c62ae90528de1b1b43b94500c6987250ff1649c145f637454ce1e81

SHA512
cbc39b2c74fe4ccfb3e8a800d9217ee579af1e984316a7049b17b1b7e5477420af0381272f8cab765ddfb91c6deac836872e1547780fd9e3ef4611f91a711086

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab732F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inner

Filesize
80KB

MD5
2f8a50211b9db10b743d2006c3203b2c

SHA1
2e7442dd65844297132a554b92777594fdccb455

SHA256
fb57488d1940c03cc4b986653ae5841f50215268b0439d8858a34d26fbdd770b

SHA512
542f03a24bb48ef99a4ca9ffea4ad63a298bbba84e66f8c44866c19a2a8ae96e197e3f233d200fb2d9436450a6f99d7ff8adbb7e72b0c466d926e58c5bdb46b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pf

Filesize
21KB

MD5
bf982ea83590e1e15117dbeb2aaab1b9

SHA1
2baa1e186ae742a87b43cb29c61dfd94ab42f792

SHA256
cf26eeeaa5df066c301c4f34509d187cbad2eeb594aa475c5aca3533bb1eb49a

SHA512
1cbacfeb492fac8c1050d0dda23b120069f2da359afd9d16f55fdc83e3291db9eff37000b69dd1effce840982e461154993f14433a2248f69a9c2ca74c3e3b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointing

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Publication

Filesize
14KB

MD5
f0a4aac3387813744b7265be1558b3c3

SHA1
a70462ab7fc1358cb1fd5cb59813e04a471e693d

SHA256
96800881a41c22f503e0ce7da8dfe2e7f03be16b48fc4ce64a77dbebc702aef6

SHA512
cf564fe1b46376c1057b907359639d67ed3744f702bf04ec950ed05741f7937bb085440a0e90f559a61afe09ffe2d56f001becf44f4c34e3a6a7176fbc8c3fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sc

Filesize
67KB

MD5
431416797d6b8071301b91118bdac1e8

SHA1
b048b520371e4268be95ca60e0012c97909aabe6

SHA256
627de6ea879484ae23b92da2746d397b1fde20e9192fe3d81f725e2f38bfa30c

SHA512
fb01a189fb8cf0483977e34e98dd768b69819b37c7d4ff3c810a68269ba21c1ece20e254b97f0862e7b78a2342144a712362ed859e45243a8f2a33745473eacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spring

Filesize
81KB

MD5
98d4ffdc03883da2ba9d41ad4e210747

SHA1
af2574f7cd2fc830e032819cab163d3afe0e166d

SHA256
5a7e7f49dfcedf551a76074b5a17c4a42c195434144391bf1fd5c222443674c1

SHA512
bbe8c0808c9da1025587f899061c06bfab858448e48c8328b1dc551fae92dccfa8a56fcd7800ef34358c2eb538d247bf0cbf73edeb2343560e9a906f7ce4ca19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7361.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updated

Filesize
92KB

MD5
ed7f4ff5aa27bc1f1f2c40775d06c8c2

SHA1
00e4e8da18c99e09d785c7a5df448f9b5c86b1b4

SHA256
eb988e5bf0b2577a74f7fa0ce801f3dfbde3bc7314e73b9972016d4e07789c95

SHA512
d611e0b4b62181852cb0d81a7043a14abfd158ecac616ca726c3819b7f33a394cf6064722b0adde96b7540509abcdfdeafb45a5f5b850ceef73810560acd00ca

Download Submit
memory/548-500-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download
memory/548-499-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download
memory/548-504-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download
memory/548-503-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download
memory/548-502-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download
memory/548-501-0x0000000003520000-0x000000000357B000-memory.dmp

Filesize
364KB

Download