lumma | 2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e

General

Target

2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe
Size

293KB
MD5

67b572b8fed9bb8e91b26c6bd9fec2a3
SHA1

91dd3124155f24c31ba86c6ccd3a13b4d6f6ddab
SHA256

2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e
SHA512

6f7edc4c8438b5730cc2b118160266423cba857d9ca8ed0bb16bee40fc84f2e8a1f98b028e50ffaa4f8a3bf67c33da9abcd932bdc2d001b665ef030880f61357
SSDEEP

6144:6bs68FnNynbfZoOzbEWGSHVXWC8lCk1SHM70v9:6bs6anNi3bEWGSHdWCvFM70v9

Score

10^/10

lumma xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

lumma

C2

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:18194

soon-logical.gl.at.ply.gg:18194

Mutex

APoxCrOmNOvTLB4L

Attributes

Install_directory
%Userprofile%
install_file
chrome.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2540-9-0x0000000000D40000-0x0000000000D50000-memory.dmp	family_xworm
behavioral1/files/0x0007000000012117-6.dat	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe
2912	powershell.exe
1792	powershell.exe
672	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	start.exe

Executes dropped EXE 2 IoCs

pid	Process
2540	start.exe
2700	XwormLoader.exe

Loads dropped DLL 3 IoCs

pid	Process
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\chrome.exe"	start.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2600	2700	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1972	powershell.exe
2912	powershell.exe
1792	powershell.exe
672	powershell.exe
2540	start.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	start.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2540	start.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2540	start.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2540	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	29
PID 2812 wrote to memory of 2540	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	29
PID 2812 wrote to memory of 2540	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	29
PID 2812 wrote to memory of 2700	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	30
PID 2812 wrote to memory of 2700	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	30
PID 2812 wrote to memory of 2700	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	30
PID 2812 wrote to memory of 2700	2812	2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe	30
PID 2700 wrote to memory of 2600	2700	XwormLoader.exe	32
PID 2700 wrote to memory of 2600	2700	XwormLoader.exe	32
PID 2700 wrote to memory of 2600	2700	XwormLoader.exe	32
PID 2700 wrote to memory of 2600	2700	XwormLoader.exe	32
PID 2540 wrote to memory of 1972	2540	start.exe	33
PID 2540 wrote to memory of 1972	2540	start.exe	33
PID 2540 wrote to memory of 1972	2540	start.exe	33
PID 2540 wrote to memory of 2912	2540	start.exe	35
PID 2540 wrote to memory of 2912	2540	start.exe	35
PID 2540 wrote to memory of 2912	2540	start.exe	35
PID 2540 wrote to memory of 1792	2540	start.exe	37
PID 2540 wrote to memory of 1792	2540	start.exe	37
PID 2540 wrote to memory of 1792	2540	start.exe	37
PID 2540 wrote to memory of 672	2540	start.exe	39
PID 2540 wrote to memory of 672	2540	start.exe	39
PID 2540 wrote to memory of 672	2540	start.exe	39

C:\Users\Admin\AppData\Local\Temp\2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe
"C:\Users\Admin\AppData\Local\Temp\2a304826f36a9edb28ae07a7da5479f58c0599ef95113467c3cbd5727407aa1e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\start.exe
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'start.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\XwormLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 128
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
39KB

MD5
51e4348a35c9b40b0136fa204442f9c2

SHA1
aea47a3a717ca9cce49966093def7d8f5a53709a

SHA256
a8047efe920772b13508683a7d80de379b0cf2dc40b39a9cd37f949de6a90479

SHA512
f15353f1b29ead57efe865935ef0cbd9efa2f0e81e47a92993279a59ea4174fde1e9bb2546c35deda6cfa641cfa0ecd58f8a2f6006f0589ce95553d7debfa3bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebcbf61faf237427419aa64734359482

SHA1
13af82f646a5f0ceadd5ab0f9cfaf00b0ab4eadb

SHA256
31e29b087ddd6577f4e41b38d753ac6a5986a2b6b7dfcc2ff26706bc4855be93

SHA512
00d802e290fe19ea26f9f5e6b47bd4f37c71ee8aec9333566732a4f0ae8d79a4cc3055291c6aba0cfd904e919de6dcc15117513fd9cc76461d7d27bc9dbd865a

Download Submit
\Users\Admin\AppData\Local\Temp\XwormLoader.exe

Filesize
490KB

MD5
9c9245810bad661af3d6efec543d34fd

SHA1
93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d

SHA256
f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478

SHA512
90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

Download Submit
memory/672-52-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/672-51-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1972-31-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1972-30-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2540-22-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2540-59-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-9-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/2540-57-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-21-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2700-44-0x00000000000E0000-0x000000000012B000-memory.dmp

Filesize
300KB

Download
memory/2700-15-0x00000000000E0000-0x000000000012B000-memory.dmp

Filesize
300KB

Download
memory/2812-20-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-1-0x00000000000D0000-0x0000000000120000-memory.dmp

Filesize
320KB

Download
memory/2812-58-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/2912-38-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2912-37-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads