lumma | ffc9ec8e21fc71ca14866897da1ad0402de51d94d17555274d486b79b3e1f8f1

Resubmissions

20-01-2025 08:17

250120-j6swyaznfv 10

20-01-2025 08:15

250120-j5ww7szndt 10

Analysis

max time kernel
45s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

joas.ps1
Size

563B
MD5

eec107adc7556820c3e5dd605ae5c0e2
SHA1

17678792ec06e9d8e46a2159661206ef4b353bdb
SHA256

ffc9ec8e21fc71ca14866897da1ad0402de51d94d17555274d486b79b3e1f8f1
SHA512

532e1a6e3226ecaad18e0cb498473f2f458e6fefc6362eaa12517bc00f970c05260ee4072b87eda01eab5fb9517d0a1759615262fc408d707d7d435b115f9be5

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://mushyomittel.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	3304	powershell.exe
12	3304	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	kutikolo.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	kutikolo.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3304	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kutikolo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3304	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1704	3304	powershell.exe	85
PID 3304 wrote to memory of 1704	3304	powershell.exe	85
PID 3304 wrote to memory of 1704	3304	powershell.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\joas.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\ProgramData\beguse\kutikolo.exe
  "C:\ProgramData\beguse\kutikolo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\beguse\kutikolo.exe

Filesize
21KB

MD5
1d5a066d6bcec7eec0c3e0b373f77a4b

SHA1
a28cf6f5effe3e922de41de3c7ba8ec0cb3e9cbc

SHA256
1ffb4f7a3351106fa161a141965a3b1cf31c2467038b2e91fd5ab6a9fb5cbec3

SHA512
89d14849bd81a6d5f1e7addb3cf8972faa097f115f9d713f7eb6bc87d70fa2a9072db4dca83347a559ee917802751bba0befa50aef7e6b984428b5f2e40abdce

Download Submit
C:\ProgramData\beguse\wincr.dll

Filesize
687KB

MD5
a446902ad9925ae7b03eb5103ee03f20

SHA1
1e04a528f7ee85f89681115ab192799e9328aa0a

SHA256
dadb4e4d5b95361f8e310f2cdf95c62ae74c10ce74da09641dbcf89940637cbd

SHA512
1c182ac0612c3c41d9eb2b109e638172363c0fe34e9ca6a2c10812302a9b763cacad3e05ae2c50267b06bcc329ae1b8fa24f11978a17b7c43b806757e642636d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cobopgr0.sa5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1704-39-0x0000000001560000-0x00000000015BA000-memory.dmp

Filesize
360KB

Download
memory/1704-44-0x0000000000E10000-0x0000000000E1D000-memory.dmp

Filesize
52KB

Download
memory/1704-46-0x0000000001560000-0x00000000015BA000-memory.dmp

Filesize
360KB

Download
memory/1704-45-0x00000000752A0000-0x0000000075353000-memory.dmp

Filesize
716KB

Download
memory/1704-43-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/1704-38-0x0000000001560000-0x00000000015BA000-memory.dmp

Filesize
360KB

Download
memory/1704-40-0x0000000001560000-0x00000000015BA000-memory.dmp

Filesize
360KB

Download
memory/1704-42-0x0000000001560000-0x00000000015BA000-memory.dmp

Filesize
360KB

Download
memory/1704-37-0x00000000779F2000-0x00000000779F3000-memory.dmp

Filesize
4KB

Download
memory/3304-13-0x000001CBFEE90000-0x000001CBFF636000-memory.dmp

Filesize
7.6MB

Download
memory/3304-34-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3304-18-0x000001CBFC970000-0x000001CBFC97A000-memory.dmp

Filesize
40KB

Download
memory/3304-17-0x000001CBFC990000-0x000001CBFC9A2000-memory.dmp

Filesize
72KB

Download
memory/3304-15-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3304-0-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/3304-12-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3304-11-0x000001CBFE210000-0x000001CBFE232000-memory.dmp

Filesize
136KB

Download
memory/3304-6-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download