lumma | 2d93225c3029a377e3dd2a4d4e808ff3e327c2ab533266cba6602dd87ddd14b4

Analysis

max time kernel
144s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TSConfig.exe
Size

1.8MB
MD5

e367ccd75b44a581b76040040df16eea
SHA1

127c1fae3f28ddcecf09050ad7191cd9c6b7f482
SHA256

d364a62a725b5f5d6ff6b3ffcaf3bf5086e80ee3ecb8d7e182876fce557579b2
SHA512

89ea1143aaf28253c6a6e044a92b7822923a95fc7b08142028f8b8b64166e32c2c6deb68f48b84170b907809c7ecbcea6d7eadb97d827b7f99b663a4dac65060
SSDEEP

24576:cA+yMgvxQWLCMhXMS8tzkXmPVUo4xSF9YxOnV7HwplZeQlBH9+IZCXjLQ4Lpp7eG:dx2MhXMa9+IeQ4+0uXOdmQHKPeB

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://abnomrmakio.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 4876	1028	TSConfig.exe	83

Executes dropped EXE 1 IoCs

pid	Process
1028	TSConfig.exe

Loads dropped DLL 8 IoCs

pid	Process
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TSConfig.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1236	TSConfig.exe
1028	TSConfig.exe
1028	TSConfig.exe
4876	cmd.exe
4876	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1028	TSConfig.exe
4876	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1028	1236	TSConfig.exe	82
PID 1236 wrote to memory of 1028	1236	TSConfig.exe	82
PID 1236 wrote to memory of 1028	1236	TSConfig.exe	82
PID 1028 wrote to memory of 4876	1028	TSConfig.exe	83
PID 1028 wrote to memory of 4876	1028	TSConfig.exe	83
PID 1028 wrote to memory of 4876	1028	TSConfig.exe	83
PID 1028 wrote to memory of 4876	1028	TSConfig.exe	83
PID 4876 wrote to memory of 1136	4876	cmd.exe	85
PID 4876 wrote to memory of 1136	4876	cmd.exe	85
PID 4876 wrote to memory of 1136	4876	cmd.exe	85
PID 4876 wrote to memory of 1136	4876	cmd.exe	85
PID 4876 wrote to memory of 1136	4876	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\TSConfig.exe
"C:\Users\Admin\AppData\Local\Temp\TSConfig.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Roaming\WY_Signv2\TSConfig.exe
  C:\Users\Admin\AppData\Roaming\WY_Signv2\TSConfig.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65b9ed47

Filesize
1.0MB

MD5
9ea2169d72026413bcb343224c3924da

SHA1
fcb58819e7b0abd0626cdb754a7b8299d462286c

SHA256
d6bccb3a48b137cf674e9af0ef80b16736e7520684c26cf6ea98c6d0499a7248

SHA512
21a6505ec50b4755632462b32876f13a9b9994344b23d6e38968ebf8b6d75d170a4c8bfca36abb7f29b5299b12bb91b3c707852217029561aac0d7852a23fec4

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\FNP_Act_Installer.dll

Filesize
3.3MB

MD5
bd1341856f0f5f8db5d54401c0d3261c

SHA1
b6f9287fd2da120e3a69aefdbcce8230582542af

SHA256
4c08963572d2e9d80782221c2a0d7633c72e6eb3ed8d364b8a512441ec5d774f

SHA512
42e816fc9a630831453f4ce5080586500a415e098b2e2a14005e9c39a4c5b87cd1682f3060cba7490dc42117f53ec5951f2dc14181981017455cb1a14e93c06b

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\ISUIServices.dll

Filesize
7.7MB

MD5
3b81ed520d9dde9c78a9aa9ec5bcc205

SHA1
25a9730125f20232bebd09bf17c224647a04dce9

SHA256
276f328fdf9df6c5094bee29f10576bbb3b78dc853fb4cd344038ed857099dbd

SHA512
1a2cbfd7c422428dcd2ff7ed684c52abfb307f61ebdfaf64bdcddbfa36ef97092c6e52b9c9ec0c001ab5d6f7b92453b7099499ace333530b414a8a6ccf221bb5

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\MSIMG32.dll

Filesize
3KB

MD5
ae2fb3295fd4bee1e651b7b6639d7bfe

SHA1
4ac939d67002aabccf7a5878302a37b8079dda12

SHA256
c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45

SHA512
90c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\TSConfig.exe

Filesize
1.8MB

MD5
e367ccd75b44a581b76040040df16eea

SHA1
127c1fae3f28ddcecf09050ad7191cd9c6b7f482

SHA256
d364a62a725b5f5d6ff6b3ffcaf3bf5086e80ee3ecb8d7e182876fce557579b2

SHA512
89ea1143aaf28253c6a6e044a92b7822923a95fc7b08142028f8b8b64166e32c2c6deb68f48b84170b907809c7ecbcea6d7eadb97d827b7f99b663a4dac65060

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\ToolkitPro2200vc170U.dll

Filesize
10.5MB

MD5
8a7fb716d57df2d2ed06be3b72f49bcc

SHA1
a9736b0ad1c9369bb3b470fa7901599eac4c1ba2

SHA256
1c2d5be623c48e8564c5d3bd44ad729e4b70b961891b7144208561b3a989baba

SHA512
560c2106275adc4741f84e35d870de91695e26c0ae252b026a8641cd630c79dfe4d49dfb60fea0d62319b9e55f9be5ee07cce6cd28991a7f28405dda46bb835f

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\cashew.dwg

Filesize
64KB

MD5
e503e0ba8b4d79b2819b7baa42722434

SHA1
be43d0403a586ccea8de1d81d0f82680377258b1

SHA256
c91505d28daa0f562316b004fe32c7dbd00369d9b6d032cbf12a2c888957d9af

SHA512
d47b4edbe802edaf4c056c71827e84edec3471fa1691ac3c5a0bc9bc38ee7f3d14355ac0c145acc9990ac02d0d5d53a8d9a8ec440d3ed1ade3a308349312d315

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\dishful.wmv

Filesize
799KB

MD5
c40ab6b34c7d721fd131762879b56286

SHA1
33e6d6988e3a0ae32fc3efb61da64fcb5debc83c

SHA256
568459b5a59243d37efe2722b352c508a87520b08dbb940066c2ebba4e9bce08

SHA512
2d1b7351d0ea7c6883e73a65392f0deb8212178cc64c61c338a2356002883843b2a4c1953a537c6285127eaa9d9228b149f1bf7591fa24a63095be102b31d590

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\mfc140u.dll

Filesize
4.6MB

MD5
266c6a0adda7ca07753636b1f8a69f7f

SHA1
996cc22086168cd47a19384117ee61e9eb03f99a

SHA256
3f8176bbc33f75fbcc429800461d84bcdb92d766d968220a9cc31f4cf6987271

SHA512
016c3197a089e68145741a74d6fb2749d45d0760cdb471c9c4efc17b365b0c0dfddd7ca331d5a6fad441485c382b382eab6ed9aca80640a540fed36c6905125c

Download Submit
C:\Users\Admin\AppData\Roaming\WY_Signv2\msvcp140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
memory/1028-33-0x0000000002480000-0x0000000002C2C000-memory.dmp

Filesize
7.7MB

Download
memory/1028-38-0x0000000073160000-0x00000000732DB000-memory.dmp

Filesize
1.5MB

Download
memory/1028-39-0x00007FFD53370000-0x00007FFD53565000-memory.dmp

Filesize
2.0MB

Download
memory/1028-40-0x0000000073160000-0x00000000732DB000-memory.dmp

Filesize
1.5MB

Download
memory/1136-46-0x00007FFD53370000-0x00007FFD53565000-memory.dmp

Filesize
2.0MB

Download
memory/1136-51-0x0000000000840000-0x000000000089C000-memory.dmp

Filesize
368KB

Download
memory/1136-50-0x0000000000840000-0x000000000089C000-memory.dmp

Filesize
368KB

Download
memory/1136-47-0x0000000000840000-0x000000000089C000-memory.dmp

Filesize
368KB

Download
memory/1236-0-0x00000000024C0000-0x0000000002C6C000-memory.dmp

Filesize
7.7MB

Download
memory/1236-3-0x0000000073160000-0x00000000732DB000-memory.dmp

Filesize
1.5MB

Download
memory/1236-4-0x00007FFD53370000-0x00007FFD53565000-memory.dmp

Filesize
2.0MB

Download
memory/4876-44-0x0000000073160000-0x00000000732DB000-memory.dmp

Filesize
1.5MB

Download
memory/4876-43-0x00007FFD53370000-0x00007FFD53565000-memory.dmp

Filesize
2.0MB

Download