lumma | c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

2KB
MD5

693de5c0e94d35e8353960bcac6ede81
SHA1

37b35dfe458c8de86bde29daf4a3347d9b44f73e
SHA256

c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa
SHA512

141cbfe5bb35cc66fc8aced0a62247952d8814566c24937bd1bb3708f9e35fb7ac1f0733461f09d67e2562fe3e90bc2516e0efcc09401f48796f903a4a083580

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://impolitewearr.biz/api

https://toppyneedus.biz/api

https://lightdeerysua.biz/api

https://suggestyuoz.biz/api

https://hoursuhouy.biz/api

https://mixedrecipew.biz/api

https://affordtempyo.biz/api

https://pleasedcfrown.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2156	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3676	steamerrorreporter.exe
5012	steamerrorreporter.exe

Loads dropped DLL 4 IoCs

pid	Process
3676	steamerrorreporter.exe
3676	steamerrorreporter.exe
5012	steamerrorreporter.exe
5012	steamerrorreporter.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5012 set thread context of 4740	5012	steamerrorreporter.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2156	powershell.exe
2156	powershell.exe
3676	steamerrorreporter.exe
5012	steamerrorreporter.exe
5012	steamerrorreporter.exe
4740	cmd.exe
4740	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5012	steamerrorreporter.exe
4740	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3084	2156	powershell.exe	84
PID 2156 wrote to memory of 3084	2156	powershell.exe	84
PID 3084 wrote to memory of 1484	3084	csc.exe	85
PID 3084 wrote to memory of 1484	3084	csc.exe	85
PID 2156 wrote to memory of 3676	2156	powershell.exe	87
PID 2156 wrote to memory of 3676	2156	powershell.exe	87
PID 2156 wrote to memory of 3676	2156	powershell.exe	87
PID 3676 wrote to memory of 5012	3676	steamerrorreporter.exe	88
PID 3676 wrote to memory of 5012	3676	steamerrorreporter.exe	88
PID 3676 wrote to memory of 5012	3676	steamerrorreporter.exe	88
PID 5012 wrote to memory of 4740	5012	steamerrorreporter.exe	89
PID 5012 wrote to memory of 4740	5012	steamerrorreporter.exe	89
PID 5012 wrote to memory of 4740	5012	steamerrorreporter.exe	89
PID 5012 wrote to memory of 4740	5012	steamerrorreporter.exe	89
PID 4740 wrote to memory of 4784	4740	cmd.exe	103
PID 4740 wrote to memory of 4784	4740	cmd.exe	103
PID 4740 wrote to memory of 4784	4740	cmd.exe	103
PID 4740 wrote to memory of 4784	4740	cmd.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lqqcjcxh\lqqcjcxh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp" "c:\Users\Admin\AppData\Local\Temp\lqqcjcxh\CSC66E97099B83D4C1EA52D13429EFDDAE.TMP"
    3⤵
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\extract1\steamerrorreporter.exe
  "C:\Users\Admin\AppData\Local\Temp\extract1\steamerrorreporter.exe" -ExecutionPolicy Bypass
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Roaming\Checkbrowser\steamerrorreporter.exe
    "C:\Users\Admin\AppData\Roaming\Checkbrowser\steamerrorreporter.exe" -ExecutionPolicy Bypass
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe" -ExecutionPolicy Bypass
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFD5B.tmp

Filesize
1KB

MD5
3f3524d6bc4df72fc8e13053f4a8c031

SHA1
0076cb93391757b85249692a8e6b9643a701e317

SHA256
cd1a4f06533f912bdeec046deff3572fcfe777abf53393bd6dd5ac9effe38f27

SHA512
ddef62956baf1ee22ccdae631e5f90cc542196646bc98fd451b0b3887291a26f3c2d805e6bdc272777302b5f0a1d437de7f9ace90b57a9f6b1d74032e0545564

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3sddy42.mth.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4c141b5

Filesize
1.0MB

MD5
8aaa4c822ba0b7ff15f85aa31d4e8e66

SHA1
885499a9a005a5b51c36432140c46dad8be98b03

SHA256
6f2962586cf4934ad496b42b1e42fea991b20ddbc303b002719ea378efbf6281

SHA512
b5fcc85729de71fd7faf30398d79f23440fdb311ae3758f20649fcc46e2efbd20c6c3f444d4e3269328a51e6b488f7fcb44407b474adb167c854d832358bfdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\oidium.gif

Filesize
32KB

MD5
24cda8535a0071f656739ce838daaffd

SHA1
0b339890b6a5412af3a6995cab7ea6725c8c18f0

SHA256
a70c4a464dd9b850713b95f880891697cc2d7c9a1d86236a9d2bd8d685dadb56

SHA512
e04bb582f2f1369ef2799152b3608d0bae7f1cc7ebac50ffff7243f8faf1f514790990caea9f19818701f73fb1ccb56fb279f55e5312acd162634d74d4c02ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\tier0_s.dll

Filesize
330KB

MD5
3595e056e5a313b21b9d58bf0af1e776

SHA1
c3fbe0e13209d7a6ce663b72243e1ec5080a7ae3

SHA256
897fc8d953661d3836aee0ea3bbf5fed1a47f330c70bfe18f1f608ac746d9f30

SHA512
36fadf5a3c18e79b3c00c65c2a6dce6306ec85ca5662e5e5769a961cfccac92790c11cbfb821db25e090b2043df5444a4e06d5249f381f4f7e7beb1881b38247

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\vstdlib_s.dll

Filesize
530KB

MD5
bf433279dfa1820d93ef9417fceaf306

SHA1
21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

SHA256
3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

SHA512
dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\wincey.tif

Filesize
807KB

MD5
53d8516376e27c4ac2207b990e903e58

SHA1
494ca94b0a9184c48fc1e1424e9a62b91cbb3205

SHA256
7bf30ef224ccfc4fd594dbf0bebd52a23d04bd5516234aaff3db6499f572a1ba

SHA512
5590c9eeff62332b779e284e0cb6eaa537287626ec813c61098e0cc23ec9d2709146335bf411d16d54c2652f8994965068e5924cc017d5437fab4bfb551fba2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqqcjcxh\lqqcjcxh.dll

Filesize
3KB

MD5
193dc6df73e243d0c9a0379e8d2f57a7

SHA1
2a6f9640256f416ded3a507dc5be2246f9adf299

SHA256
3283784a9a335615861ae0447da0f47c4c56d81a7fd697d00740f6d718840002

SHA512
2c4fdd5253da6d9a0c00e63a52e095dcafca5471e98a462eebc93dc17224539255d24258d1c5306025f880b9718b323ad1214cbe98fd02f8e051ca15dbdc878e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqqcjcxh\CSC66E97099B83D4C1EA52D13429EFDDAE.TMP

Filesize
652B

MD5
b6dddb2ed513c3b5f3c381c37ae1f0ab

SHA1
06da596c125297f4be1f36268184518da17f5044

SHA256
3b466948d4639a36bf58093e1ef382c7c221f961bf57762b8a57be46d8285b62

SHA512
0a6b10b97c60f859103ff33375f1a4b56ab72b7915124f66be50420b2d5809ac913dfcceb9897d2fbfec7833f91723f43a149a493793e7faeae161fd491ab976

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqqcjcxh\lqqcjcxh.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lqqcjcxh\lqqcjcxh.cmdline

Filesize
369B

MD5
b0ae75282f496093389555e382e8660f

SHA1
6e326074eca3b4c08d1be9b7b6c0aee0a679d940

SHA256
ba204aed7d4f327a45e5f3f24d204da0f73165400111bab7b3738140b43d621f

SHA512
e7a74e81b574bebbc86648012a4fafa91fd6d37ec4fc1e528f5f877d32b77b96dde7fcd92ab9e7ffd753cfb5b41371fb392708072e7ea2c8ceea187636c19401

Download Submit
memory/2156-29-0x000001B1709F0000-0x000001B1709FA000-memory.dmp

Filesize
40KB

Download
memory/2156-72-0x000001B1710B0000-0x000001B171272000-memory.dmp

Filesize
1.8MB

Download
memory/2156-12-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2156-27-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2156-0-0x00007FFCD4143000-0x00007FFCD4145000-memory.dmp

Filesize
8KB

Download
memory/2156-11-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2156-25-0x000001B16E200000-0x000001B16E208000-memory.dmp

Filesize
32KB

Download
memory/2156-1-0x000001B170850000-0x000001B170872000-memory.dmp

Filesize
136KB

Download
memory/2156-77-0x00007FFCD4140000-0x00007FFCD4C01000-memory.dmp

Filesize
10.8MB

Download
memory/2156-30-0x000001B170A20000-0x000001B170A32000-memory.dmp

Filesize
72KB

Download
memory/3676-58-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/3676-57-0x0000000075400000-0x000000007557B000-memory.dmp

Filesize
1.5MB

Download
memory/4740-82-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4740-83-0x0000000075530000-0x00000000756AB000-memory.dmp

Filesize
1.5MB

Download
memory/4784-85-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/4784-86-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

Filesize
372KB

Download
memory/4784-89-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

Filesize
372KB

Download
memory/5012-76-0x0000000075530000-0x00000000756AB000-memory.dmp

Filesize
1.5MB

Download
memory/5012-78-0x00007FFCF2570000-0x00007FFCF2765000-memory.dmp

Filesize
2.0MB

Download
memory/5012-79-0x0000000075530000-0x00000000756AB000-memory.dmp

Filesize
1.5MB

Download