lumma | a33973f5db28149436244ea6de4fb1eec9f297b795b949f293bfc322504d9510

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stage1.ps1
Size

2KB
MD5

9cc29d3f5d6f3a35268cde9622b1ac9a
SHA1

241b1037acf1d713fc90239739428e3d3c0b9ad2
SHA256

a33973f5db28149436244ea6de4fb1eec9f297b795b949f293bfc322504d9510
SHA512

7a76b35c761708c4c01e2838ef39edeed740201274586649368bcd92e4edb230e68e6cd78880b68f6ef1f2bcb4785e45b19ab3da23d5dcaabae20b25ffacf95e

Score

10^/10

lumma discovery execution stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

https://suggestyuoz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	1396	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	ISDbg.exe
1540	ISDbg.exe

Loads dropped DLL 12 IoCs

pid	Process
3820	ISDbg.exe
3820	ISDbg.exe
3820	ISDbg.exe
3820	ISDbg.exe
3820	ISDbg.exe
3820	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 2796	1540	ISDbg.exe	94

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1396	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1396	powershell.exe
1396	powershell.exe
3820	ISDbg.exe
1540	ISDbg.exe
1540	ISDbg.exe
2796	cmd.exe
2796	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1540	ISDbg.exe
2796	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2792	1396	powershell.exe	83
PID 1396 wrote to memory of 2792	1396	powershell.exe	83
PID 2792 wrote to memory of 5048	2792	csc.exe	84
PID 2792 wrote to memory of 5048	2792	csc.exe	84
PID 1396 wrote to memory of 3820	1396	powershell.exe	91
PID 1396 wrote to memory of 3820	1396	powershell.exe	91
PID 1396 wrote to memory of 3820	1396	powershell.exe	91
PID 3820 wrote to memory of 1540	3820	ISDbg.exe	93
PID 3820 wrote to memory of 1540	3820	ISDbg.exe	93
PID 3820 wrote to memory of 1540	3820	ISDbg.exe	93
PID 1540 wrote to memory of 2796	1540	ISDbg.exe	94
PID 1540 wrote to memory of 2796	1540	ISDbg.exe	94
PID 1540 wrote to memory of 2796	1540	ISDbg.exe	94
PID 1540 wrote to memory of 2796	1540	ISDbg.exe	94
PID 2796 wrote to memory of 1164	2796	cmd.exe	97
PID 2796 wrote to memory of 1164	2796	cmd.exe	97
PID 2796 wrote to memory of 1164	2796	cmd.exe	97
PID 2796 wrote to memory of 1164	2796	cmd.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\stage1.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5etttkcu\5etttkcu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES703E.tmp" "c:\Users\Admin\AppData\Local\Temp\5etttkcu\CSC3CF801A0CF344A30BB7D1D12D85CDE11.TMP"
    3⤵
    PID:5048
- C:\Users\Admin\AppData\Local\Temp\extract1\ISDbg.exe
  "C:\Users\Admin\AppData\Local\Temp\extract1\ISDbg.exe" -ExecutionPolicy Bypass
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exe
    "C:\Users\Admin\AppData\Roaming\comHelpcjq_x86\ISDbg.exe" -ExecutionPolicy Bypass
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe" -ExecutionPolicy Bypass
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2eb6a48d

Filesize
1.0MB

MD5
b615047ff8744d5f1c87acc4c013e7aa

SHA1
1b39247a33d6acdf13867fd233ba3828e498e85c

SHA256
311ee52b702ccf07fd47a26593a568307f61cc810c7e7d408f95aa15fc0e8577

SHA512
fb94ce885403bdb7533d24007ac344d6a2aab4f7e18591556bd8c008fafcb509434651ae6dc08ceec897374db4a41b4ad25a14adf8ca0fc53aaca818c792e86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5etttkcu\5etttkcu.dll

Filesize
3KB

MD5
099c7f980748462d0ef3eed8e74da211

SHA1
cbfaad094617ac8aa47048c3c5da620be9489360

SHA256
58ce57bca486246ac11ca3d7347915802a9086702103060ea04615a9b6eeb61c

SHA512
e764f3290bbc2f8aedef42a4ad41112e4edf47607d56ccdb88cfe8123e05afbc22276e868cc720cfffa6383bd0c0a593f0d06b3b9fbccf908a68b0d974bc8e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES703E.tmp

Filesize
1KB

MD5
0d82148f643d17d85a252670ee8881f5

SHA1
75b2c8caf80a1a5c3d23f14c23471b63f67f07ed

SHA256
ddd24394e5a15b807d4f349112cc3513922a4850dd60c265a9d8e81a762d5221

SHA512
1424d985e16ae0fc2872d0b3d0a05ae43dc37ba19439ab0f2df7d77cd6f1873ffe819556ed97bfbc351bb030cbd2b1ee8ecdd4bb8682dc825b7e00af74784949

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32pm2433.krm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\ISDbg.exe

Filesize
3.6MB

MD5
7ca79f128adaf85ba662d15af223acac

SHA1
af6d8587efe0fa22b38e623b0358e4636ac7ea65

SHA256
af2f747f6daa4b949ee7e418e36aee0e40de8abd3cbd4dccc26105dbfa8211d6

SHA512
3ac8fd62d6f4143d0704233664d19271f00bc9322239975d3403272cb9f2b4836d8329431507543f973deb353ddb80ea26befe6217a400d3c6fb5e43bc7652fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\ISUIServices.dll

Filesize
7.1MB

MD5
30806a5b2b548b8ae5dce694f04f119c

SHA1
df2966770ac32423f02d5c747ce9c0ff9a02937a

SHA256
3ad57c99fd061b4c99120f1bd34466d221b80776cab62d52496f1c0350908d31

SHA512
5a37315e3468afc9a3fad90f95953c16f6f647331aac4a1044d509a07b0cd6bb986af36a816e535abe51fe174c56932aa5fca0a7efd18ede105bc365183bebf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\MSIMG32.dll

Filesize
3KB

MD5
ae2fb3295fd4bee1e651b7b6639d7bfe

SHA1
4ac939d67002aabccf7a5878302a37b8079dda12

SHA256
c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45

SHA512
90c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\improve.yaml

Filesize
807KB

MD5
a34d815f73166c57bca5f257957be230

SHA1
eb2db12c280b55b38aa928e0d62adf1d42cc66dd

SHA256
c3bfa153bcd462d930fd07a471d3ca18c75555392f6b93292ac5d3eeb2c144bf

SHA512
bcdab5f4e3fc64b6e0c0b46f2c687ea790108e18357ff23a31cb986427f8ccc3c2f586b6bd06d615d9ad47bee6cdcadfb32bc0d69a54b84aef24a3aa210c621e

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\msvcp140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\stereometry.csv

Filesize
40KB

MD5
46bf98092f25ee430426e6dc8a23e8c1

SHA1
53c0191276a26b0842fe28126cdb32b8d4f831e3

SHA256
5b2000f087303389df052791ecd30d958d1610a8f33a52bdc2a798ccad114745

SHA512
8e2a5d2773c9b85009b1404905e5e3e0b5a6cbbf6439c422e8a6363afd3146fc3ad99bf031347b592fa6387898ae5be821bdc82b879d21148a438ece6bc8522b

Download Submit
C:\Users\Admin\AppData\Local\Temp\extract1\vcruntime140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5etttkcu\5etttkcu.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5etttkcu\5etttkcu.cmdline

Filesize
369B

MD5
bc41cbd050b697cd246ff762768f6bac

SHA1
bbb28d2e9b3aa8e6cb0529378f8c8daf6b050ef3

SHA256
70d80eb00d5290d29f9fc5e40d979d0c96c4268d4d78151476fc2d2c6c8503bd

SHA512
4fca10577cc541b09b11c881fdb30375d630ca46d402112e9f6381473c0b23d89f731f893cdcb47f49e6195c7106a6f2b8464f67abca3c1cf9e37e6058d34e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5etttkcu\CSC3CF801A0CF344A30BB7D1D12D85CDE11.TMP

Filesize
652B

MD5
94087cbb4e46d737f29b743e334ebf2c

SHA1
5f957cd72e1494a836b3ca0d28a6dfc93d907bb7

SHA256
07cfff92c00a648984260191ff3f2a02f4a05e3d52025c89954bc96ee77c5ae7

SHA512
ee45d315c9653ceb0d364894c86f4c24d991f4daa3708f352c0297d4184a7a6a3d83f668c4f8f8e146e166c4db3a632ff3060820dad1e1b8bd7e84b9ebb05b6a

Download Submit
memory/1164-123-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download
memory/1164-120-0x0000000001000000-0x000000000105D000-memory.dmp

Filesize
372KB

Download
memory/1164-119-0x00007FFF06A70000-0x00007FFF06C65000-memory.dmp

Filesize
2.0MB

Download
memory/1396-31-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-30-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-0-0x00007FFEE8973000-0x00007FFEE8975000-memory.dmp

Filesize
8KB

Download
memory/1396-25-0x0000017299ED0000-0x0000017299ED8000-memory.dmp

Filesize
32KB

Download
memory/1396-11-0x00000172FF7E0000-0x00000172FF802000-memory.dmp

Filesize
136KB

Download
memory/1396-34-0x00000172FF830000-0x00000172FF842000-memory.dmp

Filesize
72KB

Download
memory/1396-33-0x00000172FF4E0000-0x00000172FF4EA000-memory.dmp

Filesize
40KB

Download
memory/1396-12-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-29-0x00007FFEE8973000-0x00007FFEE8975000-memory.dmp

Filesize
8KB

Download
memory/1396-27-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-79-0x00000172FFA20000-0x00000172FFBE2000-memory.dmp

Filesize
1.8MB

Download
memory/1396-28-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-91-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1396-10-0x00007FFEE8970000-0x00007FFEE9431000-memory.dmp

Filesize
10.8MB

Download
memory/1540-113-0x0000000073720000-0x000000007389B000-memory.dmp

Filesize
1.5MB

Download
memory/1540-112-0x00007FFF06A70000-0x00007FFF06C65000-memory.dmp

Filesize
2.0MB

Download
memory/1540-111-0x0000000073720000-0x000000007389B000-memory.dmp

Filesize
1.5MB

Download
memory/1540-100-0x0000000002DC0000-0x00000000034EA000-memory.dmp

Filesize
7.2MB

Download
memory/2796-116-0x00007FFF06A70000-0x00007FFF06C65000-memory.dmp

Filesize
2.0MB

Download
memory/2796-117-0x0000000073720000-0x000000007389B000-memory.dmp

Filesize
1.5MB

Download
memory/3820-82-0x00007FFF06A70000-0x00007FFF06C65000-memory.dmp

Filesize
2.0MB

Download
memory/3820-78-0x0000000073720000-0x000000007389B000-memory.dmp

Filesize
1.5MB

Download
memory/3820-67-0x0000000002B60000-0x000000000328A000-memory.dmp

Filesize
7.2MB

Download