lumma | 16285d3c4e953dd62009d46507c6ffe6a113f55345a9edb3e09fba72518dd6dc

Analysis

max time kernel
153s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2025, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bewerbungsmaster.professional.german.incl.keygen.rar.exe
Size

911.2MB
MD5

59ba9c00cb882b6ccfccbd733a018b6d
SHA1

615c92841b1e4f11121770d6e7e347e64457ad05
SHA256

a103c50ea0998add632a7e4341a121f6b939c40cdce6ef828d2ef30c1275499a
SHA512

cdcde37f5889b00665d380eb5ff1ce1d21473564c1d3eab60d441d8c31a9d11c2029f69fab503506d6b08b2fecedc9506e5f5e92c16b430c104222fe565fd69c
SSDEEP

196608:656eBi63yD94k9OaSDmNz74e/E4agGW0PoNyqyv0kOVmA/kz7QAbslkF074+tLF+:zDD9fYajdXJkOVJkzCK074+tJfsU682

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bewerbungsmaster.professional.german.incl.keygen.rar.exe

Executes dropped EXE 1 IoCs

pid	Process
3196	Subscribe.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4356	tasklist.exe
3088	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FewerTaken	bewerbungsmaster.professional.german.incl.keygen.rar.exe
File opened for modification	C:\Windows\FormationTickets	bewerbungsmaster.professional.german.incl.keygen.rar.exe
File opened for modification	C:\Windows\VitaminsSpeaker	bewerbungsmaster.professional.german.incl.keygen.rar.exe
File opened for modification	C:\Windows\SoCrossword	bewerbungsmaster.professional.german.incl.keygen.rar.exe
File opened for modification	C:\Windows\DisplayParticipated	bewerbungsmaster.professional.german.incl.keygen.rar.exe
File opened for modification	C:\Windows\DirBeatles	bewerbungsmaster.professional.german.incl.keygen.rar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Subscribe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bewerbungsmaster.professional.german.incl.keygen.rar.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	tasklist.exe
Token: SeDebugPrivilege	3088	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3196	Subscribe.com
3196	Subscribe.com
3196	Subscribe.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4868	3124	bewerbungsmaster.professional.german.incl.keygen.rar.exe	81
PID 3124 wrote to memory of 4868	3124	bewerbungsmaster.professional.german.incl.keygen.rar.exe	81
PID 3124 wrote to memory of 4868	3124	bewerbungsmaster.professional.german.incl.keygen.rar.exe	81
PID 4868 wrote to memory of 4356	4868	cmd.exe	83
PID 4868 wrote to memory of 4356	4868	cmd.exe	83
PID 4868 wrote to memory of 4356	4868	cmd.exe	83
PID 4868 wrote to memory of 1644	4868	cmd.exe	84
PID 4868 wrote to memory of 1644	4868	cmd.exe	84
PID 4868 wrote to memory of 1644	4868	cmd.exe	84
PID 4868 wrote to memory of 3088	4868	cmd.exe	86
PID 4868 wrote to memory of 3088	4868	cmd.exe	86
PID 4868 wrote to memory of 3088	4868	cmd.exe	86
PID 4868 wrote to memory of 5080	4868	cmd.exe	87
PID 4868 wrote to memory of 5080	4868	cmd.exe	87
PID 4868 wrote to memory of 5080	4868	cmd.exe	87
PID 4868 wrote to memory of 2672	4868	cmd.exe	88
PID 4868 wrote to memory of 2672	4868	cmd.exe	88
PID 4868 wrote to memory of 2672	4868	cmd.exe	88
PID 4868 wrote to memory of 3312	4868	cmd.exe	89
PID 4868 wrote to memory of 3312	4868	cmd.exe	89
PID 4868 wrote to memory of 3312	4868	cmd.exe	89
PID 4868 wrote to memory of 3256	4868	cmd.exe	90
PID 4868 wrote to memory of 3256	4868	cmd.exe	90
PID 4868 wrote to memory of 3256	4868	cmd.exe	90
PID 4868 wrote to memory of 3752	4868	cmd.exe	91
PID 4868 wrote to memory of 3752	4868	cmd.exe	91
PID 4868 wrote to memory of 3752	4868	cmd.exe	91
PID 4868 wrote to memory of 4392	4868	cmd.exe	92
PID 4868 wrote to memory of 4392	4868	cmd.exe	92
PID 4868 wrote to memory of 4392	4868	cmd.exe	92
PID 4868 wrote to memory of 3196	4868	cmd.exe	93
PID 4868 wrote to memory of 3196	4868	cmd.exe	93
PID 4868 wrote to memory of 3196	4868	cmd.exe	93
PID 4868 wrote to memory of 3724	4868	cmd.exe	94
PID 4868 wrote to memory of 3724	4868	cmd.exe	94
PID 4868 wrote to memory of 3724	4868	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\bewerbungsmaster.professional.german.incl.keygen.rar.exe
"C:\Users\Admin\AppData\Local\Temp\bewerbungsmaster.professional.german.incl.keygen.rar.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Chronicle Chronicle.cmd & Chronicle.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 799932
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Fiction
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Wear" Drill
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 799932\Subscribe.com + Relatively + Angela + Tax + Christmas + Combinations + Broader + Fat + Gravity + Estimation 799932\Subscribe.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Contractor + ..\Announce + ..\Fifth + ..\Mating + ..\Diagnosis + ..\Rewards S
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\799932\Subscribe.com
    Subscribe.com S
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3196
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\799932\S

Filesize
482KB

MD5
c6c3f87247d3900c01a994353f5134f7

SHA1
6c9b8faa7a82282f1a7990c26d3dd0bf3f4ad8d1

SHA256
88aaea7194e9d00d17c6e99867403de9be71c4af75de3197a501ae8638608004

SHA512
33e1e94471328bc88dc534bd77a0b9b21142a92315e386c8264e6d056af70c58c024bd4ac8721daab6db7ff56db79fada4efa7210d056b9275ec2869b2cbaf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\799932\Subscribe.com

Filesize
393B

MD5
37ccb2357f8de57f53c33053c178505d

SHA1
be607e3c1ec725361b00d9698d3cc043b8b584fd

SHA256
317f224f097bfb81623fada0a3b9e97cedb8aa750a45e0b90eaa74a9fe4c7a00

SHA512
8caea73647522ad224f758759838f7fcfe4a1729cfc5e75ca785485faee55af031b9a33e5163e99787e0b6248769e1733d9063e60c60ffc0d0f37a674c34dae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\799932\Subscribe.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Angela

Filesize
96KB

MD5
6f338ee81c5dfe3805235505b9f74a64

SHA1
ac91d15bc7d73e4480b278f1a16996e12bdf2c20

SHA256
f87a3a0b88fbb790657e462f7d1ab8bac14c01dcedc2038826a0ba6de8ab06f5

SHA512
ff884fb19528566e4ce6ffe3bfe2b2ac0e216b6f6ffc8de5bc4d7f65a751ab24d513a9ccaa998d09ec8772b0207a5bf99ff175051701712db021c737dc342ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Announce

Filesize
94KB

MD5
38902a3dea3b1f42921ef6f53f12d41b

SHA1
04b0766bc3c29a2150e877e8530c4b7abfc4a91e

SHA256
36e78b2de46bfc22148c293036769b5673738531877b805686947e48978c4528

SHA512
0a9ddbf49649aca973c282be3848c6991d66664f82db099ecac34f9712174df2a67f26b3d236dc748441a16c3b1e00034ed3c136640b212bd3b754506d85ce91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broader

Filesize
125KB

MD5
293b358c9418c06e3ed002ed7812ce38

SHA1
a7adfc776d8ab26e7823fea898c073bf7911b9be

SHA256
50ea8f57cb06f2128893322f995dab65fe15f3a616f797c60937c91c53546a8f

SHA512
e66cf8339f1f07d08ec9733515d852a75680c3e155354e132859a881fc2f57a45a76c617f874e051d561220c616ecb6f4a7b41f80649c0e23d1159b2bb765536

Download Submit
C:\Users\Admin\AppData\Local\Temp\Christmas

Filesize
115KB

MD5
b7ae641cb52c9a4478fbbc30e11e74b5

SHA1
78004186d18553b103b0889657d09e45b6c0fa32

SHA256
1a037ab11487ba430a60d97ca66dbec95b0541f33336a13ac7acd7ffdcfa4690

SHA512
b7830b6d3b53df570fcc04b4c66f0bd25b19f2a4026b7c518a9a3b9620bbe05701d1d47d5a816bca1731f92c5b7398eeda14e5fa466398b5b495937a1901ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chronicle

Filesize
16KB

MD5
33daebcbc9573f0e1879ae0c762681d2

SHA1
9b6850aac337301268a50ae73e30b69d31fcb0d0

SHA256
1469638551031ef8abd4a1f6d4f7ead3d82f6f20a77111dc7b81160260feaa30

SHA512
d6a5924c08bc3c1d948a26a4ba8f190fbe3f3b80d6fb48ac1168ca654f879d2c46df69b0e809439350c003d78d5d247c92e3fc68b6d995a1b8dfe15ed96044c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combinations

Filesize
97KB

MD5
222ce2600eaa85223ec64d17d3a6b579

SHA1
c47b5e19570c60c32c08e38f14ae703119d2d107

SHA256
48db8e95c856e78c7ec0c4813a117b321e6822f9bad96ddb3be691577c6a502d

SHA512
5cb3cd2b6c669aba0efa6572c5a8d988baed88c6fd1812f631d828579c70330c0b9abcb38ef0e7489d4ca9807b6bc1d23687e0be17375f7af160bcd24f711702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Contractor

Filesize
92KB

MD5
7f528cde79130a922313f605b9d223c5

SHA1
5e10e89c09644f56f73f0f1df8dc71aa6fb8a9ea

SHA256
44cc629a224eb52bb332f66b7c31ecc27eb81d7e4068e2bc86ba72fe9a5e98a3

SHA512
0fd6e0947f797ae299d84225e2a3255afbc142d8538607b3ad4599c71dca74d3a8ed95fd22ccf33b5006f017bc426fbccba1d6af2d7d1baa7c5f5a6151493a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diagnosis

Filesize
77KB

MD5
0ce0ae605da437190f75b07e3fac7991

SHA1
d185ce7eae2634c8e3648bffb34edc5980e3ddf5

SHA256
3056e0bd5d3fd9d1a54b540aa5d7029e43c4b2265eedf272a96f98dbf1a8c3bf

SHA512
c5380ba080d67a90a5a73be0124b65e54683b40c42bdc5386523680878829f720cfd1ef6b3746117120fe4e678395a5cad6306628d62a3f35cb72015e759207b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drill

Filesize
397B

MD5
18e806dadae20d41ac097deb8812a6c0

SHA1
b500592223d88b2f0c7516e773ac8a254d2cd114

SHA256
3a17217452ce4224940e32f4865547d4be3ee65a4b267bfc70dfaaa4a096718e

SHA512
8dcb330c6d1ec6cbc0b1dff810964df284acbea77fd0a3edf781e9f3daf6c3f3b5f1d85e5009a0c77b321ec0d96f09b2aa657556ce581585bdb4e168cb6801ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Estimation

Filesize
26KB

MD5
0554c62b40a989824dd9d6fa9c0856dd

SHA1
eb90b42e22c22c23082640195dc9f9ea2d7838d9

SHA256
b8d9887095885b47072653aa2ee491da9e1a06c8b4552685d641605502c0ac69

SHA512
41a7af0433b819c15cd844aec9de75ea7ef2c0041976d6bb4c0e796176d6ec14d93cd0b835d4b8d2bfc863059ff076305b7778b16ea99f5805b9822fba977bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fat

Filesize
127KB

MD5
aa5fe1ac39fdcb7f9b5a68651816d44f

SHA1
c82e8ff73514f4c5d24f333eda51fbf19440e306

SHA256
ab4bee4fcca010125a9e343a445dc2673f35c846e7d6b9b1611a3076462c63ea

SHA512
b2e468c0534195cd4771a242c7c8b28a2d6c5a8ed535f8385435745435be2b9d218ef07fd4ffa3f43eff8621ec113f675161cdf00b07ff0b78335b6766fb2324

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fiction

Filesize
476KB

MD5
a7d9034efc4244a23525deceaf8a0b41

SHA1
bd80a9b198572a68c020ac88b716a0e916024046

SHA256
c877af3fcde6d60115ced5b2244bf316accfa923363bd06ee9583aa8b9e63c4f

SHA512
c3165ad273c86ffef7f25410ca689417eef528f77ff96bdb42d6ad3897e36af193c05f777536f5a927a0f70e2ce8eccbd728947700341f2b2f6f90742ba7622f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fifth

Filesize
82KB

MD5
daf66c2576c3561dea3d863232313ed4

SHA1
8d3ca66d6446a590b9fa4261f24794eb00776be9

SHA256
36997d0760bc1295a412649226422216e5d5a4eb91016e78245445ad2390e3ca

SHA512
2c098dc62bd733db749480b42385b1a3e4f91023375aeab54be6d6697e97371dd5f4ffba3d24c3dae900e98f956bf6980f2e79311fed93a7d14fb09832eaa418

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gravity

Filesize
104KB

MD5
601f974e4547895e2ebf6de20222eef9

SHA1
890502c994b51789a9a2b2fd5a967fc07c39fec3

SHA256
068efa74e5b6d81c18c893d6c0b3fc971cbbb024114ac4a5eb48c76e1f0eb56d

SHA512
e3bdd92a8749ef462d81931ed7d719074796cd5f1c06b82615c37c4a133c847188b66cf50ff3f4f6517d45df29bbdae5958376aaf3faf7bc921d1b51d9c5f309

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mating

Filesize
84KB

MD5
bd403271661c662a1839c64d5a8ffb00

SHA1
1af7e76cb3cdf9225e7bc4054ac6988a4c451f78

SHA256
4a9fb7d91b561cfdc90c384d7ace93bad775fef41365e13f16132bc73ce4d7b5

SHA512
4118da2d6a5fee6fce2fc23718295b394dd7460a0f9477ebd9fd242c0c9a2aef0643be6e38ded14af97ea1573d07117f7fc5c93b2561a32558a689fc89e17bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relatively

Filesize
106KB

MD5
36e28064d86507b5309c8232e1d03dbb

SHA1
f94985975b2fe2554b9d3b9401780c42d90f6828

SHA256
55ab067ccb893715a73e8b61b278b548f018f6b08d0229c2f76e79c02af940dd

SHA512
a6c446e231d37419b21c4d1d2fa3847b0e7c4c2595b11d4fa2ec79cb444f3a132962a6a6b94b2d646201585299ccc321fbcfe98161bbac1c211de4c610abdea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rewards

Filesize
53KB

MD5
7ce30a7844ade9f70836e28e69b60216

SHA1
a3397c767a1f16cf974300682185b2c3ee8e994f

SHA256
c82f57f35aa264763b2514c48d8058389406b23014484635d30f99eb1cf319d0

SHA512
3e3e006a80bbf123d1e2103b4c6519f4f77e9fe1b99517547d03b3fd8bfbcb440592bb70d6f69d525f0a6add79e2cc2ecdea199e0b1a3b54dbd3672ac83d0adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tax

Filesize
128KB

MD5
7e235df2433326af2bfd74d4d1c9701b

SHA1
d8658f494b247e9d6773d4c9ad75f3ed74ea7bb5

SHA256
681b3fb5c1481d78c350d6d47606075797d4ef0f0826a8c74f9a998f7c343f57

SHA512
292071d5572df220511d42070ecf801dcef9700ebfebc64f7d08b1d8952bf724ac1e9bb4ebd114007f769509c1e1c48a6eb99943981a1feaf5b02977b07491ce

Download Submit
memory/3196-431-0x00000000044B0000-0x000000000450F000-memory.dmp

Filesize
380KB

Download
memory/3196-432-0x00000000044B0000-0x000000000450F000-memory.dmp

Filesize
380KB

Download
memory/3196-433-0x00000000044B0000-0x000000000450F000-memory.dmp

Filesize
380KB

Download
memory/3196-435-0x00000000044B0000-0x000000000450F000-memory.dmp

Filesize
380KB

Download
memory/3196-434-0x00000000044B0000-0x000000000450F000-memory.dmp

Filesize
380KB

Download