lumma | deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe

General

Target

deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
Size

8.4MB
MD5

ca48226df272a89b2d2622eb0ea90e2a
SHA1

55a245e4d74b6085fbb500474195e01bea262f68
SHA256

deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe
SHA512

e2130d93b671834dfe3b306fc1603af2fff84163991fb4490b17113585528b56b2f310cd37974aaf650567d6275f17e248286561e0b1e5047eb9060e7edfee73
SSDEEP

196608:lHg2bkWJWRVifVqP1kyyM5r9a06OgR7JzvygVgCKaUoK6kgSvxQv:lHg7WQ19kFyg06R1y4gCKI52xQv

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

C2

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Executes dropped EXE 5 IoCs

pid	Process
5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
1780	KMSpico.exe
1856	KMSpico.tmp
4992	core.exe
4948	core.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
4992	core.exe
4992	core.exe
4992	core.exe
4992	core.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 5080	3100	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	83
PID 3100 wrote to memory of 5080	3100	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	83
PID 3100 wrote to memory of 5080	3100	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	83
PID 5080 wrote to memory of 1780	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	91
PID 5080 wrote to memory of 1780	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	91
PID 5080 wrote to memory of 1780	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	91
PID 1780 wrote to memory of 1856	1780	KMSpico.exe	92
PID 1780 wrote to memory of 1856	1780	KMSpico.exe	92
PID 1780 wrote to memory of 1856	1780	KMSpico.exe	92
PID 5080 wrote to memory of 4992	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	93
PID 5080 wrote to memory of 4992	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	93
PID 5080 wrote to memory of 4992	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	93
PID 5080 wrote to memory of 4948	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	98
PID 5080 wrote to memory of 4948	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	98
PID 5080 wrote to memory of 4948	5080	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	98

C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
"C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\is-MIIA0.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MIIA0.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp" /SL5="$5021E,7821354,844800,C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe
    "C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\is-2Q887.tmp\KMSpico.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2Q887.tmp\KMSpico.tmp" /SL5="$301EE,2952592,69120,C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1856
- - C:\Users\Admin\AppData\Roaming\MyApp\core.exe
    "C:\Users\Admin\AppData\Roaming\MyApp\core.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Users\Admin\AppData\Roaming\MyApp\core.exe
    "C:\Users\Admin\AppData\Roaming\MyApp\core.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9dce48e6

Filesize
2.0MB

MD5
799c99a1ed471b81064984749bafce23

SHA1
1f60d72e2e8a37d2816dbf2523297fbde4f020f2

SHA256
3658ac12409eef521153e90e83ec835413ae98f7105f516a101eed47399bb13a

SHA512
18345742524b9ef901be2f58410ec3781ed6bf32b7833b0d1dcc8443c938403ce9a6637c41262c43e70680e035100d0d882ae8699739da4635525ef52b915734

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2Q887.tmp\KMSpico.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MIIA0.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Filesize
3.4MB

MD5
e4c43138ccb8240276872fd1aec369be

SHA1
cb867b89b8bf19a405a5eee8aa7fe07964f1c16c

SHA256
46be5e3f28a5e4ed63d66b901d927c25944b4da36effea9c97fb05994360edf5

SHA512
f25ad4d0442d6bbd3bdf3320db0869404faba2cab2425bcb265721889b31a67c97ae5b464e09932f49addd4d2575a5e0672c06b9ab9bdecbdd2fe9c766c2ec91

Download Submit
C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe

Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
memory/1780-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1780-31-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1856-77-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-75-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-87-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-81-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-40-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-79-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-67-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-83-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-89-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-73-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-71-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-69-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-85-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1856-60-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/3100-29-0x00000000002E0000-0x00000000003BD000-memory.dmp

Filesize
884KB

Download
memory/3100-0-0x00000000002E0000-0x00000000003BD000-memory.dmp

Filesize
884KB

Download
memory/3100-2-0x00000000002E1000-0x0000000000389000-memory.dmp

Filesize
672KB

Download
memory/3100-47-0x00000000002E0000-0x00000000003BD000-memory.dmp

Filesize
884KB

Download
memory/4948-65-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/4992-55-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

Filesize
2.0MB

Download
memory/4992-54-0x0000000074090000-0x000000007420B000-memory.dmp

Filesize
1.5MB

Download
memory/4992-48-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/4992-58-0x0000000072520000-0x0000000073774000-memory.dmp

Filesize
18.3MB

Download
memory/4992-62-0x0000000072520000-0x0000000073774000-memory.dmp

Filesize
18.3MB

Download
memory/5080-46-0x0000000000750000-0x0000000000ABB000-memory.dmp

Filesize
3.4MB

Download
memory/5080-39-0x0000000000750000-0x0000000000ABB000-memory.dmp

Filesize
3.4MB

Download
memory/5080-30-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/5080-6-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing