lumma | 078898cf626e80ac8dfa8e11f62731d0da3557691cbd8ce4bf27bcaf71f36e45

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper-v2.exe
Size

250.0MB
MD5

5ddc96131a4fa050ed3c6e04f67ddae7
SHA1

82ded800588cfbeb33fe6695959aff66dd1edcdd
SHA256

078898cf626e80ac8dfa8e11f62731d0da3557691cbd8ce4bf27bcaf71f36e45
SHA512

570c1a3fcd0dcdc4c8241d5f7dab781a6b7acefba2e921b58a7a53a33d9e8fa613ce74c1c515f2604aec062f101e649e498f2cef0b3ff9c5b203b1c39d823e52
SSDEEP

24576:SGNzMuKIRynzVp0bPWcrusxT0h1fXMnd+mKpUj:VM+ED0b+6uqTOXMnd+Rpg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Bootstrapper-v2.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	Entity.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2724	tasklist.exe
3692	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EarSegments	Bootstrapper-v2.exe
File opened for modification	C:\Windows\AhStrength	Bootstrapper-v2.exe
File opened for modification	C:\Windows\SpDover	Bootstrapper-v2.exe
File opened for modification	C:\Windows\DeeplyNet	Bootstrapper-v2.exe
File opened for modification	C:\Windows\ConsortiumCarriers	Bootstrapper-v2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Entity.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper-v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2236	Entity.com
2236	Entity.com
2236	Entity.com
2236	Entity.com
2236	Entity.com
2236	Entity.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	2724	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2236	Entity.com
2236	Entity.com
2236	Entity.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2236	Entity.com
2236	Entity.com
2236	Entity.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2064	2604	Bootstrapper-v2.exe	84
PID 2604 wrote to memory of 2064	2604	Bootstrapper-v2.exe	84
PID 2604 wrote to memory of 2064	2604	Bootstrapper-v2.exe	84
PID 2064 wrote to memory of 3692	2064	cmd.exe	86
PID 2064 wrote to memory of 3692	2064	cmd.exe	86
PID 2064 wrote to memory of 3692	2064	cmd.exe	86
PID 2064 wrote to memory of 3472	2064	cmd.exe	87
PID 2064 wrote to memory of 3472	2064	cmd.exe	87
PID 2064 wrote to memory of 3472	2064	cmd.exe	87
PID 2064 wrote to memory of 2724	2064	cmd.exe	90
PID 2064 wrote to memory of 2724	2064	cmd.exe	90
PID 2064 wrote to memory of 2724	2064	cmd.exe	90
PID 2064 wrote to memory of 3860	2064	cmd.exe	91
PID 2064 wrote to memory of 3860	2064	cmd.exe	91
PID 2064 wrote to memory of 3860	2064	cmd.exe	91
PID 2064 wrote to memory of 4988	2064	cmd.exe	92
PID 2064 wrote to memory of 4988	2064	cmd.exe	92
PID 2064 wrote to memory of 4988	2064	cmd.exe	92
PID 2064 wrote to memory of 984	2064	cmd.exe	93
PID 2064 wrote to memory of 984	2064	cmd.exe	93
PID 2064 wrote to memory of 984	2064	cmd.exe	93
PID 2064 wrote to memory of 2556	2064	cmd.exe	94
PID 2064 wrote to memory of 2556	2064	cmd.exe	94
PID 2064 wrote to memory of 2556	2064	cmd.exe	94
PID 2064 wrote to memory of 4112	2064	cmd.exe	95
PID 2064 wrote to memory of 4112	2064	cmd.exe	95
PID 2064 wrote to memory of 4112	2064	cmd.exe	95
PID 2064 wrote to memory of 952	2064	cmd.exe	96
PID 2064 wrote to memory of 952	2064	cmd.exe	96
PID 2064 wrote to memory of 952	2064	cmd.exe	96
PID 2064 wrote to memory of 2236	2064	cmd.exe	97
PID 2064 wrote to memory of 2236	2064	cmd.exe	97
PID 2064 wrote to memory of 2236	2064	cmd.exe	97
PID 2064 wrote to memory of 3344	2064	cmd.exe	98
PID 2064 wrote to memory of 3344	2064	cmd.exe	98
PID 2064 wrote to memory of 3344	2064	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Bootstrapper-v2.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper-v2.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Soldier Soldier.cmd & Soldier.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 18197
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Marriott
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ata" Provisions
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 18197\Entity.com + Happens + Hull + Bare + Months + Tions + Yourself + Costumes + Particles + Collaboration 18197\Entity.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Grass + ..\Mcdonald + ..\Blue + ..\All + ..\Achieve + ..\Rape + ..\Relative P
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\18197\Entity.com
    Entity.com P
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2236
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\18197\Entity.com

Filesize
1KB

MD5
97f3d19121998df330656f74ace15fa0

SHA1
e4f3e6a33aaf592555af926162d2849dfcffbfc4

SHA256
928df740c612c380f3bc7b9be4e45ace86886fd7636cfc1062e9cf4942e6c001

SHA512
72264f9f1bf689c1211020e3fa592899cdb22b8bbcab43c7308ed03d0158da86bf831b497b4713aa8c396c42cd28b85ebb04d7adee7822dc18466cba1661a6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\18197\Entity.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\18197\P

Filesize
510KB

MD5
f54b58971255cd8bb39ac18ff2ef023c

SHA1
baae7a9c556141100c5c4ec7a58c4bd5107af00c

SHA256
3dd7212a8d4123a619aad6cd2ac66f23860a9b398ce5543cfa60937796b717d1

SHA512
51f7d10a3833ce810a8aab40c29971e9e0df36737080904952e2ac2f2c999677018524d92d79044b5e699c1561ffd23970642c2de3aad6f6df7959392d2a9022

Download Submit
C:\Users\Admin\AppData\Local\Temp\Achieve

Filesize
87KB

MD5
6b4b3d1f08334eb101b77825c2e69a0f

SHA1
5ed3cd04f8c243329e0c1df244b5557e13b9a195

SHA256
0cc867c5cc3820b661715316fc7f9cc81a3aa0633636591ad625976a7546cbd4

SHA512
c1603a50fb6967af91407a849d57d0f4816f330b6f822c85bc77a84c1a18a7197c19ce490d236bafede117c26d72a8c6144c142ddfb9661d546a596ab3bb982c

Download Submit
C:\Users\Admin\AppData\Local\Temp\All

Filesize
93KB

MD5
6c8bc112df167396aebb49ea6e22f7b4

SHA1
747ae9e043ac1c383a54053f4035231ed233d040

SHA256
2c1fc99f7b576b4882e4f01d22acdf1bda4dbccb91f3fdd8c09cf39c2f2af54b

SHA512
376fd2b86b2a1729d8150e2dbb040d2ca84a4619b75944d10749a3c1df089e565ec4cc5021785c34baa243ff2a8b57cd63967d3c414ec08552e33032bfe22ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bare

Filesize
107KB

MD5
e764237ece1583e546938d1f422e80fa

SHA1
b8cf83ade7e9a4c6bdbde6d87bcc5c81b861ad67

SHA256
c8366f16c835d58d9ef9b923c1f7654ba366605803080ba4a31e6d964403f163

SHA512
62a3d679507ea306ddd3965008c7a685198f057a6ec4def4c28e6aafe610901f5acaa14b86ba00f2c51e31eed8f8c18db168cb9a8f4fddc968f738b62c475b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blue

Filesize
77KB

MD5
69cef765fd888bf92d8fe00d5939503f

SHA1
3a3b162245f0b6e145a33056b753f365c0d2f962

SHA256
62c493a3f99320021b2c243c1031b4f544fd839dcc5779f75127b8c718468292

SHA512
2a1308618c299fe16e9818b0e37843321ba8979844b22f5cfec2d7a5b4abf22b5e4e706db100e35c7ff61c32b0d9650caf5c5caa7a89869d8be14d062177ee14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Collaboration

Filesize
99KB

MD5
75c9533f649fc53f15fe66ad1e660837

SHA1
230640e4a5f5d11e34f93ab9268c5f2f434cf904

SHA256
7ebaf5353216d2b73bd4f9a6051a6bf6be84dadee78d99f116fa3b5ca50e9be6

SHA512
0895875b762795ece7c6682cf4055b67860c5464d56221db5754c67a2d29d7061f624e86613cb253a2f07bb5405e9454679a30f27b0a0859550d587a65cce6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costumes

Filesize
135KB

MD5
3e6ac35562b5e256ac96255b65d73dc8

SHA1
7b75834345ab18fc06238425422081659f609dc2

SHA256
763d432416f8fa79a907904f2a118b4dd13b6b20d173564398bc430d4c3ae15e

SHA512
4fd0deb65ef349496432ed3b95f1ceeae41e10880a283b63a01eca62cac406afc496cdf17b60b0c8915f010149906f4aa5eeb89dd3aea0ace1fe15c8001d8f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grass

Filesize
71KB

MD5
ada59761b1e7e24fc5d82a8d86b2c0fb

SHA1
2ff93f9c77edf53a994876a1526c8c042c24cdae

SHA256
bb4ec0fbe1f5e92e4d1b389119685d766c89722304525aa554bafdc2d04da778

SHA512
429d928fc8336c7e38767b2cd336cf3b493c43b89ee9f39ceacb617490e00a730e0c9acf5340d940a6d02f5579c785df4c6001009527ab85183041154430fba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Happens

Filesize
65KB

MD5
0dde3c7228dba2b77766f9a8fa8c3b8e

SHA1
8538a5646283374c9249048033227f5e78d13496

SHA256
341acf8c01839083d72f47bea36d026a8ba2e2cf73703582d1c7dc1918e89e9b

SHA512
5f6abf298608321e493d14ba320140e0f43f96dd338877f10717c869deddef6b02d00d3929db5ba7637a3cc37cac9904032c685ac325ae7db413c8d9177e6e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hull

Filesize
67KB

MD5
52bf5b80ff9b4153ddc294a6d7ea7ea9

SHA1
0d49562bbf835317350d2c5e1e3992d4c7963c1e

SHA256
c7c0fcf2a92b4da6aa9b1a9cf47792982858b1e59d317a6a4e1fec821ad346ca

SHA512
020cab9b98389ffe0da1b129d82b075d0198bab6554cc61756a8da6f3ff11fd5fdbf2cb5bf55ba12eeae4a977858beebc16bf8c2d90f102ba84663a250e2666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Marriott

Filesize
477KB

MD5
52c85a3d9b4754d17283c58a62ee8e3e

SHA1
aac7f37b3ecced2acacfdf40b1a1e47e0b45183b

SHA256
38ff935f856d0f54ccaf8c01d5419dbc01239f5bc237b6e67c5eace70b766feb

SHA512
3e2fe806494844f9e53a0f1d5d4b777ca159a35e7c79612aea33661ef5049a35c13e904ea8710f904e3381e13022dc9b07ba47d223279dde671ee97570361dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcdonald

Filesize
77KB

MD5
ca700ead25ff1da0f3d15b3d4f03d625

SHA1
81ea4585cfafb905c4651019e3dbff36cfb775d2

SHA256
8cb81f9d5f389af49c624740ecf5bd523b9ec52fd95f4d1969f27355ffe616d2

SHA512
27086627d9ecf16e3c5e42c510fe0906d54d7c306abba6a89f1f97bc7f2f12f8d1e6b3cff2e869d672495ba4cd76e00bebac44179e74a406157e9d4ff36bf533

Download Submit
C:\Users\Admin\AppData\Local\Temp\Months

Filesize
136KB

MD5
4cdf3e57d3d57e973cca232bacb9a4b7

SHA1
20daf5a36abe40beafbf17a974754413331095d1

SHA256
59fd8c96ea34e60c3ba49b9912748f8106625858bbfdbcf68d0943153a54cc7d

SHA512
08fd4833009f0f76e6c7173861743c81c57e86c54369e428d89d776c7eb843c52e854270acdfe3bb61afe2d6b5bbb8a32af5487c72a346cddb727267e6cfc4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Particles

Filesize
80KB

MD5
9332a8e5d5a1f8fe99ac9de9b71546b0

SHA1
5799e7b5424f4768c18ba72319886f64f4836ad6

SHA256
11de444a146e62366fd2864722a3af8e8a62359c2428925dfefd12f363112803

SHA512
7a801916d043547c333111181cdd6e7da46bd64716bd19bc97e550106aa11eb10f7ed1e46701ae0b1e60fa4747875b3d615e8201705100ec941af12988f54380

Download Submit
C:\Users\Admin\AppData\Local\Temp\Provisions

Filesize
1KB

MD5
a0fc1422e0cf1a4cd14ed9f114d885e6

SHA1
dfd7573bf9dd59a0e257d2723c81346f4016a150

SHA256
d1fb7899c63cc1360d05b21982b9623b9657193a0e8324f1704112836e438f26

SHA512
a6e28ace7c60c1f632aa1734fc3558ac86a56d061f0e84985c3e4b5881a595151601330a47dcffe691874530448af9f82368ea6a2a3d4d62c233b22924411ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rape

Filesize
80KB

MD5
da60afd0e7846475eb467a411c9d93e3

SHA1
30b04a96b1af7da59e37ae1a0be7438c8593259d

SHA256
7676d619230abd2a2ec536953ef7e14a659fa053fe84edc2e15cc65620f0c8c4

SHA512
0081a63e70ed1f268468ea0ff48e051c9777b8666d9c401d028d248940ab1e1bba6142a844afbbb4325d76757ba10f7ddf802c06e84eece1773a35553280b432

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relative

Filesize
25KB

MD5
0fdde19700b205ff67a80f76e415599c

SHA1
de247cb1f2e6ad764154d147aa4bb12697135e0d

SHA256
5bdb5ed74359d61db52dc3e7d3cc20860537c4a26d0128342f56ef604e314140

SHA512
e182dd2582d6ddb983fa0c2ba3e2b224f21d4de8097501d120214eeb811575d622f4783bf77a8282fe34e081bae3037fd1803416ba24976143e91bcfeeb24cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soldier

Filesize
30KB

MD5
9b93917559bc9b0c222e0786dafbf76f

SHA1
2b3f3278e3444988c2332a4af4d2ddb9991aee5e

SHA256
d0e7e1b0847f8ecbedfa44d1536b1499e5c80df10c3c83e216c0475445e34572

SHA512
e7b3fbf3103ce0e0440f85b6fc90e3f8c14a71cc4b20357c91c1fde5d9197005a9235ed1bf51a1f2d72f594d6d4594e3e859b25a650012de9c66ee6f15ceae7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tions

Filesize
109KB

MD5
30ef3a43367b3fe394ebb6a225a362d9

SHA1
bc4b81ea0bfa71bd59980dfddc199fe35a2a8325

SHA256
16f534c2c196a0d78a61d099d034257dd41fcf9d07d422738c3079b85165918c

SHA512
12748e178776bb1fdee515f0c0ca6f81494c08b2e9bd9ffa1e4acb751b956dc91af3d6861b04c13d6ccf1448483a7d5c67913975f2165a19bbe16a6532bc38bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yourself

Filesize
125KB

MD5
0aae4fc7f27d4e7aa26a26c6845e4c73

SHA1
fe66162004af2f417114d864694159168b14e403

SHA256
446845e5b7b23d1d2364e1ce022a9b55737305cf5ac03f15d040271ef2033ff5

SHA512
9fc10812f441721aee3ea1b661a3621db7b71ac55edab0bae9ca81c38c0305fd26be1d54629fadc219d165ef2b63b782653e5baa0226d06be79fcdb901d984c0

Download Submit
memory/2236-748-0x0000000000110000-0x000000000016D000-memory.dmp

Filesize
372KB

Download
memory/2236-750-0x0000000000110000-0x000000000016D000-memory.dmp

Filesize
372KB

Download
memory/2236-749-0x0000000000110000-0x000000000016D000-memory.dmp

Filesize
372KB

Download
memory/2236-751-0x0000000000110000-0x000000000016D000-memory.dmp

Filesize
372KB

Download
memory/2236-752-0x0000000000110000-0x000000000016D000-memory.dmp

Filesize
372KB

Download