lumma | 12604e1184d3c656d4c8307cd73e79b808d37a09d08710bccb6f7e9da872e77b

Analysis

max time kernel
96s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8feef4a4753bf33560a69d2020deb6f7.exe
Size

133KB
MD5

8feef4a4753bf33560a69d2020deb6f7
SHA1

8cfed3ec74c914f97c4de4ae60ff3e0cde3a85e1
SHA256

12604e1184d3c656d4c8307cd73e79b808d37a09d08710bccb6f7e9da872e77b
SHA512

c48d98b134b4052f7bba7110c3ca4e32471a02f63198bf85e791dda93252a942507df2c86472a824a50fbce3c3767496207e6d0c05e90c1fe704c6c6e38eb77b
SSDEEP

3072:/23Z9FK2ku2HuAQTTl7MuRXv+ClEtVoHpHVGqozKuQgxbEEHK:Gku2HuAQTTRMoXvDHVBKO

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://farmandfamilylife.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4572 created 3584	4572	8feef4a4753bf33560a69d2020deb6f7.exe	56

Executes dropped EXE 1 IoCs

pid	Process
3380	ZF1643XNALB7I7IBW86H23ZSZ.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8feef4a4753bf33560a69d2020deb6f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8feef4a4753bf33560a69d2020deb6f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZF1643XNALB7I7IBW86H23ZSZ.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4572	8feef4a4753bf33560a69d2020deb6f7.exe
4572	8feef4a4753bf33560a69d2020deb6f7.exe
4572	8feef4a4753bf33560a69d2020deb6f7.exe
5956	8feef4a4753bf33560a69d2020deb6f7.exe
5956	8feef4a4753bf33560a69d2020deb6f7.exe
5956	8feef4a4753bf33560a69d2020deb6f7.exe
5956	8feef4a4753bf33560a69d2020deb6f7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	8feef4a4753bf33560a69d2020deb6f7.exe
Token: SeDebugPrivilege	4572	8feef4a4753bf33560a69d2020deb6f7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 4572 wrote to memory of 5956	4572	8feef4a4753bf33560a69d2020deb6f7.exe	96
PID 5956 wrote to memory of 3380	5956	8feef4a4753bf33560a69d2020deb6f7.exe	108
PID 5956 wrote to memory of 3380	5956	8feef4a4753bf33560a69d2020deb6f7.exe	108
PID 5956 wrote to memory of 3380	5956	8feef4a4753bf33560a69d2020deb6f7.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3584
- C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe
  "C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe
  "C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5956
- - C:\Users\Admin\AppData\Local\Temp\ZF1643XNALB7I7IBW86H23ZSZ.exe
    "C:\Users\Admin\AppData\Local\Temp\ZF1643XNALB7I7IBW86H23ZSZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZF1643XNALB7I7IBW86H23ZSZ.exe

Filesize
1.2MB

MD5
f39abc59427c47450b89d4a885129a99

SHA1
31f5dfc37bd783c1158c1faccf04642a0009f430

SHA256
c0e02c4d99bdc475fed4894cda4d6567260405d66b906bf12ef02f1a929ed574

SHA512
3effc5e6e74c7299655d1d74aa7b75f4cd3d5bd4e73081c31a87d3c48bcd199d9961287f9dabe4c0ecf4393b6f80401a795dc94d254703a887c793575cae4d4f

Download Submit
memory/3380-1355-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3380-1357-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4572-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4572-1-0x0000000000750000-0x0000000000778000-memory.dmp

Filesize
160KB

Download
memory/4572-2-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-3-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4572-4-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-5-0x0000000005B60000-0x0000000005C90000-memory.dmp

Filesize
1.2MB

Download
memory/4572-6-0x0000000006250000-0x00000000067F4000-memory.dmp

Filesize
5.6MB

Download
memory/4572-7-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/4572-8-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-21-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-66-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-71-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-69-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-67-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-63-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-62-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-59-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-57-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-55-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-51-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-49-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-47-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-45-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-41-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-39-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-37-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-35-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-31-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-53-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-43-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-33-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-29-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-25-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-23-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-19-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-17-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-15-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-13-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-11-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-9-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-27-0x0000000005B60000-0x0000000005C89000-memory.dmp

Filesize
1.2MB

Download
memory/4572-1330-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-1331-0x0000000005F90000-0x000000000601A000-memory.dmp

Filesize
552KB

Download
memory/4572-1332-0x0000000006150000-0x00000000061D6000-memory.dmp

Filesize
536KB

Download
memory/4572-1333-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/4572-1334-0x0000000006AB0000-0x0000000006B04000-memory.dmp

Filesize
336KB

Download
memory/4572-1335-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-1339-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-1345-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-1346-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4572-1341-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/5956-1347-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5956-1348-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download