Analysis

  • max time kernel
    105s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 11:57

General

  • Target

    04072025_1157_InnoChameleon.exe

  • Size

    1.1MB

  • MD5

    2f8393e1aa4c24d3e5e5be7b34496978

  • SHA1

    1e5a0ab07c575daf9a072f69c221c6823f1d9072

  • SHA256

    0c09d626762969426c58e715e6f44aa782f4edeeae4b436e7246fa3dc3713ba4

  • SHA512

    5b40c6f9de5a95bf2a81de087f8cb1785e9e4f3a8835a4904a339a1ad2b873a4e1f18bff51c16d5f0018ca526dd427c695ea9e1fccb0117e8e92d173f2b56dae

  • SSDEEP

    24576:N0ajgKNQm3E/UUHc0fZUaB3WvtRbOuEcNB0ysEajeYEWc:NFtE8AXfPY5E+JUfEWc

Malware Config

Extracted

  • Family
    lumma
  • C2

Attributes
  • build_id

    23d7e62ebeb343fc6c92b86e8c20e3fe2c28b95d6e

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers will often target it.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe
    "C:\Users\Admin\AppData\Local\Temp\04072025_1157_InnoChameleon.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy Volt.jpg Volt.jpg.bat & Volt.jpg.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5816
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2512
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5744
      • C:\Windows\SysWOW64\findstr.exe
        findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set WTWeCJRHnQjpWResuXaRjuzPxbYFNhbkAGH=AutoIt3.exe & Set KUauBpAncgceSqQjbhWnLryvbslsLXOSEy=.a3x & Set EvvvqBcYMSRiiQYlWBlnWuKasDttNcuTzgk=300
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2268
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y Actions.jpg *.*
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2884
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "Judge" Pins
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5672
      • C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com
        Smooth.com i
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2908
      • C:\Windows\SysWOW64\choice.exe
        choice /d n /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4956

Network

MITRE ATT&CK Enterprise v16

Downloads

        • C:\Users\Admin\AppData\Local\Temp\432811\Smooth.com

          Filesize

          925KB

          MD5

          62d09f076e6e0240548c2f837536a46a

          SHA1

          26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

          SHA256

          1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

          SHA512

          32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

        • C:\Users\Admin\AppData\Local\Temp\432811\i

          Filesize

          467KB

          MD5

          0af9e22506b0c923c0cbdd17e569dd31

          SHA1

          0a18cc56c9d54ac5d7bddb62a2cc2446133df0b3

          SHA256

          15f040b15db2d9665a8a50eb3a972cfcf30b2a4a08be9759876a64f072005084

          SHA512

          813eaede24117daf74294c4d9f7b3cc59b41b83785dda0ce8277c8bfb64109c14c574640d96a666d93cee3ac6ad9e4a5d8abc62533564ce984d6ebddb4b5072c

        • C:\Users\Admin\AppData\Local\Temp\Actions.jpg

          Filesize

          478KB

          MD5

          e46cc3cf2db4502ac1ecb3bfa7cef9d0

          SHA1

          bed48acd38d6be13487c2be5ebf87943bb2ddb0e

          SHA256

          1ffde3f0b42c24e9d9fbfe868f9a27ed4ba5208f733ce3b1ec064604a6b45b92

          SHA512

          b602dd81a6f62bba8cbb240d0e08ada1655959b43ef37b35631cf3824683c9effbb4e78db009be61ee00c47bee685cb35766939fd6ac51ca6f20d24f4ae2d961

        • C:\Users\Admin\AppData\Local\Temp\Agent

          Filesize

          121KB

          MD5

          0637a7f3b27457de2c31284b536e2650

          SHA1

          b06cad6345dd33c772a188329371dace6d8c1e39

          SHA256

          32b57b1fe1a1b36d29bda5c1e782cf969c5c2dbaf7bf8d23856e0d199cbfe113

          SHA512

          a2087c0f5632bdb623ae2a6980e71c7b70c107fd9a8476f5d610dc8830cf5674cbada6dc0c45227e572b5e1d4fa26aeb0c73387eefe7343326020b36ab905242

        • C:\Users\Admin\AppData\Local\Temp\Almost.jpg

          Filesize

          67KB

          MD5

          8f7ade728f200bbebea6a89078746b5c

          SHA1

          66606853420213b70fed86428f549942bb719518

          SHA256

          f478f80e6f5cc06357106d766edd032c7e9d4d678d395ef06bae11f0acc93f03

          SHA512

          09ee1fa492c949df8e06de9d36790e7f4589a735fa7b3ecb22eed0d0b802bbfab4d4cb1e132a71ea77932145834402ff208eb9cdc5905da34825a7da56ec871b

        • C:\Users\Admin\AppData\Local\Temp\Brochures.jpg

          Filesize

          69KB

          MD5

          eb98cf41f60207be4f00f57d0dbfa912

          SHA1

          4deaf682dd22843269b7e9173af60d1dae260b5b

          SHA256

          981c00cd31bc71a4abd347fa925e07b373c001f523eeaeab8233030e7b33a746

          SHA512

          15b7915c7eaeb811027791ef3987514165126bf119d8b0b6b0a4bdefbbf6810458aac312a6b627a525d61ea153126ec30d3af72c23e0f981f377f79488648f40

        • C:\Users\Admin\AppData\Local\Temp\Concluded

          Filesize

          83KB

          MD5

          624560396f6e45240443d8ff4ec33fe5

          SHA1

          c4dceedfd6650b9932b8f3d6f2c8447b0a6f8404

          SHA256

          bcd21b828ca19dd2af3dcea50cc8cffee7ca93bb9c07f8491c7429e55671767f

          SHA512

          a5a91e148d2988c44c7718f85152e0c72c062b2b6617bd9d98511d7e3a2bf4ebd5e19c88c35e5280e50780a7da07b87f86a5ebfdc275da0480c5511526fd2cbb

        • C:\Users\Admin\AppData\Local\Temp\Established.jpg

          Filesize

          68KB

          MD5

          1988635dba11d4bf1bc7f0324d916703

          SHA1

          f575df302d3e727d230ff5ab5fbae7dcf16ae448

          SHA256

          250c74f0933ffed14cc8f81585c5322cc4a43f612d5391dbd28e1fafbf51770e

          SHA512

          6e2821ccf1f711cf29647ccbce7f29633997d013457f770b265bbd9fc58a695851af02bdaa55d51a6d3f2714af10719aece67f2e1fe0da804b3ed3c9824ee57b

        • C:\Users\Admin\AppData\Local\Temp\Expanded

          Filesize

          61KB

          MD5

          205824c6f6de5a04b18157808f16ae15

          SHA1

          bfe41802af073f1f27be9987011e36cdd6dea580

          SHA256

          04e9e75696d2c43417cc55fdf6ea9ee347c08689472f0490e4c727e982629c59

          SHA512

          4633313a75b5619fa159e6380bee39a82326c396361943900d759a545c4011cbffc73b8b90a9ca46f372f7e3e5a43da27439f648a70b70da2d783a7df34202d1

        • C:\Users\Admin\AppData\Local\Temp\Feature

          Filesize

          83KB

          MD5

          08fc19e80913f01cc2017a0cdb07312d

          SHA1

          f4446e06d5075c5484e4cebed15c95f8944fd43c

          SHA256

          151464d4d5b509174520f77f72af4a2df13e47f5bc386b8757c16bae54702781

          SHA512

          c264dee1c91d98469cc4f10205d35dc2ead497c3878bc73bf5f6fd24a96b4913489618303f524d1bbd59f12fece635ee2eebd84dd36c46c96498a2a400912ad5

        • C:\Users\Admin\AppData\Local\Temp\Harold

          Filesize

          107KB

          MD5

          79f5bc834a462caee8c9b5ba1b21972c

          SHA1

          fccff45b6b11c9c6c04355e7dc00203989b01a22

          SHA256

          223c5867ae5151155ddb9a347e2310b90efc12321ca2380d4623ab74fa387998

          SHA512

          5bea8b73ec01e848a748dd381e60679b7096cb1767de4d5220b89ff385977799134fcc357ca474388698c52ee48735d2c566010fbc2fedb3cfeb2d99147b3abf

        • C:\Users\Admin\AppData\Local\Temp\Looks.jpg

          Filesize

          33KB

          MD5

          f595d410bfd66503706ceca38af31d96

          SHA1

          db514ab05dc131d5104f71cd97fb050389009642

          SHA256

          a71f9d8551fe695bfd6fcbdd5e32fa7210af1b0af6fcab45e8652d30356f3778

          SHA512

          bda49d0a42b50faad2700b148d8b2159e870afb7eacfc9bf914e282a7c512889e8e63ea499244f1c0f9899ff232a8e67c44c315c9f34919688c97fe136bf31a9

        • C:\Users\Admin\AppData\Local\Temp\Pins

          Filesize

          357B

          MD5

          ec01b89ee67746b25094f5c16cea8e62

          SHA1

          4ab7f9321219c50358793a5544820dc9be0b838c

          SHA256

          8ab8d566fb14a7cf4c925e7acaa7cb2572153183e772654c572020a702044162

          SHA512

          9a76271eb42b566d6ca51bc1b1e016094f971197825dcfa02f1d3a2aa227f2a1243f13dac6943d15b60776cd8065c0d09c7f3f01ce6af02f2925adef95a019b7

        • C:\Users\Admin\AppData\Local\Temp\Pipes

          Filesize

          31KB

          MD5

          9f6790bcd34211a8047f546ca3dee4fc

          SHA1

          3eab73d1fe12bebd8f843895c1280e0ef3f95c14

          SHA256

          4eb88b6c9dd74fb724ded480386d2e6e1116a6a936fd1cfe5fe9600d41a8ed18

          SHA512

          7aec9d692ad94a3055edd4fb30b17da83ebf26d845ced1c59737fe0bf567ad00a800d52c32961ed13ff34a7394fbcd23db8a4bc00ad8ca8f4c5ce213b931c522

        • C:\Users\Admin\AppData\Local\Temp\Portuguese

          Filesize

          86KB

          MD5

          d6f9b7ad4abc7e2651946ce4e0f0aa3a

          SHA1

          0d4793f3ebfbef55894f7e95864d175c9d52103e

          SHA256

          2e7ff6ee145781328c5a4c614591b2241131b622109009d03e82460ddce50d2d

          SHA512

          f3a07c7211cdf734bf7156f1155e03abbbbe5b989d78af10c73fe2916578b133d7769657514124a614f70137f39dd73590d16bb6323365ed7ed3e36aae428b36

        • C:\Users\Admin\AppData\Local\Temp\Pour

          Filesize

          127KB

          MD5

          cf08be7163d59411a7796347741706ee

          SHA1

          0b6f84ef5ac3fcd0f9e9c647611941812d1a4029

          SHA256

          4ecb23185c5417c85a3797b26f51cb908735ffce12e8c55b94b9ff47cbc3d059

          SHA512

          4bf428d906e17836899eb30e50e14624c481465cd8991ad72a9e8ae087e90ef9676f6c97d23de68ec413a4185b017d68337a96ba75bba9d769d0997f05735ed7

        • C:\Users\Admin\AppData\Local\Temp\Printers.jpg

          Filesize

          72KB

          MD5

          3a52e2f74e1c11decaf7856da85ebbc0

          SHA1

          a9403ca86a0ed08819f3084aef7f981d061f717d

          SHA256

          394e30fa289832ea300353797d880bb8bfa2bfc573dbdf83edb0016400a7a95a

          SHA512

          23fe7d691e4fddba794174d4ce8694d772f83dc4ec22083faf7919bab0e716a68c938119a60d1dedde83c6c15b3ae609ea46141f1afab550a899e2de2dad0441

        • C:\Users\Admin\AppData\Local\Temp\References

          Filesize

          85KB

          MD5

          3117b4e2edeed15b686c8874ef3d8c54

          SHA1

          a7b83abbb7bd75c06ee5b2dd6397c3779adb644c

          SHA256

          f5c2b3ac5b2e832299b311d14f1e8aad4711c6ac3a3730b1e2a088574359737d

          SHA512

          772669df5ff9e98f3daaed94c1cb804be31defc775b0624181b31c82269d80726a6d59bc6a86ab6f286f975845fcad8a276852c8777938481b68edcddee1b203

        • C:\Users\Admin\AppData\Local\Temp\Sticks.jpg

          Filesize

          79KB

          MD5

          43e5c0f1041a97241004553f18b32e54

          SHA1

          b1b26ffbed879f69a7dd50ed5f3a00982b24be6e

          SHA256

          507f32c47f94d387349084bbeeb653f873145ee868ec2f031b70b9714a8ec7f0

          SHA512

          6207be4abf4effab82ddfe229aec918a697bd4f1969b891d83888c7e9a6101df6dd2c2e5499efc6d0284b5a28d050ff848ac05d2e6a25daf2a3d1a2e3d3e4d27

        • C:\Users\Admin\AppData\Local\Temp\Up.jpg

          Filesize

          79KB

          MD5

          a437c182d29dbce6b5d69c1ea069d931

          SHA1

          e1e2a32e740b0d6dfa73ab77f4b29f4e82a7f8eb

          SHA256

          6cc5d7c7cd996a67f80e8eeb83108652ecf55dee5783497da5b095ccef87b573

          SHA512

          d7abc4810c2d44603481dffaf3e6421d10af9ba4ace23c9784be23b54543c5785637f08ad1fa694a00e1084cb093464408d1b9d99deb65947f008108b6446ea7

        • C:\Users\Admin\AppData\Local\Temp\Volt.jpg

          Filesize

          20KB

          MD5

          079187927e46a2fb84a2777572282c40

          SHA1

          4c1388b21c7871c6304b0ff3929c21c14437f8e4

          SHA256

          ff23c8d9515f9d8aa8670571be589d1b6aaabb0b6bedda50d84796aa323c774f

          SHA512

          c96f13cbae3951e8e0e5e4e768aedfe05b6d601a177d19f94b262e592436a5e6fc66f4a4272f8280d47331ce548caf3b180782628237f316adc6b29cd920fd3c

        • C:\Users\Admin\AppData\Local\Temp\Worldsex

          Filesize

          140KB

          MD5

          4e72d227b9d1e375cc45daf8b29bc44b

          SHA1

          fe444ec24264591a2b9fe15798bfc719202d50ff

          SHA256

          5a027997385b8649350893f46e0d68a9411f6c7f8fb0ed0322d3e67ec5184c02

          SHA512

          3cde6e8a6193cde4ba7cb949ef7488da919e2af83fed828abb9357c5307be2efa0419407cd155f6d09e71c15aa72cb25143b3679ac764ec066cac8b3ce844a94

        • memory/2908-519-0x0000000003FF0000-0x000000000404E000-memory.dmp

          Filesize

          376KB

        • memory/2908-521-0x0000000003FF0000-0x000000000404E000-memory.dmp

          Filesize

          376KB

        • memory/2908-520-0x0000000003FF0000-0x000000000404E000-memory.dmp

          Filesize

          376KB

        • memory/2908-522-0x0000000003FF0000-0x000000000404E000-memory.dmp

          Filesize

          376KB

        • memory/2908-523-0x0000000003FF0000-0x000000000404E000-memory.dmp

          Filesize

          376KB