lumma | b86f6bae66732ad1c928f05296c9abef2f801e1351362e0956317a8c65ef2942

Analysis

max time kernel
79s
max time network
81s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

24.7MB
MD5

ff705c79ed5dda7bdbd720803eedfbac
SHA1

a0abfcfa4b58775ca4bd8c4f05887eb8105fe0f8
SHA256

f3c82a7d7446140bce47e45fa8f37def3f36655c6241e18e392703e4a56165e8
SHA512

532649e997b9ba528fef2ad60975a686ae83ae514ff1ead59f53ae8e178f33ff8f8296798e4fa181a16bc83b83c7d6ec26c75d03a1ce542586859379e3a10b8a
SSDEEP

393216:l9jmwJGRFpRdOupOibnGa3dTYDqrycuXhbCNCU:jjLibGmTYgyj2gU

Score

10^/10

lumma persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 5 IoCs

Processes:

Setup.tmpSetup.tmpUnRAR.exepythonw.exepythonw.exe

pid process

1764 Setup.tmp
4676 Setup.tmp
4420 UnRAR.exe
1724 pythonw.exe
3896 pythonw.exe
Loads dropped DLL 5 IoCs

Processes:

pythonw.exepythonw.exepsexec.c

pid process

1724 pythonw.exe
1724 pythonw.exe
3896 pythonw.exe
3896 pythonw.exe
4180 psexec.c
Suspicious use of SetThreadContext 1 IoCs

Processes:

pythonw.exe

description pid process target process

PID 3896 set thread context of 1532 3896 pythonw.exe netsh.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1764	Setup.tmp
4676	Setup.tmp
4420	UnRAR.exe
1724	pythonw.exe
3896	pythonw.exe

pid	process
1724	pythonw.exe
1724	pythonw.exe
3896	pythonw.exe
3896	pythonw.exe
4180	psexec.c

description	pid	process	target process
PID 3896 set thread context of 1532	3896	pythonw.exe	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Setup.tmppythonw.exepythonw.exenetsh.exe

pid process

4676 Setup.tmp
4676 Setup.tmp
1724 pythonw.exe
3896 pythonw.exe
3896 pythonw.exe
1532 netsh.exe
1532 netsh.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pythonw.exenetsh.exe

pid process

3896 pythonw.exe
1532 netsh.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.tmp

pid process

4676 Setup.tmp

pid	process
4676	Setup.tmp
4676	Setup.tmp
1724	pythonw.exe
3896	pythonw.exe
3896	pythonw.exe
1532	netsh.exe
1532	netsh.exe

pid	process
3896	pythonw.exe
1532	netsh.exe

pid	process
4676	Setup.tmp

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Setup.exeSetup.tmpSetup.exeSetup.tmppythonw.exepythonw.exenetsh.exe

description	pid	process	target process
PID 2912 wrote to memory of 1764	2912	Setup.exe	Setup.tmp
PID 2912 wrote to memory of 1764	2912	Setup.exe	Setup.tmp
PID 2912 wrote to memory of 1764	2912	Setup.exe	Setup.tmp
PID 1764 wrote to memory of 4528	1764	Setup.tmp	Setup.exe
PID 1764 wrote to memory of 4528	1764	Setup.tmp	Setup.exe
PID 1764 wrote to memory of 4528	1764	Setup.tmp	Setup.exe
PID 4528 wrote to memory of 4676	4528	Setup.exe	Setup.tmp
PID 4528 wrote to memory of 4676	4528	Setup.exe	Setup.tmp
PID 4528 wrote to memory of 4676	4528	Setup.exe	Setup.tmp
PID 4676 wrote to memory of 4420	4676	Setup.tmp	UnRAR.exe
PID 4676 wrote to memory of 4420	4676	Setup.tmp	UnRAR.exe
PID 4676 wrote to memory of 1724	4676	Setup.tmp	pythonw.exe
PID 4676 wrote to memory of 1724	4676	Setup.tmp	pythonw.exe
PID 1724 wrote to memory of 3896	1724	pythonw.exe	pythonw.exe
PID 1724 wrote to memory of 3896	1724	pythonw.exe	pythonw.exe
PID 3896 wrote to memory of 1532	3896	pythonw.exe	netsh.exe
PID 3896 wrote to memory of 1532	3896	pythonw.exe	netsh.exe
PID 3896 wrote to memory of 1532	3896	pythonw.exe	netsh.exe
PID 3896 wrote to memory of 1532	3896	pythonw.exe	netsh.exe
PID 1532 wrote to memory of 4180	1532	netsh.exe	psexec.c
PID 1532 wrote to memory of 4180	1532	netsh.exe	psexec.c
PID 1532 wrote to memory of 4180	1532	netsh.exe	psexec.c
PID 1532 wrote to memory of 4180	1532	netsh.exe	psexec.c

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp" /SL5="$10004E,25213810,791040,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\is-IJP4K.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IJP4K.tmp\Setup.tmp" /SL5="$70058,25213810,791040,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\UnRAR.exe
"C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\\UnRAR.exe" x -pwjfQa$fkeH$U -o+ "C:\Users\Admin\AppData\Local\\ArchiveTool\\config\\\ytvtfccvtrdrtxrex676ddd5r45s5sdd6.rar" "C:\Users\Admin\AppData\Local\\ArchiveTool\\config\\"
5⤵
- Executes dropped EXE
PID:4420

C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe
"C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Roaming\UpdateConfig_v1\pythonw.exe
C:\Users\Admin\AppData\Roaming\UpdateConfig_v1\pythonw.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
7⤵
- Event Triggered Execution: Netsh Helper DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\psexec.c
C:\Users\Admin\AppData\Local\Temp\psexec.c
8⤵
- Loads dropped DLL
PID:4180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ArchiveTool\config\VCRUNTIME140.dll
Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\binocular.apk
Filesize
80KB

MD5
03c02077961b71f6a643972b3d988ae5

SHA1
b442b35f1e72354f770b841e9ba049b973c0e8b1

SHA256
1e4d9fa17024468c630a100f9c07e9243cb09efc2be73c825203ff3157e6d0bf

SHA512
b53fab2226b0956f6899fc2589ee23a696f43fb9ec06c78c055316aa4e198cbce474d62f8fdc3336896f63f547b5553a7e4263a72c811c82b7d1e1cf05dc4c4c

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\grate.mkv
Filesize
1.2MB

MD5
f999e902dbc45970b581b0f5b323f8d0

SHA1
946ddb7c9279a88439372753b32aa00d7fda2a68

SHA256
426bf3fd1c6aca3e9571d95e1694914929c36ed1b83d63e461ab0aafc7381ce9

SHA512
8d1d43ef3e251da5935f94ff0e681592a0e113d955fae71666718f37931d6a3922b165672227e3a3ee18f620c05596adf58ed9b8f75a311404289f11e8a2e30d

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\python310.dll
Filesize
4.3MB

MD5
e5ab46e36a16ec0dd181d4af1ba767b1

SHA1
f5b98206859ed512848b2cc00b23e04536df15be

SHA256
fdd4698a782a8eab1a1ab83052f58093bd1295d2beb6ba2d1c9fefef36b73c79

SHA512
63d658a291d5f1fd446e50ebbc4e41e6864fe766c0c6689c3d33a0619010f819c32493d1ae7d4107667537539aa6135e462c33f5abc4bcfd5ba0056647f136b8

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\pythonw.exe
Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Local\ArchiveTool\config\ytvtfccvtrdrtxrex676ddd5r45s5sdd6.rar
Filesize
3.3MB

MD5
7d51b9ba3241369ecdd16183f46f8c95

SHA1
6445d239a4a5c90a3a8865acca5ee446e05b73cc

SHA256
9a7280c5d69d67544b358e66f1e2da2258d05821095b3fd3de6a2ce525d24a39

SHA512
8dff2af9c2d68f6c115bb7bcb441521fe36275df0b4da96e0aeeb154c425b2894040a173a0ac3d6819e810836f6810cafb3da27b0f6bf310cff5ccbcf86ac8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\eef6aad9
Filesize
1.7MB

MD5
da03b4841b1baaaa760be1a8ab445411

SHA1
5d5a98e2ba6325bfb5829e697e5d15e637453685

SHA256
cd74da0157611982dc8207a477af814260e40abd176d21bbae640bd88fa03282

SHA512
d8503e00c36792a84c545a9e8de64b4e0be79d05b3d21bca279347e09dba1e91efc551c675412d0cf2505ef2385237a160482fd78862191e2dc23831b04c643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L0AHF.tmp\Setup.tmp
Filesize
2.5MB

MD5
225ce7b7c4005244f9a868927695b167

SHA1
5c2da01dc94a66fae0a70da81a53b2f7fc3ef0d3

SHA256
0f768482302eac28723bc0d35b942f79a17ad99222c19eccffd3a3c4dfa642a2

SHA512
c9794717e40fc0ebffb093df1dde53ecaf1a00e053543639bfc2cbcb965507811fcd7a2f2675988e4c44a83650bb18b5c59a97ddb483c88a702b9f5285316c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TLVI2.tmp\UnRAR.exe
Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\psexec.c
Filesize
699KB

MD5
24a648a48741b1ac809e47b9543c6f12

SHA1
3e2272b916da4be3c120d17490423230ab62c174

SHA256
078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

SHA512
b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Download Submit
memory/1532-71-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

Filesize
1.9MB

Download
memory/1724-53-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/1764-13-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/1764-6-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download
memory/2912-15-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2912-0-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2912-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3896-67-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/3896-68-0x00007FFBE5300000-0x00007FFBE546A000-memory.dmp

Filesize
1.4MB

Download
memory/4180-76-0x00007FFBF1F00000-0x00007FFBF20DB000-memory.dmp

Filesize
1.9MB

Download
memory/4180-77-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/4180-78-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/4528-52-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4528-9-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/4676-50-0x0000000000400000-0x0000000000685000-memory.dmp

Filesize
2.5MB

Download