lumma | hxxps://kmsofficial[.]org/ | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

1

https://kmsofficial....

windows10-1703-x64

https://kmsofficial....

windows10-2004-x64

1

https://kmsofficial....

windows11-21h2-x64

1

Sharing

General

Target

https://kmsofficial.org/
Sample

240625-jej5qawhqa

Score

10^/10

lumma evasion execution persistence privilege_escalation stealer

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://kmsofficial.org/

Resource

win10-20240404-en

lumma evasion execution persistence privilege_escalation stealer

windows10-1703-x64

32 signatures

600 seconds

Behavioral task

behavioral2

Sample

https://kmsofficial.org/

Resource

win10v2004-20240508-en

windows10-2004-x64

9 signatures

600 seconds

Behavioral task

behavioral3

Sample

https://kmsofficial.org/

Resource

win11-20240508-en

windows11-21h2-x64

8 signatures

600 seconds

Malware Config

Extracted

Family

lumma

C2

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Targets

- Target
  
  https://kmsofficial.org/
Score

10^/10

lumma evasion execution persistence privilege_escalation stealer
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Creates new service(s)
  persistence execution
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Command and Scripting Interpreter

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Image File Execution Options Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Image File Execution Options Injection

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

urlscan1

behavioral1

lummaevasionexecutionpersistenceprivilege_escalationstealer

behavioral2

behavioral3

© 2018-2024

Terms | Privacy