lumma | 9fab6244c65eab9863d45c1908f8dc64116c5a18e7680b00e9b6646ec91b440f

Analysis

max time kernel
213s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe
Size

10.7MB
MD5

52b105f53cba19ed897bc7d08f2373c3
SHA1

983a8f9b34441ed6e062842bab4b7137b29cc721
SHA256

9fab6244c65eab9863d45c1908f8dc64116c5a18e7680b00e9b6646ec91b440f
SHA512

786fa01b73163b6dad1cb3a14216c674fa47c40ec3dc2e464ca2a65f2e8b7423649032a508aba6b0b289080a6151e6846d02a04903a2a4586f22155f4104a789
SSDEEP

98304:M/zCs0T3+6x1DkITYkn9dD11lXfceCEoZYVb0PJaxrIjioPT0:Syu6x1DkOYkn93Xp7lrJ

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://citizencenturygoodwk.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 3 IoCs

Processes:

⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe

description	pid	process	target process
PID 4472 set thread context of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 1776 set thread context of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 set thread context of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TypedURLs Taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TypedURLs	Taskmgr.exe

Modifies registry class 5 IoCs

Processes:

Taskmgr.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Taskmgr.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

792 NOTEPAD.EXE

pid	process
792	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Taskmgr.exe

pid	process
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Taskmgr.exe

pid process

4768 Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4768	Taskmgr.exe
Token: SeSystemProfilePrivilege	4768	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4768	Taskmgr.exe
Token: 33	4768	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	4768	Taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Taskmgr.exe

pid	process
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exe

pid	process
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe
4768	Taskmgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exelaunchtm.exe⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe

description	pid	process	target process
PID 4472 wrote to memory of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 4472 wrote to memory of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 4472 wrote to memory of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 4472 wrote to memory of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 4472 wrote to memory of 2852	4472	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 2524 wrote to memory of 4768	2524	launchtm.exe	Taskmgr.exe
PID 2524 wrote to memory of 4768	2524	launchtm.exe	Taskmgr.exe
PID 1776 wrote to memory of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 1776 wrote to memory of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 1776 wrote to memory of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 1776 wrote to memory of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 1776 wrote to memory of 2488	1776	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 wrote to memory of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 wrote to memory of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 wrote to memory of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 wrote to memory of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe
PID 400 wrote to memory of 116	400	⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe	BitLockerToGo.exe

C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe
"C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:2852

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe" /2
2⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe
"C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe
"C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe
"C:\Users\Admin\AppData\Local\Temp\⚠️𝙎𝙏𝙐𝙋𝙄𝘿 𝙈𝘼𝙇𝙒𝘼𝙍𝙀⚠️.exe"
1⤵
PID:4384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1715164888.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-40-0x00000000001A0000-0x00000000001F6000-memory.dmp

Filesize
344KB

Download
memory/116-38-0x00000000001A0000-0x00000000001F6000-memory.dmp

Filesize
344KB

Download
memory/400-35-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/400-39-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/1776-26-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/1776-30-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/2488-29-0x0000000000D60000-0x0000000000DB6000-memory.dmp

Filesize
344KB

Download
memory/2488-31-0x0000000000D60000-0x0000000000DB6000-memory.dmp

Filesize
344KB

Download
memory/2852-9-0x00000000010C0000-0x0000000001116000-memory.dmp

Filesize
344KB

Download
memory/2852-8-0x00000000010C0000-0x0000000001116000-memory.dmp

Filesize
344KB

Download
memory/2852-5-0x00000000010C0000-0x0000000001116000-memory.dmp

Filesize
344KB

Download
memory/4384-43-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/4472-2-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/4472-6-0x00007FF75A7A0000-0x00007FF75B2BC000-memory.dmp

Filesize
11.1MB

Download
memory/4768-11-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-16-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-17-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-18-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-19-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-20-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-21-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-22-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-12-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download
memory/4768-10-0x000001AAF58D0000-0x000001AAF58D1000-memory.dmp

Filesize
4KB

Download