lumma | 987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-01-2023 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
Size

211KB
MD5

02f3b25318b1cc3c6a24ad7a1738eede
SHA1

43182925664314e2fea57cc3daf719568385e6e0
SHA256

987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb
SHA512

356f503151db78a98a2d309b1636693d71e814b3bd4c9ba3b4e6d8955ab6afede0e39c2517e9da03cd2047bdab046a4fdb5b49548f36a160030953e97f20e94c
SSDEEP

3072:CXjrZwbg56Ks5RIZEyS5VDnrqKxyeqLzy5mi:C6yZHSDnuKcn

Score

10^/10

lumma smokeloader backdoor spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-143-0x0000000002D00000-0x0000000002D09000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

4ECC.exe

pid process

2124 4ECC.exe
Deletes itself 1 IoCs

Processes:

pid process

3028
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2124	4ECC.exe

pid	process
3028

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe

pid	process
2888	987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
2888	987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe

pid process

2888 987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe

pid	process
3028

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 2124	3028	4ECC.exe
PID 3028 wrote to memory of 2124	3028	4ECC.exe
PID 3028 wrote to memory of 2124	3028	4ECC.exe

C:\Users\Admin\AppData\Local\Temp\987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe
"C:\Users\Admin\AppData\Local\Temp\987fed2dae35dedc1c52230b9938c2a351164d84e8874c8314957812ad641bdb.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2888

C:\Users\Admin\AppData\Local\Temp\4ECC.exe
C:\Users\Admin\AppData\Local\Temp\4ECC.exe
1⤵
- Executes dropped EXE
PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ECC.exe

Filesize
248KB

MD5
b7a88887e20e7658af423615d1399590

SHA1
c88ed903fb0cddcf2eba4f0437c476ab34fadf59

SHA256
6ebac5146cf168228e348df9f3f1006dc0f9ee26021ac18c8a6b572da174b182

SHA512
1f96bb4a1739e921a75a7573d5649e5981ffd4ad51eb3712fa88fa8418109d3a69a3937135d00179790db0165a88f408c7fa2671c394da499c75e1b781b1b1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ECC.exe

Filesize
248KB

MD5
b7a88887e20e7658af423615d1399590

SHA1
c88ed903fb0cddcf2eba4f0437c476ab34fadf59

SHA256
6ebac5146cf168228e348df9f3f1006dc0f9ee26021ac18c8a6b572da174b182

SHA512
1f96bb4a1739e921a75a7573d5649e5981ffd4ad51eb3712fa88fa8418109d3a69a3937135d00179790db0165a88f408c7fa2671c394da499c75e1b781b1b1c7

Download Submit
memory/2124-176-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-177-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-212-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/2124-211-0x0000000002E46000-0x0000000002E60000-memory.dmp

Filesize
104KB

Download
memory/2124-192-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-157-0x0000000000000000-mapping.dmp

Download
memory/2124-191-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-190-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-189-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-188-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-187-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/2124-186-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-182-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-185-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-184-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-183-0x0000000002CB0000-0x0000000002DFA000-memory.dmp

Filesize
1.3MB

Download
memory/2124-180-0x0000000002E46000-0x0000000002E60000-memory.dmp

Filesize
104KB

Download
memory/2124-181-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-179-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-178-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-175-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-174-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-173-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-172-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-171-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-159-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-170-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-168-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-167-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-165-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-164-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-163-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-162-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-161-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-160-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-169-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2124-193-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-128-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-141-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-155-0x0000000002F66000-0x0000000002F77000-memory.dmp

Filesize
68KB

Download
memory/2888-154-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-153-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-152-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-151-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-150-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-136-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-120-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-147-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-148-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2888-122-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-145-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-142-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-144-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-143-0x0000000002D00000-0x0000000002D09000-memory.dmp

Filesize
36KB

Download
memory/2888-124-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-149-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-156-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2888-135-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-140-0x0000000002F66000-0x0000000002F77000-memory.dmp

Filesize
68KB

Download
memory/2888-138-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-137-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-121-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-139-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-134-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-133-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-132-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-131-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-130-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-129-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-119-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-127-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-126-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-125-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-146-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2888-123-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download