lumma | cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f

Analysis

max time kernel
178s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2023 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
Size

258KB
MD5

ce4d81b9eae32702f7d36fef3a11d4e4
SHA1

e2b39a9b44b860b53b2843a2d7608365cfcf38fb
SHA256

cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f
SHA512

fbfded2ca180c42a282b747a24b0e323be83cbb790b740cf24b3801e1164056041f19c1363dba532c68030b428b15bdf8b05ce89ebba3d69c913b224bf982e18
SSDEEP

6144:GCu1sFLzC0eQJwQABVSmONIk/qtCOWaGC/U4zqQna:GCu1qHC/Q9kSmxVbj/FP

Score

10^/10

lumma rhadamanthys smokeloader backdoor spyware stealer trojan

Malware Config

Extracted

Family

lumma

77.73.134.68

Signatures

Detect rhadamanthys stealer shellcode 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5104-161-0x00000000027F0000-0x000000000280D000-memory.dmp	family_rhadamanthys
behavioral1/memory/5104-169-0x00000000027F0000-0x000000000280D000-memory.dmp	family_rhadamanthys

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5000-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

60 3808 rundll32.exe
66 3808 rundll32.exe
67 3808 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

5937.exe9074.exeB7C4.exe

pid process

208 5937.exe
3428 9074.exe
5104 B7C4.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3808 rundll32.exe
4448 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3260 208 WerFault.exe 5937.exe
1376 3428 WerFault.exe 9074.exe

flow	pid	process
60	3808	rundll32.exe
66	3808	rundll32.exe
67	3808	rundll32.exe

pid	process
208	5937.exe
3428	9074.exe
5104	B7C4.exe

pid	process
3808	rundll32.exe
4448	rundll32.exe

pid	pid_target	process	target process
3260	208	WerFault.exe	5937.exe
1376	3428	WerFault.exe	9074.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe

pid	process
5000	cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
5000	cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376
2376

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2376
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe

pid process

5000 cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe

pid	process
2376

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2376
Token: SeCreatePagefilePrivilege	2376
Token: SeShutdownPrivilege	2376
Token: SeCreatePagefilePrivilege	2376
Token: SeShutdownPrivilege	2376
Token: SeCreatePagefilePrivilege	2376

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5937.exeB7C4.exe

description	pid	process	target process
PID 2376 wrote to memory of 208	2376		5937.exe
PID 2376 wrote to memory of 208	2376		5937.exe
PID 2376 wrote to memory of 208	2376		5937.exe
PID 2376 wrote to memory of 3428	2376		9074.exe
PID 2376 wrote to memory of 3428	2376		9074.exe
PID 2376 wrote to memory of 3428	2376		9074.exe
PID 208 wrote to memory of 3808	208	5937.exe	rundll32.exe
PID 208 wrote to memory of 3808	208	5937.exe	rundll32.exe
PID 208 wrote to memory of 3808	208	5937.exe	rundll32.exe
PID 2376 wrote to memory of 5104	2376		B7C4.exe
PID 2376 wrote to memory of 5104	2376		B7C4.exe
PID 2376 wrote to memory of 5104	2376		B7C4.exe
PID 5104 wrote to memory of 4448	5104	B7C4.exe	rundll32.exe
PID 5104 wrote to memory of 4448	5104	B7C4.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe
"C:\Users\Admin\AppData\Local\Temp\cdd8083cd19e16e2684188850142399fe9e0b546f986aa56a520a2d0a481446f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5000

C:\Users\Admin\AppData\Local\Temp\5937.exe
C:\Users\Admin\AppData\Local\Temp\5937.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp",Qowsuiaedfeupa
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 540
2⤵
- Program crash
PID:3260

C:\Users\Admin\AppData\Local\Temp\9074.exe
C:\Users\Admin\AppData\Local\Temp\9074.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1316
2⤵
- Program crash
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 208 -ip 208
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\B7C4.exe
C:\Users\Admin\AppData\Local\Temp\B7C4.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\rundll32.exe
"C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll",PrintUIEntry |5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|AtBQPz8Gb|ADUAYwBrAEKuIwBmAHFDAE89AFjvAE4AaC0CWUiD|+wo6AQCAABI|4PEKMPMzMxM|4lEJBhIiVQkvxBIiUwkCF0BSP+LRCQwSIkEJPaBAThIbwAISMdE2yQQLQHrDoEBEEjXg8ABjwEQgQFASO05lgBzJZ8Diwwk|0gDyEiLwUiL9UyrAVR7AAPRSIt|yooJiAjrwWYFv2VIiwQlYPPwM||JSItQGEg70f90NkiDwiBIi|8CSDvCdCpmg|94SBh1GkyLQP9QZkGDOGt0B+4REUt1CBEQeBAu|3QFSIsA69VI64tI|QDBagBAU1X|VldBVEFVQVb7QVddAWaBOU1a|02L+EyL8kiL79kPhfzz8ExjSf88QYE8CVBFAO8AD4Xq8|BBi4T7CYjz8IXASI087wEPhNZqEYO8Cd2MLQEPhMfz8ESL|2cgRItfHIt3|yREi08YTAPh|0wD2UgD8TPJv0WFyQ+EpPPwTf+LxEGLEEUz0v9IA9OKAoTAdP8dQcHKDQ++wN76AAFEA9C|EXXs|0GB+qr8DXx0|w6DwQFJg8AE|0E7yXNp68aL|8EPtwxORYss|4tMA+t0WDPtvqoQdFFBixTBANP|M8mKAkyLwuu3D8HJyBEDyOUQAfdBigDVEO0zwDOf9kE7DLbgEKYAg||GAYP4CHLu6|8KSIvLQf|VSd+JBPeDxeQQxATfO28Ycq9mAUFf|0FeQV1BXF9e+11bMxdIgexgAf5kAIvp6Gb+||+|SIXAD4SYdSBM9Y2vAYsrEMgz|+j9m30gjV8ETI1F|0Yz0ovL|1Qk|WiAIEyL4A+Ea3p1IEWoEDPAi9ORIF9IiXwkIKYgcIAgP0iL8A+ES3UgpiD|UEiNVghEjUffQEiNjCSFEUiL79jofP1+II1WSGreIBDiIczz8Ohn7yA|RIsGjVcIQSCmIL1YyiGJhCSAhxLe9vPwiw7aIFiJjCTYcREHMJEg6DHvIIuc|i0yTItdOkiD+|tsSIogMEyJZCTvOEyLpBoyTIlcboQBhCTchxGGko0Ru41HSzCMJPDz8Enfi9To6fwFMIqc7ngySI2EeDJBgPN|IY1PbEQwGKQCf4PpAXXzgbx4Mv8hUmV4dU2LhLsk9CIxlCT4NQHC|0g72HI4g|psv3YzRI1JQPoAlKdBuACYAKYgQMoi+Od0GUS2MMAxSY1U+yRskSBJg+hs6N1rgjBIi86mIHhI|4X|dBKLVUJM|I4wGzFIjUwkQP8P10iBxHQhYSQtCC0B
2⤵
- Loads dropped DLL
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3428 -ip 3428
1⤵
PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5937.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5937.exe
Filesize
1.1MB

MD5
dcbea7655543025cd758fdefafd76cde

SHA1
b4075079fc7b3db2373b2d8d0ee07415a146132e

SHA256
e1e3a78fe3a7f1551fd630cf185d4a4403c09f3a460ac05882ce725b74d34aa5

SHA512
908d63121ec4720d51a3499fe1e54b69180f7496547dffa011063e3e7ae2e57aa6c103a5277d0ffcda8d46b7b82fa2e77a09295c5c7509a81dd09021e47443b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9074.exe
Filesize
276KB

MD5
c16ba0f2004c45a448d524867b6dfac5

SHA1
4511810aaa7ce1542ee94adf00e4f510025a189d

SHA256
6b8838ea9bff0a51596fe3c2b77b3b0a5402c23cc87692d3648d8f4a28ce705d

SHA512
460237872e9bcf0e70f3d719b7321171f6969bbb3dac1d1d744b8be590a59f9fcba3cb1331e7c19448f4c4f45a340dd704209154e87f20fcdc80d0b8489a50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9074.exe
Filesize
276KB

MD5
c16ba0f2004c45a448d524867b6dfac5

SHA1
4511810aaa7ce1542ee94adf00e4f510025a189d

SHA256
6b8838ea9bff0a51596fe3c2b77b3b0a5402c23cc87692d3648d8f4a28ce705d

SHA512
460237872e9bcf0e70f3d719b7321171f6969bbb3dac1d1d744b8be590a59f9fcba3cb1331e7c19448f4c4f45a340dd704209154e87f20fcdc80d0b8489a50cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7C4.exe
Filesize
1.0MB

MD5
1e0408fa0cac90633797987ab125c82d

SHA1
37e699aadec3bc595052dcbaf2d7233fbdbb5f80

SHA256
80160cd60a1629379972ccfcb193396bd0fbcc8a1b2bebb4a9c9aeea9f56a507

SHA512
b5821ee297b40a9f23a89e8b8860bd5681e3f901de4d025f05891b3e91cc21606b1e4139c4c0372458c48abe83c6728e0843d25e89360392ffd8ec7a4456b801

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7C4.exe
Filesize
1.0MB

MD5
1e0408fa0cac90633797987ab125c82d

SHA1
37e699aadec3bc595052dcbaf2d7233fbdbb5f80

SHA256
80160cd60a1629379972ccfcb193396bd0fbcc8a1b2bebb4a9c9aeea9f56a507

SHA512
b5821ee297b40a9f23a89e8b8860bd5681e3f901de4d025f05891b3e91cc21606b1e4139c4c0372458c48abe83c6728e0843d25e89360392ffd8ec7a4456b801

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sdaaysrpyefiy.tmp
Filesize
774KB

MD5
e06fb66bfbe1444cc091f0297b8d32db

SHA1
c3e13e3edcbbf30cdc51ce96cc7a802fc88e83af

SHA256
b282eb3f05d375d3487d20596d783fa52aa27013e8b2b407db32d9a3a751319d

SHA512
c639b62f417d46148c3a84ae5ff2cc7018c653424cc1d643a983c41d4a12f6015df0f4359c5e078c2c3e5b1d42de18acfb6aab432266a8c4e37aa5449e961d95

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll
Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
C:\Users\Admin\AppData\Roaming\nsis_unse590ad4.dll
Filesize
49KB

MD5
832890fded186835970d1d3302590138

SHA1
5385703e9dcde43e60928b2e9c941b7232468a6a

SHA256
438c088568093ad767802ba5e132efbd4e643ddf62e4996565c3b46719e3e576

SHA512
5cf752eac75b532b32501c9d469cbcb6638b49cf20df040554b37986cbe3c068a10e2ff69747b594b5b114111cbbe1cdfbbd0f394a7ac71b863e042414a68ae1

Download Submit
memory/208-142-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/208-137-0x0000000000000000-mapping.dmp

Download
memory/208-170-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/208-141-0x00000000022F0000-0x000000000241E000-memory.dmp

Filesize
1.2MB

Download
memory/208-146-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/208-140-0x0000000002201000-0x00000000022EA000-memory.dmp

Filesize
932KB

Download
memory/3428-148-0x000000000060D000-0x0000000000627000-memory.dmp

Filesize
104KB

Download
memory/3428-149-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/3428-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3428-171-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3428-156-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3428-143-0x0000000000000000-mapping.dmp

Download
memory/3808-147-0x0000000000000000-mapping.dmp

Download
memory/4448-162-0x0000000000000000-mapping.dmp

Download
memory/4448-167-0x00007FF468E30000-0x00007FF468F2A000-memory.dmp

Filesize
1000KB

Download
memory/4448-165-0x000001A04FCA0000-0x000001A04FCA7000-memory.dmp

Filesize
28KB

Download
memory/5000-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/5000-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5000-132-0x000000000063E000-0x0000000000654000-memory.dmp

Filesize
88KB

Download
memory/5000-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5000-135-0x000000000063E000-0x0000000000654000-memory.dmp

Filesize
88KB

Download
memory/5104-158-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/5104-157-0x00000000023E0000-0x0000000002405000-memory.dmp

Filesize
148KB

Download
memory/5104-159-0x000000000057E000-0x0000000000590000-memory.dmp

Filesize
72KB

Download
memory/5104-166-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/5104-153-0x0000000000000000-mapping.dmp

Download
memory/5104-168-0x000000000057E000-0x0000000000590000-memory.dmp

Filesize
72KB

Download
memory/5104-169-0x00000000027F0000-0x000000000280D000-memory.dmp

Filesize
116KB

Download
memory/5104-161-0x00000000027F0000-0x000000000280D000-memory.dmp

Filesize
116KB

Download
memory/5104-160-0x000000000057E000-0x0000000000590000-memory.dmp

Filesize
72KB

Download