lumma | e76d951971518c981ddf72654abf7c10c658fe6edd603969613a2845ec341a5c

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:39

Target

35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe
Size

6.6MB
MD5

3beca7c27060ec4d5b08447c9485b6e5
SHA1

bd5f951c3e4439a07fe9ae592521515662a3f897
SHA256

35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d
SHA512

d1a25b374ff1ae0992b76aa413947612f964b3fe3fc783b8c02586cabc240de7c80735d0f802776751eabdfcdd71a1fe50423627f1e3259c28a366a852515558
SSDEEP

98304:WWpMCfGPcv+y18rNBI4FKn9XBD3qt2Rnrtx:WkHAtnQ953qt2

Score

10^/10

lumma stealer

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

pid	process
1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe
1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe
1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

description pid process

Token: SeDebugPrivilege 1228 35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

description	pid	process
Token: SeDebugPrivilege	1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe

description	pid	process	target process
PID 1228 wrote to memory of 268	1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe	MSBuild.exe
PID 1228 wrote to memory of 268	1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe	MSBuild.exe
PID 1228 wrote to memory of 268	1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe	MSBuild.exe
PID 1228 wrote to memory of 268	1228	35da3c297e61921f3937ac550fcbcbb6e8b8332933112b5b5a5c994c5ae1127d.exe	MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:268

memory/1228-54-0x0000000001300000-0x0000000001996000-memory.dmp

Filesize
6.6MB

Download
memory/1228-55-0x000000001C120000-0x000000001C2D0000-memory.dmp

Filesize
1.7MB

Download
memory/1228-56-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download
memory/1228-57-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1228-58-0x000000001AEC0000-0x000000001AF40000-memory.dmp

Filesize
512KB

Download