Overview

overview

10

Static

static

1

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.9MB

  • MD5

    ffc87cf5de85e0a6a3941bc91780d928

  • SHA1

    6029ea950091d269d9626343a8defefd1b6c5c1c

  • SHA256

    adfb9a94a162120159f2b496ff473ee14024f24192cc13cf9f829bbae6c4023c

  • SHA512

    98a8f5b8073267e1435a7df8bbc2249f226cb82cda16a18a4e8525d8b068f93aeeca577cff3faf2bacda4493028ae4232189ba98c22883ec9face8cd29105556

  • SSDEEP

    49152:XKcEqlms7r6WKt3iS/rmEPM/u0iEV9IHuxJxruCD:66lms3a3iS/rmOMVVqHuvYCD

Score
10/10
lummaspywarestealer

Malware Config

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      2⤵
        PID:1952
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
        2⤵
          PID:2940
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
          2⤵
            PID:3084
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
            2⤵
              PID:3764
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
              2⤵
                PID:3896
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
                2⤵
                  PID:3672
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
                  2⤵
                    PID:4052
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                    2⤵
                      PID:4820
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                      2⤵
                        PID:1336
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                        2⤵
                          PID:1224
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                          2⤵
                            PID:4980
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                            2⤵
                              PID:3864

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/412-133-0x0000022E3BB10000-0x0000022E3BCFE000-memory.dmp

                            Filesize

                            1.9MB

                            Download

                          • memory/412-134-0x0000022E573F0000-0x0000022E57400000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3864-135-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3864-137-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3864-138-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3864-139-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3864-140-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download

                          • memory/3864-141-0x0000000000400000-0x000000000055E000-memory.dmp

                            Filesize

                            1.4MB

                            Download