Overview

overview

10

Static

static

3

63dfcc398c...65.exe

windows7-x64

10

63dfcc398c...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63dfcc398c3e2bc3fa0ff47386f41465.exe

  • Size

    301KB

  • MD5

    63dfcc398c3e2bc3fa0ff47386f41465

  • SHA1

    23490cf34a4c3970c86cbbaed3dc671324e89856

  • SHA256

    b78c9c6edd3756702be3d87df39dec7776e412bf4eb93a65c881f2e4a403afe6

  • SHA512

    c264078c9c072bd03b72a00a3be24a5658b6285573999cfe81aa7f675699912a5281bf74272a86f3d44ca3f49a8ac33687f90aacd28171ee737ef4e1229cdb3e

  • SSDEEP

    6144:cL5S1NG6IPg7BsXcmGICGJD0lWGqaVTDqGUPcMRsXK3su2:c01FII7BsXbSsG5VTDqGdKsXg

Score
10/10
lummadiscoveryspywarestealer

Malware Config

Extracted

Family

lumma

C2

gstatic-node.io

Signatures

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63dfcc398c3e2bc3fa0ff47386f41465.exe
    "C:\Users\Admin\AppData\Local\Temp\63dfcc398c3e2bc3fa0ff47386f41465.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 3516
      2⤵
      • Program crash
      PID:4348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2488 -ip 2488
    1⤵
      PID:528

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2488-134-0x00000000006A0000-0x00000000007A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2488-135-0x0000000002250000-0x00000000022AB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2488-136-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2488-137-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2488-138-0x00000000006A0000-0x00000000007A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2488-139-0x0000000002250000-0x00000000022AB000-memory.dmp

      Filesize

      364KB

      Download

    • memory/2488-140-0x0000000000400000-0x0000000000505000-memory.dmp

      Filesize

      1.0MB

      Download