lumma | cab5c8a281ec3e6eb8a095054de0110d9271b9f7dff1fd416ff50f79ff62d399

Analysis

max time kernel
146s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 18:03

Target

0a5f5d6d13e30b61ffab77cb54fc370f.exe
Size

78KB
MD5

0a5f5d6d13e30b61ffab77cb54fc370f
SHA1

5274e1cadb3fa76edafff8a68f4c7946af671823
SHA256

cab5c8a281ec3e6eb8a095054de0110d9271b9f7dff1fd416ff50f79ff62d399
SHA512

9f28df9398c50e67af1c0a38dff19cdcc6bd41d517afd5d5f2428949afe2932a403aea422ac181780f441ebf40101435fcb050fd3ef8ab977be943a8f74ca811
SSDEEP

1536:atMhIlpDgSin/KQOS2123r0f83531/ImSaQ5TuPyxEpgTH9vbTMGxq:atnlpDgSinidJED3J1/I3aQchgTHJbTu

Score

10^/10

lumma stealer

Detect Lumma Stealer payload V4 3 IoCs

resource	yara_rule
behavioral2/memory/3376-7-0x0000000000400000-0x000000000048D91E-memory.dmp	family_lumma_v4
behavioral2/memory/3292-8-0x0000000000400000-0x000000000048D91E-memory.dmp	family_lumma_v4
behavioral2/memory/3376-9-0x0000000000400000-0x000000000048D91E-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
3376	winupdate.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winupdate.exe	0a5f5d6d13e30b61ffab77cb54fc370f.exe
File opened for modification	C:\Windows\winupdate.exe	0a5f5d6d13e30b61ffab77cb54fc370f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3376	3292	0a5f5d6d13e30b61ffab77cb54fc370f.exe	23
PID 3292 wrote to memory of 3376	3292	0a5f5d6d13e30b61ffab77cb54fc370f.exe	23
PID 3292 wrote to memory of 3376	3292	0a5f5d6d13e30b61ffab77cb54fc370f.exe	23

C:\Users\Admin\AppData\Local\Temp\0a5f5d6d13e30b61ffab77cb54fc370f.exe
"C:\Users\Admin\AppData\Local\Temp\0a5f5d6d13e30b61ffab77cb54fc370f.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\winupdate.exe
  C:\Windows\winupdate.exe 1168 "C:\Users\Admin\AppData\Local\Temp\0a5f5d6d13e30b61ffab77cb54fc370f.exe"
  2⤵
  - Executes dropped EXE
  PID:3376

C:\Windows\winupdate.exe

Filesize
78KB

MD5
0a5f5d6d13e30b61ffab77cb54fc370f

SHA1
5274e1cadb3fa76edafff8a68f4c7946af671823

SHA256
cab5c8a281ec3e6eb8a095054de0110d9271b9f7dff1fd416ff50f79ff62d399

SHA512
9f28df9398c50e67af1c0a38dff19cdcc6bd41d517afd5d5f2428949afe2932a403aea422ac181780f441ebf40101435fcb050fd3ef8ab977be943a8f74ca811

Download Submit
memory/3292-0-0x0000000000400000-0x000000000048D91E-memory.dmp

Filesize
566KB

Download
memory/3292-8-0x0000000000400000-0x000000000048D91E-memory.dmp

Filesize
566KB

Download
memory/3376-7-0x0000000000400000-0x000000000048D91E-memory.dmp

Filesize
566KB

Download
memory/3376-9-0x0000000000400000-0x000000000048D91E-memory.dmp

Filesize
566KB

Download