lumma | 13d7cc6a5df210830f6470d4412ea16159f25d4285cd9e76b92bc04d722d2d64

Analysis

max time kernel
139s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b531de6f2cf065a71df26dd1a83b395.exe
Size

905KB
MD5

6b531de6f2cf065a71df26dd1a83b395
SHA1

d4084c7df91751e4693b8daee1115573b2a1ea81
SHA256

13d7cc6a5df210830f6470d4412ea16159f25d4285cd9e76b92bc04d722d2d64
SHA512

c95f0c46a2d7fac057d0559c57ec1367274b299f0feb15e2d125b861ee49a0b66c36de8b56cde4cb4f5e10df543d03694d99f58a823bdef96ab10b21f998d3f9
SSDEEP

12288:sB0uRsxZAxhMarNu1n5gs0xJ26qF1ca36c9U:s6UsxihMr15gsQf2Xqc

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 2 IoCs

resource	yara_rule
behavioral1/memory/2204-129-0x0000000000400000-0x00000000005E5000-memory.dmp	family_lumma_v4
behavioral1/memory/2204-2-0x0000000000400000-0x00000000005E5000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	upds.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	6b531de6f2cf065a71df26dd1a83b395.exe
2204	6b531de6f2cf065a71df26dd1a83b395.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\upds.exe	6b531de6f2cf065a71df26dd1a83b395.exe
File opened for modification	C:\Windows\SysWOW64\upds.exe	6b531de6f2cf065a71df26dd1a83b395.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2988	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2884	2204	6b531de6f2cf065a71df26dd1a83b395.exe	27
PID 2204 wrote to memory of 2884	2204	6b531de6f2cf065a71df26dd1a83b395.exe	27
PID 2204 wrote to memory of 2884	2204	6b531de6f2cf065a71df26dd1a83b395.exe	27
PID 2204 wrote to memory of 2884	2204	6b531de6f2cf065a71df26dd1a83b395.exe	27
PID 2884 wrote to memory of 2988	2884	cmd.exe	28
PID 2884 wrote to memory of 2988	2884	cmd.exe	28
PID 2884 wrote to memory of 2988	2884	cmd.exe	28
PID 2884 wrote to memory of 2988	2884	cmd.exe	28
PID 2204 wrote to memory of 2024	2204	6b531de6f2cf065a71df26dd1a83b395.exe	29
PID 2204 wrote to memory of 2024	2204	6b531de6f2cf065a71df26dd1a83b395.exe	29
PID 2204 wrote to memory of 2024	2204	6b531de6f2cf065a71df26dd1a83b395.exe	29
PID 2204 wrote to memory of 2024	2204	6b531de6f2cf065a71df26dd1a83b395.exe	29

C:\Users\Admin\AppData\Local\Temp\6b531de6f2cf065a71df26dd1a83b395.exe
"C:\Users\Admin\AppData\Local\Temp\6b531de6f2cf065a71df26dd1a83b395.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:2988
- C:\Windows\SysWOW64\upds.exe
  C:\Windows\system32\upds.exe 696 "C:\Users\Admin\AppData\Local\Temp\6b531de6f2cf065a71df26dd1a83b395.exe"
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Windows\SysWOW64\upds.exe

Filesize
116KB

MD5
72cbc6b89c18dfba3a2bbb8c27f4ce53

SHA1
ca8ef0fc1729618d1dfb99f7e342eeb412d152f8

SHA256
ce695c832e76b5bdf2f0c2a7ae3ba531d8b0b410c6d75f037e59ac1ffcf4ccb8

SHA512
71f1cb73f128bee06bbaad74c6d03cf2d5be2247c420ac28d2b1d7f8454c1700a158aac83f2206ad345a89af626cf05b39bd008097c7888fb0ca0d7631705b6d

Download Submit
C:\Windows\SysWOW64\upds.exe

Filesize
8KB

MD5
d21e44b34a7059028a0a3eeddf04757a

SHA1
691375b1355f2c97e964ea8475aa2df49722f41c

SHA256
482838248a6a8604e4f38f25620e8eed64e8c508d4015079384f95a60be8c612

SHA512
68289110c243c7f40070125402c3548143e0fef00df0e6062833985cf32e5218768d80f3e4b9e3fa9ff0abcdc42c25e8f29e861b259620ce8de66638c22e2c57

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\upds.exe

Filesize
106KB

MD5
79bc421aff9b9af82fd4f02c818c4235

SHA1
4b3f45e405e1187595fbc531b669edab1b7e7f95

SHA256
10f1b33ab8b96af44d904ac76fec65ebd2dd6989ffffab03fa9e077f4f7ae31b

SHA512
99d17afceaff338214b4f23bee246abc6e356fee6e03718ca231489fc604c74c7952f6fbc6bf94e18221a756ff47e1cf5e160f399f470b24166bf7d5c354a93d

Download Submit
\Windows\SysWOW64\upds.exe

Filesize
6KB

MD5
ccab9f818dc4ce84c51ade54727560ca

SHA1
307604bc70b6e3bb8fc663c80e03d5635efddf19

SHA256
4a0349e84e3f8a1097aa98fd55d36bea6ce5cfea010deab09d0c30064685f6ba

SHA512
34ffaeb3d9d70873cb346ae60d3bc3431da87d8fa95dd74e543a81b985de9576a1295b869b45b62fc4253e80fdb4e77cd6b706efa197c095955d17a20ffc2f45

Download Submit
memory/2024-126-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2204-129-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2204-0-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2204-128-0x0000000004820000-0x0000000004A05000-memory.dmp

Filesize
1.9MB

Download
memory/2204-2-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads