lumma | cff21c5f5bc8c5280a1aa39b2e1adff16a6af73f5a401cf92aaf35b676b8b3dd

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 14:32

Target

75d810349b4edb62ed10b4ecd0b58522.exe
Size

50KB
MD5

75d810349b4edb62ed10b4ecd0b58522
SHA1

9134c23e3ba665b4aa60d29cff6b144145260041
SHA256

cff21c5f5bc8c5280a1aa39b2e1adff16a6af73f5a401cf92aaf35b676b8b3dd
SHA512

f44ae562548f050d42fb05165b65759209b426987f0eb447958144f9599ae9957dd34cc78f251742396f84c01656ebd05fbbef21c1ca6a26b7a06c44859ee7f3
SSDEEP

768:7kOPZTbQmaRPmeFaxLWl6uxvPrBtNzRL0+1v2skXpvWy5IDWaRGDMYFBJV4Nhj5a:7/hHoFKKlFR9tnL0umXhWwxJDBJ+l5i

Score

10^/10

lumma stealer upx

Detect Lumma Stealer payload V4 2 IoCs

resource	yara_rule
behavioral1/memory/824-12-0x0000000000400000-0x000000000043B000-memory.dmp	family_lumma_v4
behavioral1/memory/1752-10-0x0000000000400000-0x000000000043B000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
824	winfix.exe

Loads dropped DLL 2 IoCs

pid	Process
1752	75d810349b4edb62ed10b4ecd0b58522.exe
1752	75d810349b4edb62ed10b4ecd0b58522.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-2.dat	upx
behavioral1/memory/1752-3-0x0000000001ED0000-0x0000000001F0B000-memory.dmp	upx
behavioral1/memory/824-12-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1752-10-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winfix.exe	75d810349b4edb62ed10b4ecd0b58522.exe
File opened for modification	C:\Windows\SysWOW64\winfix.exe	75d810349b4edb62ed10b4ecd0b58522.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 824	1752	75d810349b4edb62ed10b4ecd0b58522.exe	28
PID 1752 wrote to memory of 824	1752	75d810349b4edb62ed10b4ecd0b58522.exe	28
PID 1752 wrote to memory of 824	1752	75d810349b4edb62ed10b4ecd0b58522.exe	28
PID 1752 wrote to memory of 824	1752	75d810349b4edb62ed10b4ecd0b58522.exe	28

C:\Users\Admin\AppData\Local\Temp\75d810349b4edb62ed10b4ecd0b58522.exe
"C:\Users\Admin\AppData\Local\Temp\75d810349b4edb62ed10b4ecd0b58522.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\winfix.exe
  C:\Windows\system32\winfix.exe
  2⤵
  - Executes dropped EXE
  PID:824

\Windows\SysWOW64\winfix.exe

Filesize
50KB

MD5
75d810349b4edb62ed10b4ecd0b58522

SHA1
9134c23e3ba665b4aa60d29cff6b144145260041

SHA256
cff21c5f5bc8c5280a1aa39b2e1adff16a6af73f5a401cf92aaf35b676b8b3dd

SHA512
f44ae562548f050d42fb05165b65759209b426987f0eb447958144f9599ae9957dd34cc78f251742396f84c01656ebd05fbbef21c1ca6a26b7a06c44859ee7f3

Download Submit
memory/824-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-3-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1752-11-0x0000000001ED0000-0x0000000001F0B000-memory.dmp

Filesize
236KB

Download
memory/1752-10-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download