lumma | b56a40c7d3fb5e27bc1b3c5f7fd92da19e2caf6affd5746af9eb344266dd7974

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:29

Target

059f272bc0995788647bdd9614cacc97.exe
Size

151KB
MD5

059f272bc0995788647bdd9614cacc97
SHA1

43f7dbed65c6bf71cadccd5bce69e8eac0c983ea
SHA256

b56a40c7d3fb5e27bc1b3c5f7fd92da19e2caf6affd5746af9eb344266dd7974
SHA512

4a5d3e3c3b26ecbea8697a07cf2c6263904043c97ab85a6a8e092bbd2d42265c2739ebddf9611c651752d17108d89dc3f1b2d5a507ec5b2df7af8a5eb71e22c5
SSDEEP

3072:qvVi7IdvHF/PG5iKg2ZdUZICiuEhE7XQJeVXrLS1p5pqlv4ZydL0U:qWIFl/u5iwZdUZKuuQgJWJwEV0U

Score

10^/10

lumma stealer

Detect Lumma Stealer payload V4 2 IoCs

resource	yara_rule
behavioral1/memory/1652-12-0x0000000000400000-0x00000000007C7000-memory.dmp	family_lumma_v4
behavioral1/memory/2204-17-0x0000000000400000-0x00000000007C7000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
2204	winscrne.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	059f272bc0995788647bdd9614cacc97.exe
1652	059f272bc0995788647bdd9614cacc97.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winscrne.exe	059f272bc0995788647bdd9614cacc97.exe
File opened for modification	C:\Windows\SysWOW64\winscrne.exe	059f272bc0995788647bdd9614cacc97.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2204	1652	059f272bc0995788647bdd9614cacc97.exe	28
PID 1652 wrote to memory of 2204	1652	059f272bc0995788647bdd9614cacc97.exe	28
PID 1652 wrote to memory of 2204	1652	059f272bc0995788647bdd9614cacc97.exe	28
PID 1652 wrote to memory of 2204	1652	059f272bc0995788647bdd9614cacc97.exe	28

C:\Users\Admin\AppData\Local\Temp\059f272bc0995788647bdd9614cacc97.exe
"C:\Users\Admin\AppData\Local\Temp\059f272bc0995788647bdd9614cacc97.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\winscrne.exe
  C:\Windows\system32\winscrne.exe
  2⤵
  - Executes dropped EXE
  PID:2204

\Windows\SysWOW64\winscrne.exe

Filesize
151KB

MD5
059f272bc0995788647bdd9614cacc97

SHA1
43f7dbed65c6bf71cadccd5bce69e8eac0c983ea

SHA256
b56a40c7d3fb5e27bc1b3c5f7fd92da19e2caf6affd5746af9eb344266dd7974

SHA512
4a5d3e3c3b26ecbea8697a07cf2c6263904043c97ab85a6a8e092bbd2d42265c2739ebddf9611c651752d17108d89dc3f1b2d5a507ec5b2df7af8a5eb71e22c5

Download Submit
memory/1652-0-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/1652-1-0x0000000002290000-0x00000000023A0000-memory.dmp

Filesize
1.1MB

Download
memory/1652-9-0x0000000002E30000-0x00000000031F7000-memory.dmp

Filesize
3.8MB

Download
memory/1652-12-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/1652-14-0x0000000002E30000-0x00000000031F7000-memory.dmp

Filesize
3.8MB

Download
memory/1652-19-0x0000000002E30000-0x00000000031F7000-memory.dmp

Filesize
3.8MB

Download
memory/2204-13-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2204-15-0x0000000002240000-0x0000000002350000-memory.dmp

Filesize
1.1MB

Download
memory/2204-17-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download