lumma | eaf7e1cec4a3562d1489056c7a7acd38f061621aa362c09e080e6b2d4ecfabb5

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05ede67be65ec870220e8125af371889.exe
Size

141KB
MD5

05ede67be65ec870220e8125af371889
SHA1

d40d754452bd3a66cd71f1fce0c538b81a3f5f98
SHA256

eaf7e1cec4a3562d1489056c7a7acd38f061621aa362c09e080e6b2d4ecfabb5
SHA512

0ae5d70d4b7f4184c1af887a4c63733d72282704827035e02aba459c63a2671a6515d96bb3fa9b8023551d8e8b1405e6307fd3b548b6b5fa82864fa794e2adef
SSDEEP

3072:6wtx9NGTPk8yLX9MOPuITUeVKRcOxXq3rxkoF9:rzGTPknX9ZPdTUm1bx19

Score

10^/10

lumma stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 21 IoCs

resource	yara_rule
behavioral1/memory/2976-0-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2372-13-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2976-14-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2680-20-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2372-21-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2792-28-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2680-29-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2936-35-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2792-36-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/1616-42-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/2936-43-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/384-50-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/1616-51-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/808-57-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/384-58-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/688-64-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/808-65-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/452-71-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/688-72-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/972-78-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4
behavioral1/memory/452-79-0x0000000000400000-0x0000000000495000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 18 IoCs

pid	Process
2372	winxpser.exe
2680	winxpser.exe
2580	winxpser.exe
2792	winxpser.exe
1964	winxpser.exe
2936	winxpser.exe
2364	winxpser.exe
1616	winxpser.exe
2508	winxpser.exe
384	winxpser.exe
764	winxpser.exe
808	winxpser.exe
2388	winxpser.exe
688	winxpser.exe
1096	winxpser.exe
452	winxpser.exe
1676	winxpser.exe
972	winxpser.exe

Loads dropped DLL 20 IoCs

pid	Process
2976	05ede67be65ec870220e8125af371889.exe
2976	05ede67be65ec870220e8125af371889.exe
2372	winxpser.exe
2372	winxpser.exe
2680	winxpser.exe
2680	winxpser.exe
2792	winxpser.exe
2792	winxpser.exe
2936	winxpser.exe
2936	winxpser.exe
1616	winxpser.exe
1616	winxpser.exe
384	winxpser.exe
384	winxpser.exe
808	winxpser.exe
808	winxpser.exe
688	winxpser.exe
688	winxpser.exe
452	winxpser.exe
452	winxpser.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	05ede67be65ec870220e8125af371889.exe
File opened for modification	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	winxpser.exe
File created	C:\Windows\SysWOW64\winxpser.exe	05ede67be65ec870220e8125af371889.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2372	2976	05ede67be65ec870220e8125af371889.exe	28
PID 2976 wrote to memory of 2372	2976	05ede67be65ec870220e8125af371889.exe	28
PID 2976 wrote to memory of 2372	2976	05ede67be65ec870220e8125af371889.exe	28
PID 2976 wrote to memory of 2372	2976	05ede67be65ec870220e8125af371889.exe	28
PID 2976 wrote to memory of 2204	2976	05ede67be65ec870220e8125af371889.exe	27
PID 2976 wrote to memory of 2204	2976	05ede67be65ec870220e8125af371889.exe	27
PID 2976 wrote to memory of 2204	2976	05ede67be65ec870220e8125af371889.exe	27
PID 2976 wrote to memory of 2204	2976	05ede67be65ec870220e8125af371889.exe	27
PID 2372 wrote to memory of 2680	2372	winxpser.exe	30
PID 2372 wrote to memory of 2680	2372	winxpser.exe	30
PID 2372 wrote to memory of 2680	2372	winxpser.exe	30
PID 2372 wrote to memory of 2680	2372	winxpser.exe	30
PID 2372 wrote to memory of 2580	2372	winxpser.exe	31
PID 2372 wrote to memory of 2580	2372	winxpser.exe	31
PID 2372 wrote to memory of 2580	2372	winxpser.exe	31
PID 2372 wrote to memory of 2580	2372	winxpser.exe	31
PID 2680 wrote to memory of 2792	2680	winxpser.exe	32
PID 2680 wrote to memory of 2792	2680	winxpser.exe	32
PID 2680 wrote to memory of 2792	2680	winxpser.exe	32
PID 2680 wrote to memory of 2792	2680	winxpser.exe	32
PID 2680 wrote to memory of 1964	2680	winxpser.exe	33
PID 2680 wrote to memory of 1964	2680	winxpser.exe	33
PID 2680 wrote to memory of 1964	2680	winxpser.exe	33
PID 2680 wrote to memory of 1964	2680	winxpser.exe	33
PID 2792 wrote to memory of 2936	2792	winxpser.exe	34
PID 2792 wrote to memory of 2936	2792	winxpser.exe	34
PID 2792 wrote to memory of 2936	2792	winxpser.exe	34
PID 2792 wrote to memory of 2936	2792	winxpser.exe	34
PID 2792 wrote to memory of 2364	2792	winxpser.exe	37
PID 2792 wrote to memory of 2364	2792	winxpser.exe	37
PID 2792 wrote to memory of 2364	2792	winxpser.exe	37
PID 2792 wrote to memory of 2364	2792	winxpser.exe	37
PID 2936 wrote to memory of 1616	2936	winxpser.exe	38
PID 2936 wrote to memory of 1616	2936	winxpser.exe	38
PID 2936 wrote to memory of 1616	2936	winxpser.exe	38
PID 2936 wrote to memory of 1616	2936	winxpser.exe	38
PID 2936 wrote to memory of 2508	2936	winxpser.exe	39
PID 2936 wrote to memory of 2508	2936	winxpser.exe	39
PID 2936 wrote to memory of 2508	2936	winxpser.exe	39
PID 2936 wrote to memory of 2508	2936	winxpser.exe	39
PID 1616 wrote to memory of 384	1616	winxpser.exe	40
PID 1616 wrote to memory of 384	1616	winxpser.exe	40
PID 1616 wrote to memory of 384	1616	winxpser.exe	40
PID 1616 wrote to memory of 384	1616	winxpser.exe	40
PID 1616 wrote to memory of 764	1616	winxpser.exe	41
PID 1616 wrote to memory of 764	1616	winxpser.exe	41
PID 1616 wrote to memory of 764	1616	winxpser.exe	41
PID 1616 wrote to memory of 764	1616	winxpser.exe	41
PID 384 wrote to memory of 808	384	winxpser.exe	42
PID 384 wrote to memory of 808	384	winxpser.exe	42
PID 384 wrote to memory of 808	384	winxpser.exe	42
PID 384 wrote to memory of 808	384	winxpser.exe	42
PID 384 wrote to memory of 2388	384	winxpser.exe	43
PID 384 wrote to memory of 2388	384	winxpser.exe	43
PID 384 wrote to memory of 2388	384	winxpser.exe	43
PID 384 wrote to memory of 2388	384	winxpser.exe	43
PID 808 wrote to memory of 688	808	winxpser.exe	44
PID 808 wrote to memory of 688	808	winxpser.exe	44
PID 808 wrote to memory of 688	808	winxpser.exe	44
PID 808 wrote to memory of 688	808	winxpser.exe	44
PID 808 wrote to memory of 1096	808	winxpser.exe	45
PID 808 wrote to memory of 1096	808	winxpser.exe	45
PID 808 wrote to memory of 1096	808	winxpser.exe	45
PID 808 wrote to memory of 1096	808	winxpser.exe	45

C:\Users\Admin\AppData\Local\Temp\05ede67be65ec870220e8125af371889.exe
"C:\Users\Admin\AppData\Local\Temp\05ede67be65ec870220e8125af371889.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\05ede67be65ec870220e8125af371889.exe
  "C:\Users\Admin\AppData\Local\Temp\05ede67be65ec870220e8125af371889.exe"
  2⤵
  PID:2204
- C:\Windows\SysWOW64\winxpser.exe
  C:\Windows\system32\winxpser.exe 540 "C:\Users\Admin\AppData\Local\Temp\05ede67be65ec870220e8125af371889.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\winxpser.exe
    C:\Windows\system32\winxpser.exe 536 "C:\Windows\SysWOW64\winxpser.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\winxpser.exe
      C:\Windows\system32\winxpser.exe 532 "C:\Windows\SysWOW64\winxpser.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 564 "C:\Windows\SysWOW64\winxpser.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 560 "C:\Windows\SysWOW64\winxpser.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 552 "C:\Windows\SysWOW64\winxpser.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 568 "C:\Windows\SysWOW64\winxpser.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 576 "C:\Windows\SysWOW64\winxpser.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:688
        
        C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 556 "C:\Windows\SysWOW64\winxpser.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\winxpser.exe
        
        C:\Windows\system32\winxpser.exe 544 "C:\Windows\SysWOW64\winxpser.exe"
        11⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        11⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        10⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        9⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        8⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        7⤵
        Executes dropped EXE
        
        PID:764
      - C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        6⤵
        Executes dropped EXE
        
        PID:2508
    - - C:\Windows\SysWOW64\winxpser.exe
        
        "C:\Windows\SysWOW64\winxpser.exe"
        5⤵
        Executes dropped EXE
        
        PID:2364
  - - C:\Windows\SysWOW64\winxpser.exe
      "C:\Windows\SysWOW64\winxpser.exe"
      4⤵
      Executes dropped EXE
      PID:1964
- - C:\Windows\SysWOW64\winxpser.exe
    "C:\Windows\SysWOW64\winxpser.exe"
    3⤵
    - Executes dropped EXE
    PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winxpser.exe

Filesize
92KB

MD5
1aac03882919a141e4a23ec98ca62bc6

SHA1
d1863abc083f1de45a15776de4e676c13b737ea6

SHA256
f59ceca4dd71a9e9643ef91de85ea1832599bb3496b9b7b1e9206e433a71ec9d

SHA512
1673bc66b9a3e1c41ef1d558b93119f7e7731070bb0ddfc51e4c9536076e5e5c8bd6d50f541650ef63ca61f079e9d957061699476d959a5085bc083968036526

Download Submit
\Windows\SysWOW64\winxpser.exe

Filesize
141KB

MD5
05ede67be65ec870220e8125af371889

SHA1
d40d754452bd3a66cd71f1fce0c538b81a3f5f98

SHA256
eaf7e1cec4a3562d1489056c7a7acd38f061621aa362c09e080e6b2d4ecfabb5

SHA512
0ae5d70d4b7f4184c1af887a4c63733d72282704827035e02aba459c63a2671a6515d96bb3fa9b8023551d8e8b1405e6307fd3b548b6b5fa82864fa794e2adef

Download Submit
memory/384-50-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/384-58-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/452-79-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/452-71-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/688-72-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/688-64-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/764-53-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/808-65-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/808-57-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/972-78-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1096-67-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1616-42-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1616-49-0x0000000002990000-0x0000000002A25000-memory.dmp

Filesize
596KB

Download
memory/1616-51-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1676-74-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1964-31-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2204-15-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2364-38-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2372-21-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2372-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2388-60-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2508-45-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2580-23-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2680-20-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2680-27-0x00000000020E0000-0x0000000002175000-memory.dmp

Filesize
596KB

Download
memory/2680-29-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2792-28-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2792-36-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2936-35-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2936-43-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2976-5-0x0000000002870000-0x0000000002905000-memory.dmp

Filesize
596KB

Download
memory/2976-14-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2976-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2976-12-0x0000000002870000-0x0000000002905000-memory.dmp

Filesize
596KB

Download
memory/3044-81-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download