lumma | 3621cbb7c16bb07b3636356e9f73788c95057b3fe7cba6850e8f3b2d0fda6dc5

Analysis

max time kernel
18s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f9e3ea623dccde8cc077de47dc6c1b.exe
Size

216KB
MD5

14f9e3ea623dccde8cc077de47dc6c1b
SHA1

e55644d8a8b366d94f6e05be56daed1ff7ca4241
SHA256

3621cbb7c16bb07b3636356e9f73788c95057b3fe7cba6850e8f3b2d0fda6dc5
SHA512

e35bae057c97a7fe2567ca1562a1c7418f66cd07d92f52cf364133b679677aadece02e28375e44c47d2ed81e458742b2911a0ec2d5c624749cea694edfbd46b4
SSDEEP

6144:6b3UYmL5+wp7XH51MnD9fpoh+WclrLqE:6beLpJXZ1b+WSyE

Score

10^/10

lumma metasploit backdoor stealer trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

Detect Lumma Stealer payload V4 29 IoCs

resource	yara_rule
behavioral2/memory/4432-5-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/4432-4-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/4432-2-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/4432-12-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/4432-1-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/244-17-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/244-19-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/244-18-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/244-20-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2140-30-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2140-29-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2140-28-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2140-31-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-39-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-41-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-40-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-42-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/3860-52-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/3860-51-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/3860-50-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/3860-53-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/760-63-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/760-61-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/760-60-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/760-64-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2792-74-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2792-73-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2792-72-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4
behavioral2/memory/2792-75-0x0000000000400000-0x0000000000481000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 4 IoCs

pid	Process
3780	globalpatch.exe
244	globalpatch.exe
932	globalpatch.exe
2140	globalpatch.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3732-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3732-3-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/3780-16-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/932-22-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/932-27-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2392-33-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/2392-38-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1452-44-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1452-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1564-55-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1564-62-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/208-66-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/208-71-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	14f9e3ea623dccde8cc077de47dc6c1b.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	14f9e3ea623dccde8cc077de47dc6c1b.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3732 set thread context of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3780 set thread context of 244	3780	globalpatch.exe	43
PID 932 set thread context of 2140	932	globalpatch.exe	103

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 3732 wrote to memory of 4432	3732	14f9e3ea623dccde8cc077de47dc6c1b.exe	30
PID 4432 wrote to memory of 3780	4432	14f9e3ea623dccde8cc077de47dc6c1b.exe	33
PID 4432 wrote to memory of 3780	4432	14f9e3ea623dccde8cc077de47dc6c1b.exe	33
PID 4432 wrote to memory of 3780	4432	14f9e3ea623dccde8cc077de47dc6c1b.exe	33
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 3780 wrote to memory of 244	3780	globalpatch.exe	43
PID 244 wrote to memory of 932	244	globalpatch.exe	102
PID 244 wrote to memory of 932	244	globalpatch.exe	102
PID 244 wrote to memory of 932	244	globalpatch.exe	102
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103
PID 932 wrote to memory of 2140	932	globalpatch.exe	103

C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe
"C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe
  "C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\globalpatch.exe
    C:\Windows\system32\globalpatch.exe 1004 "C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\SysWOW64\globalpatch.exe
      1004 "C:\Users\Admin\AppData\Local\Temp\14f9e3ea623dccde8cc077de47dc6c1b.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:244
    - - C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1124 "C:\Windows\SysWOW64\globalpatch.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\SysWOW64\globalpatch.exe
        
        1124 "C:\Windows\SysWOW64\globalpatch.exe"
        6⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1092 "C:\Windows\SysWOW64\globalpatch.exe"
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1104 "C:\Windows\SysWOW64\globalpatch.exe"
        9⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1104 "C:\Windows\SysWOW64\globalpatch.exe"
        10⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
        11⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1092 "C:\Windows\SysWOW64\globalpatch.exe"
        12⤵
        
        PID:760
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
        13⤵
        
        PID:208
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1092 "C:\Windows\SysWOW64\globalpatch.exe"
        14⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1092 "C:\Windows\SysWOW64\globalpatch.exe"
        15⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1092 "C:\Windows\SysWOW64\globalpatch.exe"
        16⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1096 "C:\Windows\SysWOW64\globalpatch.exe"
        17⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1096 "C:\Windows\SysWOW64\globalpatch.exe"
        18⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1084 "C:\Windows\SysWOW64\globalpatch.exe"
        19⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1084 "C:\Windows\SysWOW64\globalpatch.exe"
        20⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 1104 "C:\Windows\SysWOW64\globalpatch.exe"
        21⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        1104 "C:\Windows\SysWOW64\globalpatch.exe"
        22⤵
        
        PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/208-66-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/244-17-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/244-20-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/244-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/244-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/760-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/760-63-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/760-61-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/760-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/932-27-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/932-22-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1452-44-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1564-62-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1564-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2140-29-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2140-28-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2140-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2140-31-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2156-42-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2156-40-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2156-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2156-39-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2392-38-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2392-33-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2692-120-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2792-75-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2792-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2792-73-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2792-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3656-86-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3656-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3656-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3656-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3732-3-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3732-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3780-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3860-50-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3860-53-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3860-52-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3860-51-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4256-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4256-110-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4432-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4432-1-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4432-2-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4432-4-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4432-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4436-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4436-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4444-88-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4444-93-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4608-107-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4608-113-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-95-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4908-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5064-104-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5064-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download