lumma | 42f6ed3f3f25e52787a9e43dec53306eb63e581d87882f3fbc4756685714e39a

Resubmissions

07-01-2024 18:26

240107-w3ameabffn 10

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 7/e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe
Size

1.7MB
MD5

710785459d065a7e822861764ec36480
SHA1

d7d641f65e380e71f13dd04a6a37c903b532fb32
SHA256

e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d
SHA512

7fc4596b4cc119c9f939d4577e54c788dccd3c9aa84d8bfcd8dde14ee22da8b525b5c06201c045634e346444c78bf923c5e203e88af7717fac80178f52f7fa45
SSDEEP

24576:TV+UOwZmL/nvlkykFlTrAEdghT0WUQ2YUhOxiq2p7j4jNyXpcHLYiSHdX3Ra/KhV:TXZnl3AEyRV2YUIxPsDnI/wM2

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

http://zamesblack.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

resource	yara_rule
behavioral28/memory/668-31-0x00000000002D0000-0x0000000000356000-memory.dmp	family_lumma_v4
behavioral28/memory/668-33-0x00000000002D0000-0x0000000000356000-memory.dmp	family_lumma_v4
behavioral28/memory/668-34-0x00000000002D0000-0x0000000000356000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
668	Angle.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
4792	tasklist.exe
1848	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4700	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
668	Angle.pif
668	Angle.pif
668	Angle.pif
668	Angle.pif
668	Angle.pif
668	Angle.pif
668	Angle.pif
668	Angle.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
668	Angle.pif
668	Angle.pif
668	Angle.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
668	Angle.pif
668	Angle.pif
668	Angle.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1636	4248	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	99
PID 4248 wrote to memory of 1636	4248	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	99
PID 4248 wrote to memory of 1636	4248	e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe	99
PID 1636 wrote to memory of 2792	1636	cmd.exe	98
PID 1636 wrote to memory of 2792	1636	cmd.exe	98
PID 1636 wrote to memory of 2792	1636	cmd.exe	98
PID 2792 wrote to memory of 4792	2792	cmd.exe	101
PID 2792 wrote to memory of 4792	2792	cmd.exe	101
PID 2792 wrote to memory of 4792	2792	cmd.exe	101
PID 2792 wrote to memory of 2252	2792	cmd.exe	100
PID 2792 wrote to memory of 2252	2792	cmd.exe	100
PID 2792 wrote to memory of 2252	2792	cmd.exe	100
PID 2792 wrote to memory of 1848	2792	cmd.exe	103
PID 2792 wrote to memory of 1848	2792	cmd.exe	103
PID 2792 wrote to memory of 1848	2792	cmd.exe	103
PID 2792 wrote to memory of 2176	2792	cmd.exe	102
PID 2792 wrote to memory of 2176	2792	cmd.exe	102
PID 2792 wrote to memory of 2176	2792	cmd.exe	102
PID 2792 wrote to memory of 4936	2792	cmd.exe	108
PID 2792 wrote to memory of 4936	2792	cmd.exe	108
PID 2792 wrote to memory of 4936	2792	cmd.exe	108
PID 2792 wrote to memory of 1756	2792	cmd.exe	107
PID 2792 wrote to memory of 1756	2792	cmd.exe	107
PID 2792 wrote to memory of 1756	2792	cmd.exe	107
PID 2792 wrote to memory of 2168	2792	cmd.exe	106
PID 2792 wrote to memory of 2168	2792	cmd.exe	106
PID 2792 wrote to memory of 2168	2792	cmd.exe	106
PID 2792 wrote to memory of 668	2792	cmd.exe	105
PID 2792 wrote to memory of 668	2792	cmd.exe	105
PID 2792 wrote to memory of 668	2792	cmd.exe	105
PID 2792 wrote to memory of 4700	2792	cmd.exe	104
PID 2792 wrote to memory of 4700	2792	cmd.exe	104
PID 2792 wrote to memory of 4700	2792	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Samples 7\e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 7\e396aa398fb1fa0f6c9db780211f758649e9a1f26bb5a2e7026b1cfec6ea9c0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Windows\SysWOW64\cmd.exe
  cmd /k cmd < Catch & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  2⤵
  PID:2252
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "wrsa.exe"
  2⤵
  PID:2176
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\PING.EXE
  ping -n 5 localhost
  2⤵
  - Runs ping.exe
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\33562\16996\Angle.pif
  16996\Angle.pif 16996\C
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Armstrong + Who + Standing 16996\C
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Jobs + Promo + Rally + Latinas + Assumes 16996\Angle.pif
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c mkdir 16996
  2⤵
  PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33562\16996\Angle.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\33562\Catch

Filesize
12KB

MD5
718bb1691450f42b1a46fe23f2eb507f

SHA1
6e5fcd14d4f5511b969699e650024e731b0b49aa

SHA256
461155c91a86d6ff3ed6d517a459b36ab53e1f73ede7f054578c26e9284d3f80

SHA512
7188c1c24db1624d602f48e60d834f3b71d70f975a00e7e1e6298113266339fb55a14101c51fa251494d9d2614a1a592beb29d2376c570cc8187353f19ec1cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\33562\Jobs

Filesize
257KB

MD5
102c7e49642516f9821d97b94ebdbdb7

SHA1
de28c06d5de6b689859a6d98a5d9bc656b0530d7

SHA256
6f47049fcdb5d2e5fe4ef66ce428794379f97b2099e97798406d666a1c187ed8

SHA512
5f067423bd94de1fe35fda9bb972502c11e4c26f224b05a1f9a56dad8caf0ea64d058772f202ba659c3036e493d7d22f68b38a043f8b51e5ce2d0eb25f2dc61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\33562\Latinas

Filesize
92KB

MD5
f648eca1e688ea3e550947b014da826d

SHA1
d53d4a3f98dab34ffdc6419ef8fdb0381d442ddc

SHA256
58569185e14ebf3c3a4560af09821900d26b42e721984748f1a1d740d1d7a532

SHA512
89a7e408d137da27550e8ef52824b6dfd39149aba98cd628a613bdce3e10335f982f7d2306274f83efaf7d5014aa158f2c910dbcbb6f92e2018f61648a2f1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\33562\Promo

Filesize
129KB

MD5
6494d8de7e5c15e5d636474e0a650fe6

SHA1
1aedd0ed9c1310a691f8a420617db357ebab8430

SHA256
e50b45a5d2f5d0ef07b1098f086fe7d365a6858239ece89d23540f52031914ee

SHA512
d7c84f1f737947d6929d8183700d48656c6ddf6f495d0e2aab673dfe4ac75e7b6e70e3e7ede4493162f1d3677860ec6236b56fc7662f307952a108d397e68196

Download Submit
C:\Users\Admin\AppData\Local\Temp\33562\Rally

Filesize
152KB

MD5
cd2e635cabae7d929cd246778dbfb69b

SHA1
36dc87dae8c8b0e74993a6344a710096c7c08df9

SHA256
1422ab4975976de3009c7ec349a7e884aab78be0d500cda9dc667f97875d5f3c

SHA512
382adc28eb085f5b27ad72c9795e308f222a7caf7062e6e4e0cfb6d701a08b5f12d2778733d78f0272fe69543305fb55e3b6b19a6c26d3b41d2d837abdb382b6

Download Submit
memory/668-29-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-26-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/668-27-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-28-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-30-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-31-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-33-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/668-34-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/4248-25-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download
memory/4248-0-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4248-5-0x0000000000300000-0x00000000004BF000-memory.dmp

Filesize
1.7MB

Download