lumma | 1afe857d1b5f2c0ff48ebbd2f32abf11f9b310416b1273e77adc7ee37f001ff8

Analysis

max time kernel
130s
max time network
183s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 1/5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe
Size

1.7MB
MD5

fee771c9a50a56880f6bce04874f6f5c
SHA1

e5a9f281eb91405004cd4f347db7b5f23f8d6b8f
SHA256

5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91
SHA512

e1cb760ddc11d2eeba73fd5bd3baabcebc82c7f41ed9a7cc2d7e30bf527ac6aaf3593536a57c3ac546ecf29b1521764f0412062a811645d0bbcf739ca579f422
SSDEEP

24576:3eHTg0cKA71b0+P7tT4o+AVDT2wEpXs+XFJP+jP2jetVS7cb6z54R7u9ud9Xu9cI:3TrTqAVm/JRX2IetVz6mRuaxt

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

http://zamesblack.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

Processes:

resource	yara_rule
behavioral29/memory/2952-32-0x0000000004170000-0x00000000041F6000-memory.dmp	family_lumma_v4
behavioral29/memory/2952-33-0x0000000004170000-0x00000000041F6000-memory.dmp	family_lumma_v4
behavioral29/memory/2952-34-0x0000000004170000-0x00000000041F6000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

Town.pif

pid process

2952 Town.pif
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1040 cmd.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2260 tasklist.exe
2940 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Town.pif

pid process

2952 Town.pif
2952 Town.pif
2952 Town.pif
2952 Town.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2260 tasklist.exe
Token: SeDebugPrivilege 2940 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Town.pif

pid process

2952 Town.pif
2952 Town.pif
2952 Town.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Town.pif

pid process

2952 Town.pif
2952 Town.pif
2952 Town.pif

pid	process
2952	Town.pif

pid	process
1040	cmd.exe

pid	process
2260	tasklist.exe
2940	tasklist.exe

pid	process
2016	PING.EXE

pid	process
2952	Town.pif
2952	Town.pif
2952	Town.pif
2952	Town.pif

description	pid	process
Token: SeDebugPrivilege	2260	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe

pid	process
2952	Town.pif
2952	Town.pif
2952	Town.pif

pid	process
2952	Town.pif
2952	Town.pif
2952	Town.pif

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.execmd.execmd.exe

description	pid	process	target process
PID 2712 wrote to memory of 2624	2712	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 2712 wrote to memory of 2624	2712	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 2712 wrote to memory of 2624	2712	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 2712 wrote to memory of 2624	2712	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 2624 wrote to memory of 1040	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 1040	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 1040	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 1040	2624	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2260	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2260	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2260	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2260	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2600	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2600	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2600	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2600	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2940	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2940	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2940	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2940	1040	cmd.exe	tasklist.exe
PID 1040 wrote to memory of 2920	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2920	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2920	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2920	1040	cmd.exe	findstr.exe
PID 1040 wrote to memory of 2964	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2964	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2964	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2964	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2976	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2976	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2976	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2976	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 3020	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 3020	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 3020	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 3020	1040	cmd.exe	cmd.exe
PID 1040 wrote to memory of 2952	1040	cmd.exe	Town.pif
PID 1040 wrote to memory of 2952	1040	cmd.exe	Town.pif
PID 1040 wrote to memory of 2952	1040	cmd.exe	Town.pif
PID 1040 wrote to memory of 2952	1040	cmd.exe	Town.pif
PID 1040 wrote to memory of 2016	1040	cmd.exe	PING.EXE
PID 1040 wrote to memory of 2016	1040	cmd.exe	PING.EXE
PID 1040 wrote to memory of 2016	1040	cmd.exe	PING.EXE
PID 1040 wrote to memory of 2016	1040	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Samples 1\5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 1\5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Sorry & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2600

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
4⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 17910
4⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Edges + Inf + Foul + Entrepreneurs 17910\Town.pif
4⤵
PID:2976

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:2016

C:\Users\Admin\AppData\Local\Temp\11560\17910\Town.pif
17910\Town.pif 17910\a
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Admit + Like + Yu 17910\a
4⤵
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11560\17910\Town.pif
Filesize
520KB

MD5
8c75c8c52cc76230d840e18259f3fb22

SHA1
886d331c87bc156ec1b999f60108d0af9a50c0b7

SHA256
44218d9a4625172005d46e71780620e16b9cc65580762dfe2aa84e1ef39a1faf

SHA512
8adc4d548ea7acfc6a9bb41c8bea893b3a14d69c8ee70229940835460b627bb38ec9efda450059c023282bef89f7f45286724517c74b334b4455de2d686ac5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\17910\Town.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\17910\a
Filesize
97KB

MD5
e904085037daa318f4a21c3675159b0f

SHA1
f0347349e416a2296add28c41b684540ad22f266

SHA256
1c2ea72f00147e3fed095621ef75e82d1d5c0642c137e900575ee33962f90a2d

SHA512
205abaa23365c99f941b8c6b58a3fe03539d1fc34bdd1acb7084a5788110e763e4d9a29fdaf1818e3e201f853d87ee2773ca7c83f0bbd7975d0157275e828a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Admit
Filesize
446KB

MD5
2b3c9515510eee0dc19c67772f793c4f

SHA1
6d4c851e63dd8d7073e9d9fbf2603bbab7b60100

SHA256
7bfbe7b40752a99a4405031be7a92ee835238bd098081afe527663fa4f8ac4bf

SHA512
470cf48f1e3966865eb3c6bea8d14fe67444069a6c689451271ec968a320d1496432956b21f6746b3c5d72c1b241c166da5cda3abf7c2e767c0817d98c1e899e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Edges
Filesize
250KB

MD5
bc38068047fa909483d2029dbd56a138

SHA1
447a3143f062a11854eba0db83c4b1e8ee5649ce

SHA256
65f59b33867862480eb3765dbbe8666cd038770daf6d22761cf0a5f50613221f

SHA512
11f0acbedc74dd6ff1979b238b2bed638f55f4fb2a0c6503e48d6be66c8d360600dc1c41d0a161ea8568598f9117d3c998e1e2825959078eb6942d7d5270fb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Entrepreneurs
Filesize
219KB

MD5
f27a3c6f675ef8dc39afa3e9d1ca52f1

SHA1
50c617f9727877f69cb45d0860110508e5ddd99a

SHA256
107c9f5f21d19fd781218ef317597a5039ba9fe22a908a5b610ee60480059d3f

SHA512
f5452015f2eb9c6b0452bd1729b06baea9d5a2848594bed478e3c949266fa8438c552f2961d19a4624f981ba552e9525bc42188792a75babbee98c0f1557db1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Foul
Filesize
190KB

MD5
0fb98b666cec21e6a510379372988208

SHA1
2701956d358029eacffc086adf94cfb287744d5b

SHA256
c5f575ab19db378b1303debb9b5417cb14fde8f330667f71fe93230ea9b33926

SHA512
5285f84364c501c828081f3c12fb0e407edabe77aa13634ffdb1344460f969faf5fbdf08bc66ebf93551421442993d9650728bfc7fc10da582031bc64892a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Inf
Filesize
265KB

MD5
f7b1477adc53dd39d4d4095c5ef777ea

SHA1
fe4fefd565e79d3417f527bbf3586d93519304aa

SHA256
1c2d1a532679278f12fc4994195f1e190da14424e781caa9ebbb2e8615d0d899

SHA512
cb521aaa5f53c8816e379b17740a88c3c1290a6e6dc06ad1bcd23d56681a1b52ba3250f5ecd4416e2eb3da35dca1501a67eca0835e6ed4a7cb71fe2d45612d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Like
Filesize
404KB

MD5
2369acddad6dc5da2a87623b652974d9

SHA1
efc1441d1ddbc0c36011676415841c49a5a0223c

SHA256
3d470e1b625e72b8b89d18236380074c2893c42371a04670d1ca9b27ac825738

SHA512
d3330f2e186c7c438f8394ac485ac55c2f5ecb6430fe30fd929aa3451e5f8dbec8ac1ce0a0ee7c7d7687a7290752043b5811a76ee80497044d42156f41ded112

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Sorry
Filesize
11KB

MD5
26413b5e758c26171fec67d8139b8482

SHA1
42548f7957d4d19b3afbd6b81405a2d80f638c55

SHA256
24017740ee1bd1195a54de9b174823a2a6fde0f04cbd5bfbde5917b4bf760d30

SHA512
4f1631b328c863e03e2157aa178f7a99b63bfec61a8416c0ec2bb9ba546b58ddef880149fc1800493846f79342f66939d1067f8a2d44f407563983082db8121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\11560\Yu
Filesize
278KB

MD5
5ac68d1e171391b319399de52fb5472a

SHA1
690f71693528b9ae7718a1bfc580d8588f1f06ae

SHA256
b0743290c227ea97f6c03ff7a9f0027a0c9c0c82ad028fb100ac46e09250782a

SHA512
c4615167cd5b6f336cab0690efcd5893e328de8a7def90142a8e8104953e7a5ec832ce82db37582cad52b335a950f841da6d7640f008a15b9921a9acddc14c04

Download Submit
memory/2712-12-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/2712-0-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2712-6-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/2712-5-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/2712-26-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/2952-28-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-27-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2952-29-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-30-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-31-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-32-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-33-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2952-34-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download