lumma | 1afe857d1b5f2c0ff48ebbd2f32abf11f9b310416b1273e77adc7ee37f001ff8

Analysis

max time kernel
147s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 1/5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe
Size

1.7MB
MD5

fee771c9a50a56880f6bce04874f6f5c
SHA1

e5a9f281eb91405004cd4f347db7b5f23f8d6b8f
SHA256

5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91
SHA512

e1cb760ddc11d2eeba73fd5bd3baabcebc82c7f41ed9a7cc2d7e30bf527ac6aaf3593536a57c3ac546ecf29b1521764f0412062a811645d0bbcf739ca579f422
SSDEEP

24576:3eHTg0cKA71b0+P7tT4o+AVDT2wEpXs+XFJP+jP2jetVS7cb6z54R7u9ud9Xu9cI:3TrTqAVm/JRX2IetVz6mRuaxt

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

http://zamesblack.fun/api

Signatures

Detect Lumma Stealer payload V4 3 IoCs

Processes:

resource	yara_rule
behavioral30/memory/2360-32-0x0000000005770000-0x00000000057F6000-memory.dmp	family_lumma_v4
behavioral30/memory/2360-34-0x0000000005770000-0x00000000057F6000-memory.dmp	family_lumma_v4
behavioral30/memory/2360-35-0x0000000005770000-0x00000000057F6000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

Town.pif

pid process

2360 Town.pif
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4856 2360 WerFault.exe Town.pif
208 2360 WerFault.exe Town.pif
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3492 tasklist.exe
4668 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3064 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Town.pif

pid process

2360 Town.pif
2360 Town.pif
2360 Town.pif
2360 Town.pif
2360 Town.pif
2360 Town.pif
2360 Town.pif
2360 Town.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4668 tasklist.exe
Token: SeDebugPrivilege 3492 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Town.pif

pid process

2360 Town.pif
2360 Town.pif
2360 Town.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Town.pif

pid process

2360 Town.pif
2360 Town.pif
2360 Town.pif

pid	process
2360	Town.pif

pid	pid_target	process	target process
4856	2360	WerFault.exe	Town.pif
208	2360	WerFault.exe	Town.pif

pid	process
3492	tasklist.exe
4668	tasklist.exe

pid	process
3064	PING.EXE

pid	process
2360	Town.pif
2360	Town.pif
2360	Town.pif
2360	Town.pif
2360	Town.pif
2360	Town.pif
2360	Town.pif
2360	Town.pif

description	pid	process
Token: SeDebugPrivilege	4668	tasklist.exe
Token: SeDebugPrivilege	3492	tasklist.exe

pid	process
2360	Town.pif
2360	Town.pif
2360	Town.pif

pid	process
2360	Town.pif
2360	Town.pif
2360	Town.pif

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.execmd.execmd.exe

description	pid	process	target process
PID 4332 wrote to memory of 4916	4332	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 4332 wrote to memory of 4916	4332	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 4332 wrote to memory of 4916	4332	5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe	cmd.exe
PID 4916 wrote to memory of 4460	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 4460	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 4460	4916	cmd.exe	cmd.exe
PID 4460 wrote to memory of 4668	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 4668	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 4668	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 3936	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 3936	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 3936	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 3492	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 3492	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 3492	4460	cmd.exe	tasklist.exe
PID 4460 wrote to memory of 856	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 856	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 856	4460	cmd.exe	findstr.exe
PID 4460 wrote to memory of 3376	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 3376	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 3376	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 1552	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 1552	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 1552	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 3232	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 3232	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 3232	4460	cmd.exe	cmd.exe
PID 4460 wrote to memory of 2360	4460	cmd.exe	Town.pif
PID 4460 wrote to memory of 2360	4460	cmd.exe	Town.pif
PID 4460 wrote to memory of 2360	4460	cmd.exe	Town.pif
PID 4460 wrote to memory of 3064	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3064	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3064	4460	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Samples 1\5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 1\5e6e5fe247e96c09a7297b32c31880847a6827762b9afdbb7d7b46e3c0071a91.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\cmd.exe
cmd /k cmd < Sorry & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:3936

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe"
4⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir 17832
4⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Edges + Inf + Foul + Entrepreneurs 17832\Town.pif
4⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Admit + Like + Yu 17832\a
4⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\47683\17832\Town.pif
17832\Town.pif 17832\a
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1460
5⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1576
5⤵
- Program crash
PID:208

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2360 -ip 2360
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2360 -ip 2360
1⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47683\17832\Town.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\17832\a
Filesize
1.1MB

MD5
cf3cad1cd81fdcd412284f36cd152e4f

SHA1
9e13626b96829190239294a430a7490cd3f08356

SHA256
4f78826f2e0ec86ca4a4b13a50220a79aaad30ee2374bd10548e105de38827c6

SHA512
f14a9e88bf0aacdf48e3fbd36784ce9620e2127f5f41e105afdf5366ac5ff7dcc8664708f2a84fcd12c29ea80361bc592b0222ce13d8f5158a224c67d0517196

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Admit
Filesize
446KB

MD5
2b3c9515510eee0dc19c67772f793c4f

SHA1
6d4c851e63dd8d7073e9d9fbf2603bbab7b60100

SHA256
7bfbe7b40752a99a4405031be7a92ee835238bd098081afe527663fa4f8ac4bf

SHA512
470cf48f1e3966865eb3c6bea8d14fe67444069a6c689451271ec968a320d1496432956b21f6746b3c5d72c1b241c166da5cda3abf7c2e767c0817d98c1e899e

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Edges
Filesize
250KB

MD5
bc38068047fa909483d2029dbd56a138

SHA1
447a3143f062a11854eba0db83c4b1e8ee5649ce

SHA256
65f59b33867862480eb3765dbbe8666cd038770daf6d22761cf0a5f50613221f

SHA512
11f0acbedc74dd6ff1979b238b2bed638f55f4fb2a0c6503e48d6be66c8d360600dc1c41d0a161ea8568598f9117d3c998e1e2825959078eb6942d7d5270fb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Entrepreneurs
Filesize
219KB

MD5
f27a3c6f675ef8dc39afa3e9d1ca52f1

SHA1
50c617f9727877f69cb45d0860110508e5ddd99a

SHA256
107c9f5f21d19fd781218ef317597a5039ba9fe22a908a5b610ee60480059d3f

SHA512
f5452015f2eb9c6b0452bd1729b06baea9d5a2848594bed478e3c949266fa8438c552f2961d19a4624f981ba552e9525bc42188792a75babbee98c0f1557db1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Foul
Filesize
190KB

MD5
0fb98b666cec21e6a510379372988208

SHA1
2701956d358029eacffc086adf94cfb287744d5b

SHA256
c5f575ab19db378b1303debb9b5417cb14fde8f330667f71fe93230ea9b33926

SHA512
5285f84364c501c828081f3c12fb0e407edabe77aa13634ffdb1344460f969faf5fbdf08bc66ebf93551421442993d9650728bfc7fc10da582031bc64892a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Inf
Filesize
265KB

MD5
f7b1477adc53dd39d4d4095c5ef777ea

SHA1
fe4fefd565e79d3417f527bbf3586d93519304aa

SHA256
1c2d1a532679278f12fc4994195f1e190da14424e781caa9ebbb2e8615d0d899

SHA512
cb521aaa5f53c8816e379b17740a88c3c1290a6e6dc06ad1bcd23d56681a1b52ba3250f5ecd4416e2eb3da35dca1501a67eca0835e6ed4a7cb71fe2d45612d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Like
Filesize
404KB

MD5
2369acddad6dc5da2a87623b652974d9

SHA1
efc1441d1ddbc0c36011676415841c49a5a0223c

SHA256
3d470e1b625e72b8b89d18236380074c2893c42371a04670d1ca9b27ac825738

SHA512
d3330f2e186c7c438f8394ac485ac55c2f5ecb6430fe30fd929aa3451e5f8dbec8ac1ce0a0ee7c7d7687a7290752043b5811a76ee80497044d42156f41ded112

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Sorry
Filesize
11KB

MD5
26413b5e758c26171fec67d8139b8482

SHA1
42548f7957d4d19b3afbd6b81405a2d80f638c55

SHA256
24017740ee1bd1195a54de9b174823a2a6fde0f04cbd5bfbde5917b4bf760d30

SHA512
4f1631b328c863e03e2157aa178f7a99b63bfec61a8416c0ec2bb9ba546b58ddef880149fc1800493846f79342f66939d1067f8a2d44f407563983082db8121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\47683\Yu
Filesize
278KB

MD5
5ac68d1e171391b319399de52fb5472a

SHA1
690f71693528b9ae7718a1bfc580d8588f1f06ae

SHA256
b0743290c227ea97f6c03ff7a9f0027a0c9c0c82ad028fb100ac46e09250782a

SHA512
c4615167cd5b6f336cab0690efcd5893e328de8a7def90142a8e8104953e7a5ec832ce82db37582cad52b335a950f841da6d7640f008a15b9921a9acddc14c04

Download Submit
memory/2360-28-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-29-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-35-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-34-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-32-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-31-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/2360-27-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2360-30-0x0000000005770000-0x00000000057F6000-memory.dmp

Filesize
536KB

Download
memory/4332-25-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4332-0-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/4332-26-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/4332-2-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/4332-24-0x0000000000600000-0x00000000007B1000-memory.dmp

Filesize
1.7MB

Download
memory/4332-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download