lumma | f07bf397abd8b6bed01b838c3f332319c997f810ee5ec5087e761f1ccc39641a

Analysis

max time kernel
165s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lnstall.exe
Size

1.4MB
MD5

38901633c833cba7f682472ced0dbe4b
SHA1

0c11a1ac834d2b270ba60f3605109933ca11a7f0
SHA256

a5c5487194f761dac90e178c9c1753c0f47b041f3168b5c23a587f33f69e5089
SHA512

70d71197c68c9a92883c482aee76978e2a01e785be6fb3b6082369e25d991d3e03d8467e11d87493e54f5a3dc4bcd59fa588f0fabe5f6fdcf3361de95cb471c1
SSDEEP

24576:gLikjHtEvSKi9Q8K8Nj99HxJ+EbUUbnI11f4wuTLoYHTkPQ4JD7eK:gukT+SpRKaJb0f4wrCSP

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://goddirtybrilliancece.fun/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4048 set thread context of 3956	4048	lnstall.exe	91

Loads dropped DLL 1 IoCs

pid	Process
1120	updater.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4048	lnstall.exe
4048	lnstall.exe
3956	cmd.exe
3956	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4048	lnstall.exe
3956	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 3956	4048	lnstall.exe	91
PID 4048 wrote to memory of 3956	4048	lnstall.exe	91
PID 4048 wrote to memory of 3956	4048	lnstall.exe	91
PID 4048 wrote to memory of 3956	4048	lnstall.exe	91
PID 3956 wrote to memory of 1120	3956	cmd.exe	101
PID 3956 wrote to memory of 1120	3956	cmd.exe	101
PID 3956 wrote to memory of 1120	3956	cmd.exe	101
PID 3956 wrote to memory of 1120	3956	cmd.exe	101
PID 3956 wrote to memory of 1120	3956	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\lnstall.exe
"C:\Users\Admin\AppData\Local\Temp\lnstall.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\updater.exe
    C:\Users\Admin\AppData\Local\Temp\updater.exe
    3⤵
    - Loads dropped DLL
    PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25c68dc4

Filesize
2.5MB

MD5
af1379b22a519e3eb8349a9e870dcf22

SHA1
450e253f386ddd346c6f79478561a8acbfe62c59

SHA256
92aaca17bd28d80782faf0f051211241664e485f2bc5e9b097b447be71bbb74c

SHA512
62ca3b654bf92ef86bfcf68b85cf1c6f985122b89e83db6d48725d7ac4efa1aa843861440d84aca73e926dca1706d18f4cea5e144a1b358a18eda1ec50404c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
506KB

MD5
32615b780b2393b77c2f93f7642c7448

SHA1
798b03fe713442573bfd2cfe9c762952a57c58ab

SHA256
1019926602b140cd90067bd1e8ffa210b2f84b98501431f7e9b85974ee958eae

SHA512
f7041414c2b0fd4b1a664bde02e3bb45e917722965ab7f12f9a21b5b5684d3805ac578a6a43dc88b61c4f6c184acd74529615f66a2196f58f4749b9670d6eefe

Download Submit
memory/1120-21-0x0000000001300000-0x00000000013AA000-memory.dmp

Filesize
680KB

Download
memory/1120-20-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/1120-26-0x0000000001300000-0x00000000013AA000-memory.dmp

Filesize
680KB

Download
memory/1120-25-0x0000000001300000-0x00000000013AA000-memory.dmp

Filesize
680KB

Download
memory/1120-24-0x00000000009C0000-0x0000000000AEC000-memory.dmp

Filesize
1.2MB

Download
memory/3956-18-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-15-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-14-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/3956-12-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/3956-10-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/4048-8-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/4048-1-0x00007FF928BB0000-0x00007FF928DA5000-memory.dmp

Filesize
2.0MB

Download
memory/4048-0-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/4048-7-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download