lumma | 4d6bcae5eb557b4f84e9b19fb679a4c109290d811c68018815ab6c48d4228346

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2024 12:09

Target

Launcher.exe
Size

796KB
MD5

5deb964f3b14a5af71991745fb8d1724
SHA1

7d72eb66ea84887760cd19b8f40bfbd01c2a5ae0
SHA256

4d6bcae5eb557b4f84e9b19fb679a4c109290d811c68018815ab6c48d4228346
SHA512

697eed7521e189a05befcbe85df86f0175fd6ae8a2b7fc5b3741ff993ddf455068a6b4315737ffdea0c4df4d2e0f1cefe3a86de5334604cee5c5ba6331e18d73
SSDEEP

12288:oqLTgFrogGDk3a+kjWt6yIjixZbnrzJXUTvxN/u7yS9QHvc/YRsa8Uu:B4QBr6nFNnrz6TvD9UwR4

Score

10^/10

lumma stealer

Family

lumma

https://goddirtybrilliancece.fun/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 4020	2276	Launcher.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	4020	WerFault.exe	89

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	Launcher.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2064	2276	Launcher.exe	88
PID 2276 wrote to memory of 2064	2276	Launcher.exe	88
PID 2276 wrote to memory of 2064	2276	Launcher.exe	88
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89
PID 2276 wrote to memory of 4020	2276	Launcher.exe	89

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 816
    3⤵
    - Program crash
    PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4020 -ip 4020
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4020 -ip 4020
1⤵
PID:2788

memory/2276-12-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2276-1-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/2276-2-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2276-3-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2276-4-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2276-6-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x0000000000E30000-0x0000000000EFE000-memory.dmp

Filesize
824KB

Download
memory/4020-5-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4020-9-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4020-13-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4020-14-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4020-11-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4020-15-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4020-16-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download