Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/01/2024, 17:58

General

  • Target
    5aec0e99db7bd449edb9a923df3a2c27.exe
  • Size
    987KB
  • MD5
    5aec0e99db7bd449edb9a923df3a2c27
  • SHA1
    1bcbfd66a0c5f10aa4a1437a7cd23c706418f282
  • SHA256
    9f51d19f0129696e8086dcf8bc470180c210a175f2b0fdfc91163d46a67a7f37
  • SHA512
    52cab3ff8fd5c37c22d576951acdb5373470ea194492bd70a01e3602a9f4cd7f56d604af49caed17e04da65eda74b117d2e8b20ac3ad0d58b4cd49eafa17cb32
  • SSDEEP
    24576:lfQvLUcdAIwlXeXIU2Tq2fGsuR2HTCRoe/1B:lfQjUchwl4IUcq2HuYHm3

Score
10/10

Malware Config

Signatures

  • Detect Lumma Stealer payload V4 (4 IoCs)
  • Lumma Stealer
    An infostealer written in C++, first seen in August 2022.
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe
    "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\wuaudit.exe
      C:\Windows\system32\wuaudit.exe 568 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\wuaudit.exe
        C:\Windows\system32\wuaudit.exe 516 "C:\Windows\SysWOW64\wuaudit.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\wuaudit.exe
          C:\Windows\system32\wuaudit.exe 524 "C:\Windows\SysWOW64\wuaudit.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\wuaudit.exe
            C:\Windows\system32\wuaudit.exe 528 "C:\Windows\SysWOW64\wuaudit.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\SysWOW64\wuaudit.exe
              C:\Windows\system32\wuaudit.exe 532 "C:\Windows\SysWOW64\wuaudit.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1300
              • C:\Windows\SysWOW64\wuaudit.exe
                C:\Windows\system32\wuaudit.exe 520 "C:\Windows\SysWOW64\wuaudit.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:1292
                • C:\Windows\SysWOW64\wuaudit.exe
                  C:\Windows\system32\wuaudit.exe 540 "C:\Windows\SysWOW64\wuaudit.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2200
                  • C:\Windows\SysWOW64\wuaudit.exe
                    C:\Windows\system32\wuaudit.exe 544 "C:\Windows\SysWOW64\wuaudit.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:2112
                    • C:\Windows\SysWOW64\wuaudit.exe
                      C:\Windows\system32\wuaudit.exe 548 "C:\Windows\SysWOW64\wuaudit.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:2948
                      • C:\Windows\SysWOW64\wuaudit.exe
                        C:\Windows\system32\wuaudit.exe 536 "C:\Windows\SysWOW64\wuaudit.exe"
                        11⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        PID:1532

Network


        Downloads

        • C:\Windows\SysWOW64\wuaudit.exe (576KB)
          MD5     ed9232b962aad41714297e8c29e1186b
          SHA1    fa0c1de8a1dfeb6c14d4b55b05bd152de5da8be7
          SHA256  0a3a1220d257d7a857974ba2d56c8fc52083b4e8ec7da78bfe1cf9f5dcab8cb9
          SHA512  0e340bd1927a947b2240bc61e0771ed5d65748ff5c5cc70743bc566fe002d70cf37428c41ac76f2663c528cc1c2535a40fb1b1e1545357ded719e39294ee0996

        • C:\Windows\SysWOW64\wuaudit.exe (256KB)
          MD5     a38637a25b9e5598e60c20c107459fb6
          SHA1    ccfc1827cbfeac8deac8a9b0c30d84837d8e7138
          SHA256  1997f853ace7586a8357adf3ba89aeb4fba935265216842f79ac57f01360e93c
          SHA512  098eed932d7e66b7e30c965d169833aad397392c24a050d121ee8d43d4a83b97fadf6c18aace96ceb022365634274d950164ef061753b1d3d78311c8c5fe3298

        • \Windows\SysWOW64\wuaudit.exe (1.6MB)
          MD5     7fffaf18f426d754485258a826ad4de3
          SHA1    168c8f02ddeb714fa1090939aea68164489bfc0a
          SHA256  4ba88f7cda7b2f8564738894b99f8a9a60c5bb6e4e65687752007afcdf6bce85
          SHA512  b2d71d4ee4890cd8bad02c4875787d9283024dc4af34dfe80541afbb23d5c9570e34c9f405ce7feaff56494f7395dc87773a890f97f578dc11f30f9b92aa81cf

        • memory/2312-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-28-0x0000000075140000-0x0000000075152000-memory.dmp (72KB)
        • memory/2312-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-0-0x0000000000400000-0x00000000005E8000-memory.dmp (1.9MB)
        • memory/2312-10-0x00000000756B0000-0x00000000757A0000-memory.dmp (960KB)
        • memory/2312-12-0x00000000754B0000-0x00000000754BB000-memory.dmp (44KB)
        • memory/2312-11-0x0000000075520000-0x0000000075529000-memory.dmp (36KB)
        • memory/2312-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-14-0x0000000075640000-0x000000007564C000-memory.dmp (48KB)
        • memory/2312-15-0x0000000075260000-0x00000000752AF000-memory.dmp (316KB)
        • memory/2312-16-0x0000000075230000-0x0000000075237000-memory.dmp (28KB)
        • memory/2312-17-0x0000000076C70000-0x0000000076C76000-memory.dmp (24KB)
        • memory/2312-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-13-0x00000000752B0000-0x0000000075308000-memory.dmp (352KB)
        • memory/2312-31-0x0000000075210000-0x0000000075221000-memory.dmp (68KB)
        • memory/2312-34-0x000000007EF50000-0x000000007EFAC000-memory.dmp (368KB)
        • memory/2312-36-0x00000000754B0000-0x00000000754BB000-memory.dmp (44KB)
        • memory/2312-38-0x0000000075320000-0x0000000075328000-memory.dmp (32KB)
        • memory/2312-37-0x0000000075200000-0x0000000075209000-memory.dmp (36KB)
        • memory/2312-39-0x00000000754C0000-0x00000000754D7000-memory.dmp (92KB)
        • memory/2312-35-0x00000000751E0000-0x00000000751F9000-memory.dmp (100KB)
        • memory/2312-33-0x0000000075520000-0x0000000075529000-memory.dmp (36KB)
        • memory/2312-41-0x00000000752B0000-0x00000000752B6000-memory.dmp (24KB)
        • memory/2312-42-0x0000000075260000-0x00000000752AF000-memory.dmp (316KB)
        • memory/2312-43-0x0000000075230000-0x0000000075237000-memory.dmp (28KB)
        • memory/2312-44-0x0000000076C70000-0x0000000076C76000-memory.dmp (24KB)
        • memory/2312-40-0x00000000756B0000-0x00000000757A0000-memory.dmp (960KB)
        • memory/2312-32-0x00000000751D0000-0x00000000751DF000-memory.dmp (60KB)
        • memory/2312-30-0x0000000000400000-0x00000000005E8000-memory.dmp (1.9MB)