Analysis

max time kernel: 141s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 14/01/2024, 17:58

Static task: static1
Behavioral task: behavioral1
Sample: 5aec0e99db7bd449edb9a923df3a2c27.exe
Resource: win7-20231215-en

General

Target: 5aec0e99db7bd449edb9a923df3a2c27.exe
Size: 987KB
MD5: 5aec0e99db7bd449edb9a923df3a2c27
SHA1: 1bcbfd66a0c5f10aa4a1437a7cd23c706418f282
SHA256: 9f51d19f0129696e8086dcf8bc470180c210a175f2b0fdfc91163d46a67a7f37
SHA512: 52cab3ff8fd5c37c22d576951acdb5373470ea194492bd70a01e3602a9f4cd7f56d604af49caed17e04da65eda74b117d2e8b20ac3ad0d58b4cd49eafa17cb32
SSDEEP: 24576:lfQvLUcdAIwlXeXIU2Tq2fGsuR2HTCRoe/1B:lfQjUchwl4IUcq2HuYHm3
Malware Config

Signatures

Detect Lumma Stealer payload V4 (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/files/0x000b000000012185-21.dat                                   family_lumma_v4
  behavioral1/files/0x000b000000012185-25.dat                                   family_lumma_v4
  behavioral1/files/0x000b000000012185-29.dat                                   family_lumma_v4
  behavioral1/memory/2312-30-0x0000000000400000-0x00000000005E8000-memory.dmp   family_lumma_v4

Executes dropped EXE (10 IoCs)
  pid    Process
  2868   wuaudit.exe
  2636   wuaudit.exe
  1664   wuaudit.exe
  2904   wuaudit.exe
  1300   wuaudit.exe
  1292   wuaudit.exe
  2200   wuaudit.exe
  2112   wuaudit.exe
  2948   wuaudit.exe
  1532   wuaudit.exe

Loads dropped DLL (20 IoCs; two entries per process)
  pid    Process
  2312   5aec0e99db7bd449edb9a923df3a2c27.exe   (x2)
  2868   wuaudit.exe                            (x2)
  2636   wuaudit.exe                            (x2)
  1664   wuaudit.exe                            (x2)
  2904   wuaudit.exe                            (x2)
  1300   wuaudit.exe                            (x2)
  1292   wuaudit.exe                            (x2)
  2200   wuaudit.exe                            (x2)
  2112   wuaudit.exe                            (x2)
  2948   wuaudit.exe                            (x2)

Drops file in System32 directory (22 IoCs; identical entries collapsed, count on the right)
  description                     ioc                               Process                                 count
  File created                    C:\Windows\SysWOW64\wuaudit.exe   5aec0e99db7bd449edb9a923df3a2c27.exe    1
  File opened for modification    C:\Windows\SysWOW64\wuaudit.exe   5aec0e99db7bd449edb9a923df3a2c27.exe    1
  File created                    C:\Windows\SysWOW64\wuaudit.exe   wuaudit.exe                             10
  File opened for modification    C:\Windows\SysWOW64\wuaudit.exe   wuaudit.exe                             10

Suspicious use of WriteProcessMemory (40 IoCs; each parent-to-child write was logged four times, collapsed here)
  description                         pid    Process                                 procid_target   count
  PID 2312 wrote to memory of 2868    2312   5aec0e99db7bd449edb9a923df3a2c27.exe    28              4
  PID 2868 wrote to memory of 2636    2868   wuaudit.exe                             29              4
  PID 2636 wrote to memory of 1664    2636   wuaudit.exe                             32              4
  PID 1664 wrote to memory of 2904    1664   wuaudit.exe                             33              4
  PID 2904 wrote to memory of 1300    2904   wuaudit.exe                             34              4
  PID 1300 wrote to memory of 1292    1300   wuaudit.exe                             35              4
  PID 1292 wrote to memory of 2200    1292   wuaudit.exe                             36              4
  PID 2200 wrote to memory of 2112    2200   wuaudit.exe                             37              4
  PID 2112 wrote to memory of 2948    2112   wuaudit.exe                             38              4
  PID 2948 wrote to memory of 1532    2948   wuaudit.exe                             39              4
Processes

Observed chain: the submitted sample (PID 2312) writes wuaudit.exe into C:\Windows\SysWOW64, launches it with its own path as the quoted argument, and every wuaudit.exe instance in turn writes into the memory of, and starts, the next one, ten generations deep (PIDs 2868 through 1532). Each command line references C:\Windows\system32\wuaudit.exe while the image on disk is C:\Windows\SysWOW64\wuaudit.exe: the processes are 32-bit (see the arch:x86 resource tag) and are subject to WOW64 file-system redirection, so hunting on the SysWOW64 path is the reliable pivot. Only the last instance (PID 1532) neither loads a dropped DLL nor writes to another process.

Level 1: C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
  PID: 2312
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 568 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
  PID: 2868
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 516 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 2636
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 524 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 1664
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 528 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 2904
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 532 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 1300
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 520 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 1292
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 540 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 2200
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 544 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 2112
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 10: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 548 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 2948
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

Level 11: C:\Windows\SysWOW64\wuaudit.exe
  Command line: C:\Windows\system32\wuaudit.exe 536 "C:\Windows\SysWOW64\wuaudit.exe"
  PID: 1532
  - Executes dropped EXE
  - Drops file in System32 directory
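The process tree above is easier to reason about as data than as a list: the chain has a fixed image name, a quoted parent path and a numeric argument at every hop. The script below is an added example and is not part of the sandbox report or of any vendor tooling. It rebuilds the parent-to-child chain from the WriteProcessMemory IoCs, checks every hop's command line against the relaunch shape seen here (<path>\<name>.exe <integer> "<launching image>"), and summarises depth, image constancy and how many hops name their own binary as the parent. Both inputs are constructed from this report; the meaning of the integer between the path and the quoted parent is not stated in the report and the code only records it.

```python
"""Reconstruct the wuaudit.exe relaunch chain from sandbox IoCs.

Added example; not from the sandbox report or any vendor tooling. Inputs are
constructed from this report's WriteProcessMemory IoCs and Processes section.
The integer between image path and quoted parent is of unstated meaning; it is
recorded, not interpreted.
"""
import re
from collections import Counter

# Constructed from the report: one line per parent->child pair (the sandbox
# logged each write four times; duplicates are omitted here).
WPM_IOCS = """\
PID 2312 wrote to memory of 2868 2312 5aec0e99db7bd449edb9a923df3a2c27.exe 28
PID 2868 wrote to memory of 2636 2868 wuaudit.exe 29
PID 2636 wrote to memory of 1664 2636 wuaudit.exe 32
PID 1664 wrote to memory of 2904 1664 wuaudit.exe 33
PID 2904 wrote to memory of 1300 2904 wuaudit.exe 34
PID 1300 wrote to memory of 1292 1300 wuaudit.exe 35
PID 1292 wrote to memory of 2200 1292 wuaudit.exe 36
PID 2200 wrote to memory of 2112 2200 wuaudit.exe 37
PID 2112 wrote to memory of 2948 2112 wuaudit.exe 38
PID 2948 wrote to memory of 1532 2948 wuaudit.exe 39
"""

# Constructed from the report's Processes section (pid -> command line).
CMDLINES = {
    2312: r'"C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"',
    2868: r'C:\Windows\system32\wuaudit.exe 568 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"',
    2636: r'C:\Windows\system32\wuaudit.exe 516 "C:\Windows\SysWOW64\wuaudit.exe"',
    1664: r'C:\Windows\system32\wuaudit.exe 524 "C:\Windows\SysWOW64\wuaudit.exe"',
    2904: r'C:\Windows\system32\wuaudit.exe 528 "C:\Windows\SysWOW64\wuaudit.exe"',
    1300: r'C:\Windows\system32\wuaudit.exe 532 "C:\Windows\SysWOW64\wuaudit.exe"',
    1292: r'C:\Windows\system32\wuaudit.exe 520 "C:\Windows\SysWOW64\wuaudit.exe"',
    2200: r'C:\Windows\system32\wuaudit.exe 540 "C:\Windows\SysWOW64\wuaudit.exe"',
    2112: r'C:\Windows\system32\wuaudit.exe 544 "C:\Windows\SysWOW64\wuaudit.exe"',
    2948: r'C:\Windows\system32\wuaudit.exe 548 "C:\Windows\SysWOW64\wuaudit.exe"',
    1532: r'C:\Windows\system32\wuaudit.exe 536 "C:\Windows\SysWOW64\wuaudit.exe"',
}

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) \d+$"
)
# Relaunch shape seen in the report: <path>\<name>.exe <integer> "<launching image>"
RELAUNCH_RE = re.compile(
    r'^(?P<image>\S+?\\(?P<name>[^\\\s]+\.exe)) (?P<num>\d+) "(?P<parent>[^"]+)"$'
)


def parse_wpm(text):
    """Map child pid -> (parent pid, parent image) from WriteProcessMemory IoC lines."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[int(m["dst"])] = (int(m["src"]), m["image"])
    return edges


def chain_from(root, edges):
    """Follow parent->child links from root while each node has exactly one child."""
    children = {}
    for child, (parent, _) in edges.items():
        children.setdefault(parent, []).append(child)
    chain, cur = [root], root
    while len(children.get(cur, [])) == 1:
        cur = children[cur][0]
        chain.append(cur)
    return chain


def analyse_relaunch_chain(edges, cmdlines, root):
    """Summarise the linear chain under `root`: depth, whether every hop matches
    the relaunch shape with one constant image name, and how many hops quote
    their own binary as the launching image."""
    chain = chain_from(root, edges)
    hops = []
    for pid in chain[1:]:
        m = RELAUNCH_RE.match(cmdlines.get(pid, ""))
        if not m:
            return {"chain": chain, "relaunch_pattern": False}
        hops.append({"pid": pid, "name": m["name"].lower(),
                     "num": int(m["num"]), "parent": m["parent"]})
    names = Counter(h["name"] for h in hops)
    return {
        "chain": chain,
        "relaunch_pattern": True,
        "depth": len(hops),
        "single_image": len(names) == 1,
        "image_name": next(iter(names)) if names else None,
        "first_parent": hops[0]["parent"] if hops else None,
        "self_parented_hops": sum(
            h["parent"].lower().endswith("\\" + h["name"]) for h in hops),
        "distinct_numeric_args": len({h["num"] for h in hops}),
    }


if __name__ == "__main__":
    result = analyse_relaunch_chain(parse_wpm(WPM_IOCS), CMDLINES, root=2312)
    print(" -> ".join(map(str, result["chain"])))
    for key in ("depth", "single_image", "image_name", "first_parent",
                "self_parented_hops", "distinct_numeric_args"):
        print(f"{key}: {result[key]}")
```

Run stand-alone it prints the eleven-PID chain, a depth of 10, a single image name (wuaudit.exe), the Temp-directory sample as the first quoted parent and nine hops that quote the SysWOW64 wuaudit.exe itself. For hunting, the durable features are the ones the sandbox observed directly: a freshly created executable in C:\Windows\SysWOW64 that is started with its own path quoted as an argument and then writes into the memory of its child; the numeric argument changes on every hop and is a poor pivot.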
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 576KB
  MD5: ed9232b962aad41714297e8c29e1186b
  SHA1: fa0c1de8a1dfeb6c14d4b55b05bd152de5da8be7
  SHA256: 0a3a1220d257d7a857974ba2d56c8fc52083b4e8ec7da78bfe1cf9f5dcab8cb9
  SHA512: 0e340bd1927a947b2240bc61e0771ed5d65748ff5c5cc70743bc566fe002d70cf37428c41ac76f2663c528cc1c2535a40fb1b1e1545357ded719e39294ee0996

File 2
  Filesize: 256KB
  MD5: a38637a25b9e5598e60c20c107459fb6
  SHA1: ccfc1827cbfeac8deac8a9b0c30d84837d8e7138
  SHA256: 1997f853ace7586a8357adf3ba89aeb4fba935265216842f79ac57f01360e93c
  SHA512: 098eed932d7e66b7e30c965d169833aad397392c24a050d121ee8d43d4a83b97fadf6c18aace96ceb022365634274d950164ef061753b1d3d78311c8c5fe3298

File 3
  Filesize: 1.6MB
  MD5: 7fffaf18f426d754485258a826ad4de3
  SHA1: 168c8f02ddeb714fa1090939aea68164489bfc0a
  SHA256: 4ba88f7cda7b2f8564738894b99f8a9a60c5bb6e4e65687752007afcdf6bce85
  SHA512: b2d71d4ee4890cd8bad02c4875787d9283024dc4af34dfe80541afbb23d5c9570e34c9f405ce7feaff56494f7395dc87773a890f97f578dc11f30f9b92aa81cf