Analysis

max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/01/2024, 17:58

Static task: static1
Behavioral task: behavioral1
Sample: 5aec0e99db7bd449edb9a923df3a2c27.exe
Resource: win7-20231215-en
General

Target: 5aec0e99db7bd449edb9a923df3a2c27.exe
Size: 987KB
MD5: 5aec0e99db7bd449edb9a923df3a2c27
SHA1: 1bcbfd66a0c5f10aa4a1437a7cd23c706418f282
SHA256: 9f51d19f0129696e8086dcf8bc470180c210a175f2b0fdfc91163d46a67a7f37
SHA512: 52cab3ff8fd5c37c22d576951acdb5373470ea194492bd70a01e3602a9f4cd7f56d604af49caed17e04da65eda74b117d2e8b20ac3ad0d58b4cd49eafa17cb32
SSDEEP: 24576:lfQvLUcdAIwlXeXIU2Tq2fGsuR2HTCRoe/1B:lfQjUchwl4IUcq2HuYHm3
Signatures
Detect Lumma Stealer payload V4 (5 IoCs)

  resource                                                                     yara_rule
  behavioral2/memory/5012-10-0x0000000000400000-0x00000000005E8000-memory.dmp  family_lumma_v4
  behavioral2/files/0x0007000000023221-17.dat                                  family_lumma_v4
  behavioral2/memory/5012-19-0x0000000000400000-0x00000000005E8000-memory.dmp  family_lumma_v4
  behavioral2/files/0x0007000000023221-25.dat                                  family_lumma_v4
  behavioral2/files/0x0007000000023221-28.dat                                  family_lumma_v4

Executes dropped EXE (10 IoCs)

  pid   Process
  3392  wuaudit.exe
  1008  wuaudit.exe
  3084  wuaudit.exe
  1528  wuaudit.exe
  4348  wuaudit.exe
  5112  wuaudit.exe
  3064  wuaudit.exe
  664   wuaudit.exe
  4228  wuaudit.exe
  1876  wuaudit.exe

Drops file in System32 directory (22 IoCs; identical entries are collapsed, count = number of occurrences)

  description                   ioc                              Process                               count
  File created                  C:\Windows\SysWOW64\wuaudit.exe  5aec0e99db7bd449edb9a923df3a2c27.exe  1
  File opened for modification  C:\Windows\SysWOW64\wuaudit.exe  5aec0e99db7bd449edb9a923df3a2c27.exe  1
  File created                  C:\Windows\SysWOW64\wuaudit.exe  wuaudit.exe                           10
  File opened for modification  C:\Windows\SysWOW64\wuaudit.exe  wuaudit.exe                           10

Suspicious use of WriteProcessMemory (30 IoCs; each write is logged three times, collapsed here with count = number of occurrences)

  description                       pid   Process                               procid_target  count
  PID 5012 wrote to memory of 3392  5012  5aec0e99db7bd449edb9a923df3a2c27.exe  89             3
  PID 3392 wrote to memory of 1008  3392  wuaudit.exe                           101            3
  PID 1008 wrote to memory of 3084  1008  wuaudit.exe                           103            3
  PID 3084 wrote to memory of 1528  3084  wuaudit.exe                           105            3
  PID 1528 wrote to memory of 4348  1528  wuaudit.exe                           106            3
  PID 4348 wrote to memory of 5112  4348  wuaudit.exe                           108            3
  PID 5112 wrote to memory of 3064  5112  wuaudit.exe                           109            3
  PID 3064 wrote to memory of 664   3064  wuaudit.exe                           118            3
  PID 664 wrote to memory of 4228   664   wuaudit.exe                           119            3
  PID 4228 wrote to memory of 1876  4228  wuaudit.exe                           123            3
Processes

Process tree (depth shown as the leading number; each entry is the child of the one above it, matching the WriteProcessMemory chain):

1. C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
   PID: 5012
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

2. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1184 "C:\Users\Admin\AppData\Local\Temp\5aec0e99db7bd449edb9a923df3a2c27.exe"
   PID: 3392
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1128 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 1008
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

4. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1088 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 3084
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

5. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1100 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 1528
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

6. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1104 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 4348
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

7. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1112 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 5112
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

8. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1092 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 3064
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

9. C:\Windows\SysWOW64\wuaudit.exe
   command line: C:\Windows\system32\wuaudit.exe 1116 "C:\Windows\SysWOW64\wuaudit.exe"
   PID: 664
   - Executes dropped EXE
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

10. C:\Windows\SysWOW64\wuaudit.exe
    command line: C:\Windows\system32\wuaudit.exe 1120 "C:\Windows\SysWOW64\wuaudit.exe"
    PID: 4228
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

11. C:\Windows\SysWOW64\wuaudit.exe
    command line: C:\Windows\system32\wuaudit.exe 1124 "C:\Windows\SysWOW64\wuaudit.exe"
    PID: 1876
    - Executes dropped EXE
    - Drops file in System32 directory
Downloads

Filesize: 1.6MB
MD5: 7fffaf18f426d754485258a826ad4de3
SHA1: 168c8f02ddeb714fa1090939aea68164489bfc0a
SHA256: 4ba88f7cda7b2f8564738894b99f8a9a60c5bb6e4e65687752007afcdf6bce85
SHA512: b2d71d4ee4890cd8bad02c4875787d9283024dc4af34dfe80541afbb23d5c9570e34c9f405ce7feaff56494f7395dc87773a890f97f578dc11f30f9b92aa81cf

Filesize: 98KB
MD5: a12f2de24349ac5e2a98d50cec31d85b
SHA1: 04f4447f7c69045e73ac3e480b4b4c426660bfc3
SHA256: 36eb25cf1284912eaf7c0d1b30e1b997f3e23c9f8556d657e71d96103004c43d
SHA512: 2016e51022cf62cc6996db5e39f9c8ab30ef0219069901120731002a2e5936ef064949d8ff18a9307dd066790a2f13de2ae70734cbb195d3655708d4c4998c84

Filesize: 1.1MB
MD5: 282aad35586adda69ea5476e0e5261cf
SHA1: c13d068f8c37fec715c0e75003c9239db45a2e21
SHA256: 4163a3ae0fd9d2ad2d672f59a1672fd5ad80464d295b0041db6a7f24bf754f70
SHA512: 3a5c1c6eeb1079741f2f358665f92ee8fded26f987629aedd5cb35a1a127a43e220d269b81c32a6eb1743dba9ef6f7b65dc190ee095ab7633087d01047d5e123