Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
submitted: 21-02-2024 20:33

Static task: static1
Behavioral task: behavioral1
Sample: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
Resource: win7-20240221-en
General
Target: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
Size: 5.7MB
MD5: 839999b53169bec8744194c3e49970ce
SHA1: 8e2cbf38b74b64f12fa7dd108c8f593de9de5058
SHA256: 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad
SHA512: b22658a490474ab7cd1e47ed7ce3f0ff8e7876d31345dc2ee8505588efb53b234b20c1b4622131044612fb10db4e32605d3cec1a323fe4e1206b6f02189e5857
SSDEEP: 98304:+JiYFsQ19IoMpBeqdtkGjbk8HdG3x25jtqjHqA2VptdmZ8633CTL6:e919IoMfeqsG/kkkxEyx2pt0A
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 (24 IoCs)
resource: 24 memory dumps of PID 640, all of the same region 0x0000000010000000-0x000000001080D000 (behavioral2/memory/640-13076-0x0000000010000000-0x000000001080D000-memory.dmp, then dump indices 13078 through 13100 with the same region)
yara_rule: family_lumma_v4 on every one of the 24 dumps
-
Executes dropped EXE (1 IoC)
pid / Process: 640 XFKLN.exe
-
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: XFKLN.exe
File opened (read-only), in the order recorded: \??\N: \??\O: \??\E: \??\G: \??\I: \??\U: \??\Z: \??\H: \??\K: \??\R: \??\P: \??\W: \??\X: \??\A: \??\B: \??\M: \??\S: \??\T: \??\V: \??\Y: \??\J: \??\L: \??\Q:
(23 drive roots: every letter except C:, D: and F:)
-
Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
pid / Process: 640 XFKLN.exe, 64 times
-
Suspicious use of SetWindowsHookEx (6 IoCs)
pid / Process: 4988 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe (2 times); 640 XFKLN.exe (4 times)
-
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 4988 wrote to memory of 640 (3 times)
pid / Process: 4988 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
procid_target: 86
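The signature records above are rendered as flattened text, which hides the two facts an analyst wants first: the 24 YARA hits are one memory region of one process, and the drive opens and WriteProcessMemory records describe one parent writing into one child. The following Python is an added example, not part of this report and not tria.ge's own tooling. It parses the three record types back into structured IoCs, collapses the dumps per region, counts distinct drive roots per process (the threshold of five roots is an assumption), and turns the write records into parent-to-child edges. The input is constructed from the records on this page, rebuilt from their values rather than pasted.

```python
"""Parse flattened Triage-style signature records into structured IoCs.

Added example for this report, not tria.ge's own tooling. The input below is
constructed from the IoC records on this page (same values, rebuilt rather
than pasted). The drive-enumeration threshold is an assumption, not a rule
the sandbox documents.
"""
import re
from collections import Counter, defaultdict

# Constructed input, rebuilt from the report's records.
# 24 YARA hits: dump 13076, then 13078 through 13100, all on the same region.
MEMORY_IOCS = " ".join(
    "behavioral2/memory/640-%d-0x0000000010000000-0x000000001080D000-memory.dmp family_lumma_v4" % i
    for i in [13076, *range(13078, 13101)]
)
# 23 drive-root opens by XFKLN.exe, in the order the report lists them.
DRIVE_IOCS = " ".join(
    r"File opened (read-only) \??\%s: XFKLN.exe" % c for c in "NOEGIUZHKRPWXABMSTVYJLQ"
)
# 3 identical WriteProcessMemory records: description, pid, Process, procid_target.
SAMPLE = "6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"
WRITE_IOCS = ("PID 4988 wrote to memory of 640 4988 %s 86 " % SAMPLE) * 3

MEMORY_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<dump>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):\s+(?P<proc>\S+)")
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)"
)
ALL_LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_memory_hits(text):
    """Collapse per-dump YARA hits to (pid, start, end, rule) -> number of dumps."""
    hits = Counter()
    for m in MEMORY_RE.finditer(text):
        hits[(int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"])] += 1
    return hits


def parse_drive_opens(text):
    """Map process name -> sorted distinct drive letters it opened read-only."""
    letters = defaultdict(set)
    for m in DRIVE_RE.finditer(text):
        letters[m["proc"]].add(m["letter"])
    return {proc: sorted(s) for proc, s in letters.items()}


def parse_process_writes(text):
    """Count cross-process writes as (writer_pid, target_pid, writer_name) edges."""
    edges = Counter()
    for m in WRITE_RE.finditer(text):
        edges[(int(m["src"]), int(m["dst"]), m["proc"])] += 1
    return edges


def drive_enumeration_verdict(letters, threshold=5):
    """Assumed heuristic: opening >= threshold roots other than C: is enumeration."""
    touched = set(letters) - {"C"}
    return {
        "enumerating": len(touched) >= threshold,
        "touched": len(touched),
        "untouched": sorted(ALL_LETTERS - set(letters)),
    }


def summarize(memory_text, drive_text, write_text):
    """One finding line per collapsed IoC group, the way an analyst would note them."""
    findings = []
    for (pid, start, end, rule), n in parse_memory_hits(memory_text).items():
        size_mib = (end - start) / (1024 * 1024)
        findings.append(
            f"{rule}: {n} dumps of PID {pid} region 0x{start:08X}-0x{end:08X} ({size_mib:.2f} MiB)"
        )
    for proc, letters in parse_drive_opens(drive_text).items():
        verdict = drive_enumeration_verdict(letters)
        if verdict["enumerating"]:
            findings.append(
                f"{proc} opened {verdict['touched']} drive roots; "
                f"not opened: {', '.join(verdict['untouched'])}"
            )
    for (src, dst, name), n in parse_process_writes(write_text).items():
        findings.append(f"{name} (PID {src}) wrote into PID {dst} {n} times; dump PID {dst}")
    return findings


if __name__ == "__main__":
    for line in summarize(MEMORY_IOCS, DRIVE_IOCS, WRITE_IOCS):
        print(line)
```

Run as a script it prints three findings: one Lumma region of about 8 MiB in PID 640 hit 24 times, XFKLN.exe touching every drive root except C:, D: and F:, and the sample (PID 4988) writing into PID 640 three times. The third finding is the reason the YARA hits sit in the child: the parent wrote the payload there, so PID 640 is the process whose memory should be carved.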
Processes
1. C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"
   PID: 4988
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\XFKLN.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe
      PID: 640
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 4.0MB
MD5: 70e2a5441ff815abe5a6d82ef4a8bda8
SHA1: dd45b3fb8fbeff69273f570075bfaae280dcb9fd
SHA256: 13fec20b1f4f691814ec9416c892977e0b6554d70cdab320e28caa06a14b60c8
SHA512: 2e9a3098f94d5f3a3d57f416e00ca1c053cd5d4670a454b88aae69126aa7dcbada6191bcabcbf80b49727df0ee9bda7245ba57a6fa310fe56c7f5bb96db9c4e6
-
Filesize: 4.8MB
MD5: f6f13f509acd3f40d38f2531eafe982f
SHA1: 676d36796d47892482fd3cf421b20849c322bd0e
SHA256: a9448932f0140d39378e56c63d1be30aa77cd72ce433b26e695dafd98691b216
SHA512: f47b161040ac5b7d658342139ca7944b1530b0a8f9d07d9c245991493f135944609c64c4cf923ce3e35b4773f76e2bb7f1ff6721728e5b520dbd801f545f86e4