Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 13:33
Behavioral task: behavioral1
- Sample: a948976eded517477a4f71a15578a9e1.exe
- Resource: win7-20240221-en
General
- Target: a948976eded517477a4f71a15578a9e1.exe
- Size: 104KB
- MD5: a948976eded517477a4f71a15578a9e1
- SHA1: 3762de142aae4044829461ed186a9b397e668d1f
- SHA256: 73dea3ec1437dd358cc7c48d80bcd41001c79bf344a3039908159a9bed5d8583
- SHA512: f935453f15ba296b47be1c273f97512eefb61659065442024db92c864d2edfe281b252fb91c8e39111dab26d10747c821285799e11e38c11a835d28d8ec5117f
- SSDEEP: 1536:SXpTCaBA4oCe7TX454bdgunpIr/5OlJ8bBjXO1IK3hrDNljWLVI/S:WpTSZhgB5OlJ8bBK1IChrDNl
Malware Config
Signatures
- Detect Lumma Stealer payload V4 (1 IoC)
  resource | yara_rule
  \Windows\SysWOW64\lass.exe | family_lumma_v4
- Executes dropped EXE (1 IoC)
  Processes: lass.exe
  pid | process
  1876 | lass.exe
- Loads dropped DLL (2 IoCs)
  Processes: a948976eded517477a4f71a15578a9e1.exe
  pid | process
  2248 | a948976eded517477a4f71a15578a9e1.exe
  2248 | a948976eded517477a4f71a15578a9e1.exe
- Drops file in System32 directory (28 IoCs)
  Processes: lass.exe, a948976eded517477a4f71a15578a9e1.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File opened for modification | C:\Windows\SysWOW64\lass.exe | a948976eded517477a4f71a15578a9e1.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe | a948976eded517477a4f71a15578a9e1.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
  File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | lass.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: a948976eded517477a4f71a15578a9e1.exe
  description | pid | process | target process
  PID 2248 wrote to memory of 1876 | 2248 | a948976eded517477a4f71a15578a9e1.exe | lass.exe
  PID 2248 wrote to memory of 1876 | 2248 | a948976eded517477a4f71a15578a9e1.exe | lass.exe
  PID 2248 wrote to memory of 1876 | 2248 | a948976eded517477a4f71a15578a9e1.exe | lass.exe
  PID 2248 wrote to memory of 1876 | 2248 | a948976eded517477a4f71a15578a9e1.exe | lass.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe"
  PID: 2248
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\lass.exe
    Command line: C:\Windows\system32\lass.exe
    PID: 1876
    - Executes dropped EXE
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 104KB
- MD5: a948976eded517477a4f71a15578a9e1
- SHA1: 3762de142aae4044829461ed186a9b397e668d1f
- SHA256: 73dea3ec1437dd358cc7c48d80bcd41001c79bf344a3039908159a9bed5d8583
- SHA512: f935453f15ba296b47be1c273f97512eefb61659065442024db92c864d2edfe281b252fb91c8e39111dab26d10747c821285799e11e38c11a835d28d8ec5117f