Analysis Overview
SHA256
73dea3ec1437dd358cc7c48d80bcd41001c79bf344a3039908159a9bed5d8583
Threat Level: Known bad
The file a948976eded517477a4f71a15578a9e1 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Detect Lumma Stealer payload V4
Lumma family
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-27 13:33
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 13:33
Reported
2024-02-27 13:35
Platform
win7-20240221-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\lass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lass.exe | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2248 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
| PID 2248 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
| PID 2248 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
| PID 2248 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe
"C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe"
C:\Windows\SysWOW64\lass.exe
C:\Windows\system32\lass.exe
Network
Files
\Windows\SysWOW64\lass.exe
| Hash | Value |
| --- | --- |
| MD5 | a948976eded517477a4f71a15578a9e1 |
| SHA1 | 3762de142aae4044829461ed186a9b397e668d1f |
| SHA256 | 73dea3ec1437dd358cc7c48d80bcd41001c79bf344a3039908159a9bed5d8583 |
| SHA512 | f935453f15ba296b47be1c273f97512eefb61659065442024db92c864d2edfe281b252fb91c8e39111dab26d10747c821285799e11e38c11a835d28d8ec5117f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 13:33
Reported
2024-02-27 13:35
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
112s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\lass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File created | C:\Windows\SysWOW64\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe\lass.exe | C:\Windows\SysWOW64\lass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lass.exe | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3280 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
| PID 3280 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
| PID 3280 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe | C:\Windows\SysWOW64\lass.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe
"C:\Users\Admin\AppData\Local\Temp\a948976eded517477a4f71a15578a9e1.exe"
C:\Windows\SysWOW64\lass.exe
C:\Windows\system32\lass.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\lass.exe
| Hash | Value |
| --- | --- |
| MD5 | a948976eded517477a4f71a15578a9e1 |
| SHA1 | 3762de142aae4044829461ed186a9b397e668d1f |
| SHA256 | 73dea3ec1437dd358cc7c48d80bcd41001c79bf344a3039908159a9bed5d8583 |
| SHA512 | f935453f15ba296b47be1c273f97512eefb61659065442024db92c864d2edfe281b252fb91c8e39111dab26d10747c821285799e11e38c11a835d28d8ec5117f |