lumma | af14faa83ef43be891fd0e87d3cce5d37d90d372e8892b2a98c5eda8e67ca727

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
Size

13.4MB
MD5

fd09d779314b96903f5e3ff6c27ce8d5
SHA1

8edf0094f78382493b299992ab2d626e1abbf4c8
SHA256

af14faa83ef43be891fd0e87d3cce5d37d90d372e8892b2a98c5eda8e67ca727
SHA512

454854085073a214fd0642b786e4918aae9674e197a4dc1185de45b3bc31342d8f426a7ee2060cfb563c5daec4cec61a46058cc9be2d18040615f85aba5d530a
SSDEEP

196608:dYAgzUvRdvzUGZkof8M3hBiIEo0LMkxa3VFVUPRE7Yrwr1rXrrr/rirur/rTrXrv:ZPvzfvf8MviIEooMsa3WM

Score

10^/10

lumma persistence stealer

Malware Config

Extracted

Family

lumma

https://palmeventeryjusk.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aoradic3 = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\MHOST.exeꘀ"	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

pid process

372 2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

pid	process
372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

description	pid	process	target process
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
PID 372 wrote to memory of 3100	372	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe	2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-24_fd09d779314b96903f5e3ff6c27ce8d5_magniber.exe"
  2⤵
  PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-0-0x0000000000400000-0x0000000001183000-memory.dmp

Filesize
13.5MB

Download
memory/372-1-0x0000000000400000-0x0000000001183000-memory.dmp

Filesize
13.5MB

Download
memory/372-2-0x0000000000400000-0x0000000001183000-memory.dmp

Filesize
13.5MB

Download
memory/372-3-0x0000000000400000-0x0000000001183000-memory.dmp

Filesize
13.5MB

Download
memory/372-9-0x0000000000400000-0x0000000001183000-memory.dmp

Filesize
13.5MB

Download
memory/3100-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3100-6-0x0000000001190000-0x00000000011DF000-memory.dmp

Filesize
316KB

Download
memory/3100-7-0x0000000001190000-0x00000000011DF000-memory.dmp

Filesize
316KB

Download
memory/3100-8-0x0000000001190000-0x00000000011DF000-memory.dmp

Filesize
316KB

Download
memory/3100-11-0x0000000001190000-0x00000000011DF000-memory.dmp

Filesize
316KB

Download