lumma | 14c33aa6a0f7ab361be5f99ccdc9f56f14cde20b6a526d5e26e58c94de107320

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
Size

13.2MB
MD5

0302f17317ac9872d688400bb2bbfd25
SHA1

97c2d547aee9f7253e4eeb32520c696b6063c7d3
SHA256

14c33aa6a0f7ab361be5f99ccdc9f56f14cde20b6a526d5e26e58c94de107320
SHA512

60d8e0bf675d50aa0bca56c16e5822ddbd3794807556bc7d1d8d85cd41b1d237c5d57577cc19ad3024edc31e926f4321958d3a91a85026546d24ee1ec2fde7d6
SSDEEP

196608:HYAgzUvfvzUGZkof8M3hBiIEo0LMkxa3VFVUPsy:znvzfvf8MviIEooMsa3WJ

Score

10^/10

lumma persistence stealer

Malware Config

Extracted

Family

lumma

https://exceptionwillapews.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aoradic3 = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\MHOST.exe"	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

pid process

3936 2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

pid	process
3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

description	pid	process	target process
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
PID 3936 wrote to memory of 1872	3936	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe	2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-26_0302f17317ac9872d688400bb2bbfd25_magniber.exe"
  2⤵
  PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1048 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-6-0x0000000001150000-0x000000000119F000-memory.dmp

Filesize
316KB

Download
memory/1872-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1872-7-0x0000000001150000-0x000000000119F000-memory.dmp

Filesize
316KB

Download
memory/1872-8-0x0000000001150000-0x000000000119F000-memory.dmp

Filesize
316KB

Download
memory/1872-11-0x0000000001150000-0x000000000119F000-memory.dmp

Filesize
316KB

Download
memory/3936-0-0x0000000000400000-0x000000000114C000-memory.dmp

Filesize
13.3MB

Download
memory/3936-1-0x0000000000400000-0x000000000114C000-memory.dmp

Filesize
13.3MB

Download
memory/3936-2-0x0000000000400000-0x000000000114C000-memory.dmp

Filesize
13.3MB

Download
memory/3936-3-0x0000000000400000-0x000000000114C000-memory.dmp

Filesize
13.3MB

Download
memory/3936-9-0x0000000000400000-0x000000000114C000-memory.dmp

Filesize
13.3MB

Download