lumma | aa8c290181a84955417dd9d3535d5941999d035a308742775c3096f1e20ea187

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12.0MB
MD5

a7118dffeac3772076f1a39a364d608d
SHA1

6b984d9446f23579e154ec47437b9cf820fd6b67
SHA256

f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0
SHA512

f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890
SSDEEP

98304:ReAtQzKADvk/9TEaImN9/tiHBIn8c3hCEFRUTaZnPZOtXwH:ReAOWOM/FE1mNHiFc3hr7UTaZnhOtXwH

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://survivedosaz.shop/api

https://applyzxcksdia.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 1480	3952	Setup.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1868	848	WerFault.exe	96
4216	848	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3952	Setup.exe
3952	Setup.exe
1480	cmd.exe
1480	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3952	Setup.exe
1480	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1480	3952	Setup.exe	87
PID 3952 wrote to memory of 1480	3952	Setup.exe	87
PID 3952 wrote to memory of 1480	3952	Setup.exe	87
PID 3952 wrote to memory of 1480	3952	Setup.exe	87
PID 1480 wrote to memory of 848	1480	cmd.exe	96
PID 1480 wrote to memory of 848	1480	cmd.exe	96
PID 1480 wrote to memory of 848	1480	cmd.exe	96
PID 1480 wrote to memory of 848	1480	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1376
      4⤵
      Program crash
      PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1436
      4⤵
      Program crash
      PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 848 -ip 848
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 848 -ip 848
1⤵
PID:3220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3381247e

Filesize
1008KB

MD5
13f824c7dc5722a865925a4504cd793c

SHA1
b337c3ec32b00e2b47b22b8279342bcb4490033f

SHA256
fee7ce91f37025394ce83070d4948e8b44a543fd9687c94077c8c8aeb3e3b925

SHA512
5632d3a70051e773ab002719feaebc18db275e4b54d4e5efdbc085fcfac3afdc9d59dcd017970388f547ad86c52e8a0c6a8955f15e64660c50960549d88ccbbd

Download Submit
memory/848-22-0x0000000001200000-0x0000000001257000-memory.dmp

Filesize
348KB

Download
memory/848-21-0x0000000000B73000-0x0000000000B7B000-memory.dmp

Filesize
32KB

Download
memory/848-18-0x0000000001200000-0x0000000001257000-memory.dmp

Filesize
348KB

Download
memory/848-17-0x00007FFFC1B10000-0x00007FFFC1D05000-memory.dmp

Filesize
2.0MB

Download
memory/1480-12-0x00000000759E0000-0x0000000075B5B000-memory.dmp

Filesize
1.5MB

Download
memory/1480-11-0x00007FFFC1B10000-0x00007FFFC1D05000-memory.dmp

Filesize
2.0MB

Download
memory/1480-14-0x00000000759E0000-0x0000000075B5B000-memory.dmp

Filesize
1.5MB

Download
memory/1480-13-0x00000000759EE000-0x00000000759F0000-memory.dmp

Filesize
8KB

Download
memory/1480-16-0x00000000759E0000-0x0000000075B5B000-memory.dmp

Filesize
1.5MB

Download
memory/1480-23-0x00000000759EE000-0x00000000759F0000-memory.dmp

Filesize
8KB

Download
memory/3952-9-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/3952-0-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/3952-7-0x00007FFFA3AC0000-0x00007FFFA3C32000-memory.dmp

Filesize
1.4MB

Download
memory/3952-6-0x00007FFFA3AC0000-0x00007FFFA3C32000-memory.dmp

Filesize
1.4MB

Download
memory/3952-5-0x00007FFFA3AD8000-0x00007FFFA3AD9000-memory.dmp

Filesize
4KB

Download
memory/3952-1-0x00007FFFA3AC0000-0x00007FFFA3C32000-memory.dmp

Filesize
1.4MB

Download