lumma | 4ab8408183648d617e24a70a4ea8f346af352f6f1b476d2e6d54be518ca969d0

Analysis

max time kernel
509s
max time network
872s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/07/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ulpack.zip
Size

6.5MB
MD5

7af54421bb1721f32f367db1ce8d6684
SHA1

2a8743d1044c60833419e99d3a89785780880d04
SHA256

4ab8408183648d617e24a70a4ea8f346af352f6f1b476d2e6d54be518ca969d0
SHA512

4f158c5fa4f0895e7e0ad7eb15213a4795a9666766b6909bb2220a7afd64dc14bab1963a5ebde1cd7faf4da43d825b6697e0abee783548791d7f110fd0d63646
SSDEEP

98304:TmWk33PIqMUkzImWk33PIqMUksjY1jzcW3PZjmWk3zmWkUs/oV0b:TmvHPI4kUmvHPI4ksjYxlhjmvDmv4y

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://celosiapatroen.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 4556	1880	Ulpack.exe	82
PID 5044 set thread context of 4224	5044	Ulpack.exe	88
PID 3868 set thread context of 2328	3868	Ulpack.exe	93
PID 1144 set thread context of 5076	1144	Ulpack.exe	97
PID 660 set thread context of 1880	660	Ulpack.exe	106
PID 4776 set thread context of 1172	4776	Ulpack.exe	114
PID 3864 set thread context of 96	3864	Ulpack.exe	128

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Program crash 14 IoCs

pid	pid_target	Process	procid_target
1452	4556	WerFault.exe	82
2836	4556	WerFault.exe	82
2500	4224	WerFault.exe	88
1600	4224	WerFault.exe	88
5000	2328	WerFault.exe	93
5048	2328	WerFault.exe	93
4304	5076	WerFault.exe	97
4172	5076	WerFault.exe	97
1844	1880	WerFault.exe	106
4480	1880	WerFault.exe	106
2040	1172	WerFault.exe	114
4932	1172	WerFault.exe	114
164	96	WerFault.exe	128
2564	96	WerFault.exe	128

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 1880 wrote to memory of 4556	1880	Ulpack.exe	82
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 5044 wrote to memory of 4224	5044	Ulpack.exe	88
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 3868 wrote to memory of 2328	3868	Ulpack.exe	93
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 1144 wrote to memory of 5076	1144	Ulpack.exe	97
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 660 wrote to memory of 1880	660	Ulpack.exe	106
PID 4776 wrote to memory of 4196	4776	Ulpack.exe	113
PID 4776 wrote to memory of 4196	4776	Ulpack.exe	113
PID 4776 wrote to memory of 4196	4776	Ulpack.exe	113
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 4776 wrote to memory of 1172	4776	Ulpack.exe	114
PID 3864 wrote to memory of 4364	3864	Ulpack.exe	127
PID 3864 wrote to memory of 4364	3864	Ulpack.exe	127
PID 3864 wrote to memory of 4364	3864	Ulpack.exe	127
PID 3864 wrote to memory of 96	3864	Ulpack.exe	128
PID 3864 wrote to memory of 96	3864	Ulpack.exe	128
PID 3864 wrote to memory of 96	3864	Ulpack.exe	128
PID 3864 wrote to memory of 96	3864	Ulpack.exe	128

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Ulpack.zip
1⤵
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3628

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1200
    3⤵
    - Program crash
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1256
    3⤵
    - Program crash
    PID:1452

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1156
    3⤵
    - Program crash
    PID:1600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1236
    3⤵
    - Program crash
    PID:2500

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 624
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1128
    3⤵
    - Program crash
    PID:5048

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1116
    3⤵
    - Program crash
    PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1116
    3⤵
    - Program crash
    PID:4172

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:3220

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1144
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1216
    3⤵
    - Program crash
    PID:1844

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 1212
    3⤵
    - Program crash
    PID:2040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 660
    3⤵
    - Program crash
    PID:4932

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Users\Admin\Desktop\Ulpack\Ulpack.exe
"C:\Users\Admin\Desktop\Ulpack\Ulpack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:96
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 96 -s 644
    3⤵
    - Program crash
    PID:164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 96 -s 644
    3⤵
    - Program crash
    PID:2564

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Ulpack\read me (Password 2929).txt
1⤵
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/660-22-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/660-20-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/1144-16-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/1144-18-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/1880-3-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/1880-2-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1880-0-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/3864-32-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/3864-30-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/3868-12-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/3868-14-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/4556-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4556-7-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4556-6-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4556-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4776-24-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/4776-26-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/5044-10-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download
memory/5044-8-0x00000000002E0000-0x0000000000477000-memory.dmp

Filesize
1.6MB

Download