lumma | edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a

Analysis

max time kernel
134s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:53

Target

edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe
Size

24.4MB
MD5

16b332205d167a6a6f76c5293aa8f201
SHA1

40c0fba9107d270cf006f58f4fecc9742f806a2b
SHA256

edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a
SHA512

ff18c351f1f86134f79a535eb5f6045c5dfdf3ab9e632d15a5266c86e25c0cd675a88f457a99f3ae6a92d0929d35f703a366b0d11fac1ffaa09e6f44f39e11f5
SSDEEP

393216:Z8V2nhTIrvYzEWmn+FBhwFDbllTqkl6eFh3zZNgni9HkHxHLCA9arP1A0+3ERPWy:OV2h2QzE0FTIpt6eFl1NykmxeS3u

Score

10^/10

Family

lumma

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4092-0-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	UPX
behavioral2/memory/4092-3-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	UPX
behavioral2/memory/4092-9-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	UPX
behavioral2/memory/4092-11-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	UPX

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4092-0-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	upx
behavioral2/memory/4092-3-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	upx
behavioral2/memory/4092-9-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	upx
behavioral2/memory/4092-11-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe

description pid process target process

PID 4092 set thread context of 1948 4092 edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe BitLockerToGo.exe

description	pid	process	target process
PID 4092 set thread context of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe

description	pid	process	target process
PID 4092 wrote to memory of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe
PID 4092 wrote to memory of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe
PID 4092 wrote to memory of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe
PID 4092 wrote to memory of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe
PID 4092 wrote to memory of 1948	4092	edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe	BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
2⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=3972 /prefetch:8
1⤵
PID:4832

memory/1948-6-0x0000000000C50000-0x0000000000CA6000-memory.dmp

Filesize
344KB

Download
memory/1948-8-0x0000000000C50000-0x0000000000CA6000-memory.dmp

Filesize
344KB

Download
memory/1948-10-0x0000000000C50000-0x0000000000CA6000-memory.dmp

Filesize
344KB

Download
memory/4092-0-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp

Filesize
64.7MB

Download
memory/4092-3-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp

Filesize
64.7MB

Download
memory/4092-9-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp

Filesize
64.7MB

Download
memory/4092-11-0x00007FF7D1420000-0x00007FF7D54D2000-memory.dmp

Filesize
64.7MB

Download