lumma | 8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f

Analysis

max time kernel
193s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
Size

6.4MB
MD5

5050f9bc5d4a4cec3d2c08ed24480a10
SHA1

c3edc7c64810ece5a5fd4b9bc082b1f4dac7bf7f
SHA256

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f
SHA512

2f62f4cba6a76681a0ecbb9977120978369ccd8bd2089227d1c581e30c190441f50f5561307eea737a28f625092287c6a6a0eaa924421d8789a72197d83062e6
SSDEEP

98304:6qwBqwWpcCHgb9m429vfTbDJgAWdWikDIyx2yR1OcS/7yMimxwnpyYOF8:6qwBqw16I9evL9Zik0k20wGnOa

Score

10^/10

lumma stealer vmprotect

Malware Config

Extracted

Family

lumma

https://foodypannyjsud.shop/api

https://potterryisiw.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 2 IoCs

Processes:

polaris.exepokafdw.exe

pid process

1576 polaris.exe
2416 pokafdw.exe
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe vmprotect
behavioral2/memory/2416-22-0x0000000000290000-0x0000000000B9C000-memory.dmp vmprotect
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pokafdw.exe

pid process

2416 pokafdw.exe
2416 pokafdw.exe

pid	process
1576	polaris.exe
2416	pokafdw.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe	vmprotect
behavioral2/memory/2416-22-0x0000000000290000-0x0000000000B9C000-memory.dmp	vmprotect

pid	process
2416	pokafdw.exe
2416	pokafdw.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.execmd.exepolaris.exe

description	pid	process	target process
PID 4912 wrote to memory of 3856	4912	8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe	cmd.exe
PID 4912 wrote to memory of 3856	4912	8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe	cmd.exe
PID 3856 wrote to memory of 1576	3856	cmd.exe	polaris.exe
PID 3856 wrote to memory of 1576	3856	cmd.exe	polaris.exe
PID 1576 wrote to memory of 2416	1576	polaris.exe	pokafdw.exe
PID 1576 wrote to memory of 2416	1576	polaris.exe	pokafdw.exe
PID 1576 wrote to memory of 2416	1576	polaris.exe	pokafdw.exe

C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
polaris.exe -priverdD
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
38B

MD5
76ce3d5d5c3032cc9f78133af90b7ca7

SHA1
774907a1177135daf81ad950c2201510958cc52b

SHA256
7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd

SHA512
fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
Filesize
5.9MB

MD5
0f21f614bbd1768957b4ada1faf64885

SHA1
9e1fde36a3f615e783afec63be45a55453a14b89

SHA256
cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501

SHA512
8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
Filesize
5.5MB

MD5
5fd19293fa5acf9323ebc45b5df49b06

SHA1
6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a

SHA256
659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261

SHA512
595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697

Download Submit
memory/2416-20-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2416-22-0x0000000000290000-0x0000000000B9C000-memory.dmp

Filesize
9.0MB

Download