lumma | 7d0ca7b717b408404ea0d4ce98ef1cd2947402d23a7fb8c4429d18707041396c | Triage

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 14:15

Sharing

Report Analysis Logs

General

Target

KFlauncher.exe
Size

937KB
MD5

edfa515fb1995ccaa53ba97259bdc552
SHA1

4840b49873edc09129a3d725e861a5d3edb8924b
SHA256

7d0ca7b717b408404ea0d4ce98ef1cd2947402d23a7fb8c4429d18707041396c
SHA512

864d2012340b4835c22a8b8a3fd6b42b87b2f1a4d79f2d6e48883a1819a84ca427b0a9c6d73078aad15a4c1696e0e54aed7f56f68a6e00d205b4444610aafed7
SSDEEP

24576:flj0NdQCg30ly0HsqzDC3UALO6FIb+ayoiWF3pw:tLEY0Hsqz+AcIbinWF5w

Score

10^/10

Malware Config

Extracted

Family

lumma

C2

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Suspicious use of SetThreadContext 1 IoCs

Processes:

KFlauncher.exe

description pid process target process

PID 2820 set thread context of 4240 2820 KFlauncher.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 2820 WerFault.exe KFlauncher.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

KFlauncher.exe

description	pid	process	target process
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe
PID 2820 wrote to memory of 4240	2820	KFlauncher.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe
"C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 560
2⤵
- Program crash
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2820 -ip 2820
1⤵
PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2820-0-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4240-1-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4240-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4240-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download