Analysis Overview
SHA256
63bae6ef7079dc92968fe00d5adebd6488ac116f56364d776f86464fcdf08ea3
Threat Level: Known bad
The file VersionUnlimited-main.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
One or more HTTP URLs in PDF identified
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-24 20:07
Signatures
One or more HTTP URLs in PDF identified
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win7-20230220-en
Max time kernel
38s
Max time network
49s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1652 set thread context of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 36
Network
| Country | Destination | Domain | Proto |
| NZ | 185.99.132.51:80 | 185.99.132.51 | tcp |
Files
memory/1744-54-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1744-55-0x0000000000400000-0x0000000000439000-memory.dmp
memory/1744-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
169s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2836 set thread context of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2836 wrote to memory of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\Setup_x64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2836 -ip 2836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 160
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NZ | 185.99.132.51:80 | 185.99.132.51 | tcp |
| US | 8.8.8.8:53 | 51.132.99.185.in-addr.arpa | udp |
| US | 20.44.10.122:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| NL | 8.238.179.126:80 | tcp | |
| NL | 8.238.179.126:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 131.253.33.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
memory/3464-133-0x0000000000700000-0x0000000000739000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win7-20230220-en
Max time kernel
15s
Max time network
33s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 1736 wrote to memory of 2036 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1736 -s 92
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win10v2004-20230220-en
Max time kernel
101s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\modules.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 1312 -ip 1312
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1312 -s 352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 40.77.2.164:443 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win7-20230220-en
Max time kernel
25s
Max time network
34s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-04-24 20:06
Reported
2023-04-24 20:10
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NewVersionUnlimited\Desktop_Full\platforms\qwindows.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | tcp | |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 20.189.173.3:443 | tcp | |
| US | 8.8.8.8:53 | 254.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 117.18.237.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | 24.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.162.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.133.255.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| SG | 8.241.128.254:80 | tcp |