Analysis Overview
SHA256
1b1339e4dc42f81aef80348ead19ef64a6a8741d643c3e3ef61680e8a12537fe
Threat Level: Known bad
The file 43f72bb2f8ceb8050b832ced484e6e4a.bin was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-22 01:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 01:31
Reported
2024-02-22 01:34
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\driver1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1740 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1740 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1740 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1740 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Users\Admin\AppData\Roaming\driver1.exe |
| PID 1740 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Users\Admin\AppData\Roaming\driver1.exe |
| PID 1740 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Users\Admin\AppData\Roaming\driver1.exe |
| PID 1740 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe | C:\Users\Admin\AppData\Roaming\driver1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | goldteamtrading.wpcomstaging.com | udp |
| US | 192.0.78.20:443 | goldteamtrading.wpcomstaging.com | tcp |
Files
memory/2316-4-0x000000001B2C0000-0x000000001B5A2000-memory.dmp
memory/2316-5-0x0000000002430000-0x0000000002438000-memory.dmp
memory/2316-6-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/2316-7-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2316-8-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
memory/2316-9-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2316-10-0x0000000002820000-0x00000000028A0000-memory.dmp
memory/2316-11-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7ACD.tmp
| Hash | Value |
| --- | --- |
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar7B0E.tmp
| Hash | Value |
| --- | --- |
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Roaming\driver1.exe
| Hash | Value |
| --- | --- |
| MD5 | 9a25ab8bdaa157c47a64fc2b0a1e443a |
| SHA1 | c96cc57a7bfeaf3415005965974ad721ffebdbbe |
| SHA256 | 14123370ea7689a1be3d067a5a53c96c47aaf2573714a08b65a25369a7523517 |
| SHA512 | 010a8f22d17a7b17afc70c9ed12ca9a532108e99d1f3fb0dc59a0339473395aaf87781d83a14aff4bce751d4b2417f1d0edf16b6afe186ff9c325100058fed41 |
memory/2620-50-0x0000000074CD0000-0x00000000753BE000-memory.dmp
memory/2620-51-0x0000000004720000-0x0000000004770000-memory.dmp
memory/2620-52-0x0000000002390000-0x00000000023D0000-memory.dmp
memory/2620-53-0x0000000002390000-0x00000000023D0000-memory.dmp
memory/2620-54-0x0000000004770000-0x00000000047BE000-memory.dmp
memory/2620-58-0x0000000074CD0000-0x00000000753BE000-memory.dmp
memory/2620-59-0x0000000002450000-0x0000000004450000-memory.dmp
memory/2620-60-0x0000000002450000-0x0000000004450000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 01:31
Reported
2024-02-22 01:34
Platform
win10v2004-20240221-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\driver1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1684 set thread context of 3668 | N/A | C:\Users\Admin\AppData\Roaming\driver1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\GitExecutor.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Users\Admin\AppData\Roaming\driver1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | goldteamtrading.wpcomstaging.com | udp |
| US | 192.0.78.20:443 | goldteamtrading.wpcomstaging.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.78.0.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/1032-5-0x00000215B7070000-0x00000215B7092000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rie3hpuk.0ou.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1032-10-0x00007FF8495F0000-0x00007FF84A0B1000-memory.dmp
memory/1032-12-0x00000215B7160000-0x00000215B7170000-memory.dmp
memory/1032-13-0x00000215B7160000-0x00000215B7170000-memory.dmp
memory/1032-11-0x00000215B7160000-0x00000215B7170000-memory.dmp
memory/1032-15-0x00007FF8495F0000-0x00007FF84A0B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\driver1.exe
| Hash | Value |
| --- | --- |
| MD5 | 9a25ab8bdaa157c47a64fc2b0a1e443a |
| SHA1 | c96cc57a7bfeaf3415005965974ad721ffebdbbe |
| SHA256 | 14123370ea7689a1be3d067a5a53c96c47aaf2573714a08b65a25369a7523517 |
| SHA512 | 010a8f22d17a7b17afc70c9ed12ca9a532108e99d1f3fb0dc59a0339473395aaf87781d83a14aff4bce751d4b2417f1d0edf16b6afe186ff9c325100058fed41 |
memory/1684-20-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1684-21-0x0000000002400000-0x0000000002450000-memory.dmp
memory/1684-22-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/1684-23-0x0000000004DF0000-0x0000000004E00000-memory.dmp
memory/1684-24-0x0000000004E00000-0x00000000053A4000-memory.dmp
memory/1684-25-0x0000000002800000-0x000000000284E000-memory.dmp
memory/3668-28-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3668-32-0x0000000000400000-0x0000000000445000-memory.dmp
memory/1684-33-0x0000000075300000-0x0000000075AB0000-memory.dmp
memory/1684-34-0x0000000002900000-0x0000000004900000-memory.dmp
memory/3668-37-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/3668-36-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3668-35-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/1684-38-0x0000000002900000-0x0000000004900000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-22 01:31
Reported
2024-02-22 01:34
Platform
win7-20240221-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-22 01:31
Reported
2024-02-22 01:34
Platform
win10v2004-20240221-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\opengl32.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |