Analysis Overview
SHA256
210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87
Threat Level: Known bad
The file 210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-23 04:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 04:47
Reported
2024-02-23 04:52
Platform
win10-20240221-en
Max time kernel
190s
Max time network
298s
Command Line
Signatures
Lumma Stealer
Processes
C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe
"C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
Files
memory/4656-0-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/4656-1-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/4656-2-0x00000000009A0000-0x00000000009A1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 04:47
Reported
2024-02-23 04:52
Platform
win7-20240215-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2208 wrote to memory of 1752 | N/A | C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe
"C:\Users\Admin\AppData\Local\Temp\210089624720b3e282b0fc7745ca60181ea404af7d5ca869d067093e57b56e87.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 124
Network
Files
memory/2208-0-0x0000000000070000-0x0000000000071000-memory.dmp