Analysis Overview
SHA256
8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
Threat Level: Known bad
The file 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-27 04:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 04:49
Reported
2024-02-27 04:54
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2032 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2032 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2032 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2032 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe
"C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 124
Network
Files
memory/2032-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2032-2-0x0000000000D90000-0x000000000183D000-memory.dmp
memory/2032-3-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2032-5-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2032-18-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2032-15-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2032-20-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2032-13-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2032-10-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2032-8-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2032-6-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2032-35-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2032-33-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2032-36-0x0000000000D90000-0x000000000183D000-memory.dmp
memory/2032-38-0x0000000077800000-0x0000000077801000-memory.dmp
memory/2032-31-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2032-30-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2032-28-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2032-25-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2032-23-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2032-39-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2032-40-0x0000000000D90000-0x000000000183D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 04:49
Reported
2024-02-27 04:54
Platform
win10-20240221-en
Max time kernel
195s
Max time network
297s
Command Line
Signatures
Lumma Stealer
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe
"C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/1192-1-0x0000000001B30000-0x0000000001B31000-memory.dmp
memory/1192-0-0x0000000001B20000-0x0000000001B21000-memory.dmp
memory/1192-4-0x0000000001B70000-0x0000000001B71000-memory.dmp
memory/1192-3-0x0000000000B80000-0x000000000162D000-memory.dmp
memory/1192-2-0x0000000001B60000-0x0000000001B61000-memory.dmp
memory/1192-5-0x0000000003620000-0x0000000003621000-memory.dmp
memory/1192-6-0x0000000003630000-0x0000000003631000-memory.dmp
memory/1192-8-0x0000000003640000-0x0000000003641000-memory.dmp
memory/1192-9-0x0000000000B80000-0x000000000162D000-memory.dmp
memory/1192-11-0x0000000003650000-0x0000000003651000-memory.dmp
memory/1192-12-0x0000000000B80000-0x000000000162D000-memory.dmp