Analysis Overview
SHA256: 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
Threat Level: Known bad
The file 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-02-29 04:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-29 04:57
Reported: 2024-02-29 05:02
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2808 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2808 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2808 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2808 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe
"C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 124
Network
Files
memory/2808-1-0x0000000001010000-0x0000000001ABD000-memory.dmp
memory/2808-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2808-3-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2808-5-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2808-6-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2808-8-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2808-30-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2808-28-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2808-25-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2808-23-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2808-20-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2808-18-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2808-15-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2808-13-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2808-10-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2808-31-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2808-33-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2808-35-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2808-37-0x0000000077BD0000-0x0000000077BD1000-memory.dmp
memory/2808-36-0x0000000001010000-0x0000000001ABD000-memory.dmp
memory/2808-39-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2808-40-0x0000000001010000-0x0000000001ABD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-29 04:57
Reported: 2024-02-29 05:02
Platform: win10-20240221-en
Max time kernel: 194s
Max time network: 297s
Command Line
Signatures
Lumma Stealer
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe
"C:\Users\Admin\AppData\Local\Temp\8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/756-1-0x0000000000C70000-0x0000000000C71000-memory.dmp
memory/756-0-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/756-2-0x0000000000F10000-0x00000000019BD000-memory.dmp
memory/756-4-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
memory/756-3-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/756-5-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
memory/756-6-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
memory/756-7-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
memory/756-8-0x0000000000F10000-0x00000000019BD000-memory.dmp
memory/756-10-0x0000000000F10000-0x00000000019BD000-memory.dmp
memory/756-11-0x0000000000F10000-0x00000000019BD000-memory.dmp