Malware Analysis Report

2024-11-30 02:44

Sample ID 240407-vsd2eahh87
Target WerboPack.rar
SHA256 40f16ab6bb3d428d1398163549e5cf817374a75aacf174c7f357c0056c51b2c1
Tags
lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40f16ab6bb3d428d1398163549e5cf817374a75aacf174c7f357c0056c51b2c1

Threat Level: Known bad

The file WerboPack.rar was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:14

Reported

2024-04-07 17:21

Platform

win10-20240404-en

Max time kernel

195s

Max time network

298s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
(33 identical entries)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:14

Reported

2024-04-07 17:21

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

274s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\WerboPack.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1940 set thread context of 2092 | N/A | C:\Users\Admin\Downloads\WerboPack.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WerboPack.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\WerboPack.exe

"C:\Users\Admin\Downloads\WerboPack.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp
US | 8.8.8.8:53 | birdpenallitysydw.shop | udp
US | 188.114.96.2:443 | birdpenallitysydw.shop | tcp
US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | cinemaclinicttanwk.shop | udp
US | 104.21.63.97:443 | cinemaclinicttanwk.shop | tcp
US | 8.8.8.8:53 | 97.63.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | disagreemenywyws.shop | udp
US | 104.21.89.249:443 | disagreemenywyws.shop | tcp
US | 8.8.8.8:53 | speedparticipatewo.shop | udp
US | 188.114.96.2:443 | speedparticipatewo.shop | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.89.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | fixturewordbakewos.shop | udp
US | 104.21.61.180:443 | fixturewordbakewos.shop | tcp
US | 8.8.8.8:53 | colorprioritytubbew.shop | udp
US | 172.67.139.138:443 | colorprioritytubbew.shop | tcp
US | 8.8.8.8:53 | abuselinenaidwjuew.shop | udp
US | 188.114.96.2:443 | abuselinenaidwjuew.shop | tcp
US | 8.8.8.8:53 | methodgreenglassdatw.shop | udp
US | 104.21.38.106:443 | methodgreenglassdatw.shop | tcp
US | 8.8.8.8:53 | 180.61.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.139.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.38.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp

Files

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml

MD5 398dc059ac7b960a31bba803c6d4b7a3
SHA1 dfac62f6e4ac50a0029031244fc5a1469ffe90e8
SHA256 943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488
SHA512 f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml

MD5 9c8531c1d5f692cd921c8a56d85bc85d
SHA1 801b699bec07e93fdd05469f15cf80be4178e409
SHA256 16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c
SHA512 3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll

MD5 969d6caf273394f064475292d549516e
SHA1 91f688c235388c8bcee03ff20d0c8a90dbdd4e3e
SHA256 fe18f4259c947c1fd6d74f1827370e72d7ad09aefb4b720af227333583e0169f
SHA512 b4f6a614e5fc52850e3d02ebf7e85abf1ebe3fb4ebd6b4f03ec9dc4989cce88e44714ca2198dd7e632f5ed0f15225a68b31052da33e5ac3ce48a1c91c3c04446

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf

MD5 b0ac92e72b07a4b37d66f0264e3373c0
SHA1 769dec94ed0bfcb47e68026aa01e80a26943ff38
SHA256 5a0792c375031840221f1737ba389b0d6dac373b118a107e50fbe78fe5f4ba69
SHA512 716c37b16c577de53b7f6e3934e09ae329e138a8a1725d60e9d8907c43c4400918a31b12ae173644efc25ccc9bf7cb332a3042c17386a3724320ab977a7ded52

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll

MD5 f9efab153915541f6cbdd147f85f9842
SHA1 5d923740f2377298ad917eb9f5bfb45e0b1465fb
SHA256 130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a
SHA512 74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

C:\Users\Admin\Downloads\WerboPack.exe

MD5 eae3129fa88c966cb39c4674fd6d99a4
SHA1 f68802ca240d2c80acf877d93f1bbabc962e8fd1
SHA256 b604b64d2d488b0559d8e5868cfc4dd2f2519c712d3ba5833dfb0ac8be3adf08
SHA512 f93953739d9918940ea78cab92c36d520dae49082612916611ec5d05de8648b147854822168535f329dee6d4759687442e50b8d08a4fcb950733128330b3eb87

memory/1940-1060-0x00000000006A0000-0x00000000006F2000-memory.dmp

memory/1940-1061-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/2092-1064-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2092-1068-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1940-1069-0x00000000752D0000-0x0000000075A80000-memory.dmp

memory/1940-1070-0x0000000002940000-0x0000000004940000-memory.dmp

memory/2092-1071-0x0000000000F10000-0x0000000000F42000-memory.dmp

memory/2092-1073-0x0000000000F10000-0x0000000000F42000-memory.dmp

memory/2092-1072-0x0000000000F10000-0x0000000000F42000-memory.dmp

memory/2092-1074-0x0000000000F10000-0x0000000000F42000-memory.dmp

memory/2092-1075-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2092-1076-0x0000000000F10000-0x0000000000F42000-memory.dmp

memory/1940-1077-0x0000000002940000-0x0000000004940000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-07 17:14

Reported

2024-04-07 17:21

Platform

win11-20240221-en

Max time kernel

178s

Max time network

289s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\WerboPack.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3868 set thread context of 4964 | N/A | C:\Users\Admin\Downloads\WerboPack.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WerboPack.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\WerboPack.exe

"C:\Users\Admin\Downloads\WerboPack.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 188.114.96.2:443 | speedparticipatewo.shop | tcp
US | 104.21.63.97:443 | cinemaclinicttanwk.shop | tcp
US | 104.21.89.249:443 | disagreemenywyws.shop | tcp
US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.63.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.89.21.104.in-addr.arpa | udp
US | 188.114.96.2:443 | abuselinenaidwjuew.shop | tcp
US | 104.21.61.180:443 | fixturewordbakewos.shop | tcp
US | 104.21.94.186:443 | colorprioritytubbew.shop | tcp
US | 188.114.97.2:443 | abuselinenaidwjuew.shop | tcp
US | 104.21.38.106:443 | methodgreenglassdatw.shop | tcp

Files

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml

MD5 398dc059ac7b960a31bba803c6d4b7a3
SHA1 dfac62f6e4ac50a0029031244fc5a1469ffe90e8
SHA256 943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488
SHA512 f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml

MD5 9c8531c1d5f692cd921c8a56d85bc85d
SHA1 801b699bec07e93fdd05469f15cf80be4178e409
SHA256 16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c
SHA512 3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll

MD5 969d6caf273394f064475292d549516e
SHA1 91f688c235388c8bcee03ff20d0c8a90dbdd4e3e
SHA256 fe18f4259c947c1fd6d74f1827370e72d7ad09aefb4b720af227333583e0169f
SHA512 b4f6a614e5fc52850e3d02ebf7e85abf1ebe3fb4ebd6b4f03ec9dc4989cce88e44714ca2198dd7e632f5ed0f15225a68b31052da33e5ac3ce48a1c91c3c04446

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll

MD5 f9efab153915541f6cbdd147f85f9842
SHA1 5d923740f2377298ad917eb9f5bfb45e0b1465fb
SHA256 130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a
SHA512 74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf

MD5 b0ac92e72b07a4b37d66f0264e3373c0
SHA1 769dec94ed0bfcb47e68026aa01e80a26943ff38
SHA256 5a0792c375031840221f1737ba389b0d6dac373b118a107e50fbe78fe5f4ba69
SHA512 716c37b16c577de53b7f6e3934e09ae329e138a8a1725d60e9d8907c43c4400918a31b12ae173644efc25ccc9bf7cb332a3042c17386a3724320ab977a7ded52

C:\Users\Admin\Downloads\WerboPack.exe

MD5 eae3129fa88c966cb39c4674fd6d99a4
SHA1 f68802ca240d2c80acf877d93f1bbabc962e8fd1
SHA256 b604b64d2d488b0559d8e5868cfc4dd2f2519c712d3ba5833dfb0ac8be3adf08
SHA512 f93953739d9918940ea78cab92c36d520dae49082612916611ec5d05de8648b147854822168535f329dee6d4759687442e50b8d08a4fcb950733128330b3eb87

memory/3868-1060-0x0000000000680000-0x00000000006D2000-memory.dmp

memory/3868-1061-0x0000000074A40000-0x00000000751F1000-memory.dmp

memory/4964-1064-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3868-1069-0x0000000074A40000-0x00000000751F1000-memory.dmp

memory/4964-1068-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4964-1072-0x00000000012F0000-0x0000000001330000-memory.dmp

memory/4964-1071-0x00000000012F0000-0x0000000001330000-memory.dmp

memory/3868-1070-0x0000000002CC0000-0x0000000004CC0000-memory.dmp

memory/4964-1073-0x00000000012F0000-0x0000000001330000-memory.dmp

memory/4964-1074-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3868-1075-0x0000000002CC0000-0x0000000004CC0000-memory.dmp