Analysis Overview
SHA256: 40f16ab6bb3d428d1398163549e5cf817374a75aacf174c7f357c0056c51b2c1
Threat Level: Known bad
The file WerboPack.rar was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-07 17:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-07 17:14
Reported: 2024-04-07 17:21
Platform: win10-20240404-en
Max time kernel: 195s
Max time network: 298s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-07 17:14
Reported: 2024-04-07 17:21
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 274s
Command Line
Signatures
Lumma Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\WerboPack.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1940 set thread context of 2092 | N/A | C:\Users\Admin\Downloads\WerboPack.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WerboPack.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\WerboPack.exe
"C:\Users\Admin\Downloads\WerboPack.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll
C:\Users\Admin\Downloads\WerboPack.exe
Analysis: behavioral3
Detonation Overview
Submitted: 2024-04-07 17:14
Reported: 2024-04-07 17:21
Platform: win11-20240221-en
Max time kernel: 178s
Max time network: 289s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\WerboPack.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3868 set thread context of 4964 | N/A | C:\Users\Admin\Downloads\WerboPack.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WerboPack.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WerboPack.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\WerboPack.exe
"C:\Users\Admin\Downloads\WerboPack.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll
C:\Users\Admin\Downloads\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf
C:\Users\Admin\Downloads\WerboPack.exe