Analysis Overview
SHA256
46973e4dda2b1ec2cd464943621ce24a9eeaa0a5fbc96aaf6ead4d1c5d74be88
Threat Level: Known bad
The file NEXSUS.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Drops desktop.ini file(s)
Unsigned PE
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:23
Platform
win10-20240404-en
Max time kernel
134s
Max time network
136s
Command Line
Signatures
Lumma Stealer
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\System32\bcastdvr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\starter.exe
"C:\Users\Admin\AppData\Local\Temp\starter.exe"
C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 00000000000501F6 /startuptips
C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 8.8.8.8:53 | 32.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp |
| US | 104.21.22.160:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | 226.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 8.8.8.8:53 | 160.22.21.104.in-addr.arpa | udp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 8.8.8.8:53 | 34.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp |
| US | 188.114.97.2:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
memory/3188-0-0x00000000006D0000-0x000000000071C000-memory.dmp
memory/3188-5-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3188-6-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3188-8-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3188-7-0x0000000000780000-0x0000000000781000-memory.dmp
memory/3188-9-0x0000000000780000-0x00000000007C0000-memory.dmp
memory/3188-10-0x0000000000780000-0x00000000007C0000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
memory/3188-27-0x00000000006D0000-0x000000000071C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:22
Platform
win10v2004-20231215-en
Max time kernel
44s
Max time network
45s
Command Line
Signatures
Lumma Stealer
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{F2AA83FC-39C5-4CCD-9FF1-1E2629665F93} | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\starter.exe
"C:\Users\Admin\AppData\Local\Temp\starter.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3940855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 188.114.96.2:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | worryfillvolcawoi.shop | udp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | enthusiasimtitleow.shop | udp |
| US | 188.114.96.2:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | dismissalcylinderhostw.shop | udp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 8.8.8.8:53 | affordcharmcropwo.shop | udp |
| US | 104.21.67.211:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.205.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | diskretainvigorousiw.shop | udp |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 8.8.8.8:53 | 143.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pillowbrocccolipe.shop | udp |
| US | 188.114.96.2:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.42.65.89:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
memory/5040-0-0x0000000000FA0000-0x0000000000FEC000-memory.dmp
memory/5040-5-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/5040-6-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/5040-9-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/5040-8-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/5040-7-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/5040-10-0x0000000000FA0000-0x0000000000FEC000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:24
Platform
win11-20240221-en
Max time kernel
148s
Max time network
161s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{A989CD98-079C-4302-B44E-AADA6E12BFE6} | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\starter.exe
"C:\Users\Admin\AppData\Local\Temp\starter.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 8.8.8.8:53 | 32.185.67.172.in-addr.arpa | udp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 188.114.97.2:443 | diskretainvigorousiw.shop | tcp |
| US | 8.8.8.8:53 | 132.205.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | communicationgenerwo.shop | udp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 188.114.96.2:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | 19.83.21.104.in-addr.arpa | udp |
Files
memory/1816-0-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
memory/1816-5-0x0000000002A90000-0x0000000002A91000-memory.dmp
memory/1816-6-0x00000000028E0000-0x00000000028E1000-memory.dmp
memory/1816-7-0x0000000000BF0000-0x0000000000C3C000-memory.dmp
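The three Network tables above are the only sample-attributable indicators in this report besides the starter.exe memory dumps, and they need triage before they become a blocklist: the same .shop domains resolve to different addresses in each run (cleartotalfisherwo.shop is reached at 172.67.185.32 in behavioral1 and behavioral3 but 188.114.96.2 in behavioral2), sideindexfollowragelrew.pw is queried by DNS in every run but never connected to, the in-addr.arpa rows are reverse lookups of the C2 addresses just contacted, and 20.42.65.89:443 has no domain at all. The script below is an added example, not part of the sandbox report or any vendor tool. It parses rows in the report's own pipe-table layout (including the malformed rows with a missing Domain cell), maps each PTR query back to its forward address so it can be tagged as noise rather than a new IOC, and groups TCP destinations by domain so the output says which indicators are stable. The row data is constructed from the page's tables; the function names are this example's own.

```python
"""IOC triage for the NEXSUS.zip / starter.exe detonation report.

Added example, not part of the sandbox report or any vendor tooling.
The rows below are constructed from the report's three Network tables;
parse_rows, ptr_to_ip and extract_iocs are this example's own names.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: representative rows from behavioral1/2/3, including
# the two malformed rows whose Domain cell is missing.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | sideindexfollowragelrew.pw | udp |
| US | 8.8.8.8:53 | cleartotalfisherwo.shop | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 188.114.96.2:443 | cleartotalfisherwo.shop | tcp |
| US | 172.67.199.191:443 | worryfillvolcawoi.shop | tcp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.18.233:443 | enthusiasimtitleow.shop | tcp |
| US | 104.21.22.160:443 | dismissalcylinderhostw.shop | tcp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 104.21.23.143:443 | diskretainvigorousiw.shop | tcp |
| US | 104.21.83.19:443 | communicationgenerwo.shop | tcp |
| US | 188.114.97.2:443 | pillowbrocccolipe.shop | tcp |
| US | 8.8.8.8:53 | 32.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.199.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.42.65.89:443 | tcp | |
"""


def parse_rows(text):
    """Return [(ip, port, domain, proto)] for each pipe-table row.

    Rows whose Domain cell is missing have the protocol shifted one
    column left; detect that and put the protocol back in its place.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        cells += [""] * (4 - len(cells))
        _country, dst, dom, proto = cells[:4]
        if dom in ("tcp", "udp") and proto == "":
            dom, proto = "", dom
        ip, _, port = dst.rpartition(":")
        if not port.isdigit():
            continue  # header or unparseable destination
        rows.append((ip, int(port), dom, proto))
    return rows


def ptr_to_ip(name):
    """'32.185.67.172.in-addr.arpa' -> '172.67.185.32'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return ip


def extract_iocs(rows, resolver="8.8.8.8"):
    """Classify rows into blockable C2 indicators and sandbox noise."""
    c2 = defaultdict(set)   # domain -> IPs it was reached at over TCP
    queried = set()         # domains seen in DNS queries
    ptr = {}                # PTR name -> forward IP
    unresolved = set()      # TCP destinations with no domain
    for ip, port, dom, proto in rows:
        if proto == "udp" and ip == resolver and port == 53:
            rip = ptr_to_ip(dom)
            if rip:
                ptr[dom] = rip
            elif dom:
                queried.add(dom)
        elif proto == "tcp":
            if dom:
                c2[dom].add(ip)
            else:
                unresolved.add(f"{ip}:{port}")
    c2_ips = {i for ips in c2.values() for i in ips}
    return {
        "c2_domains": {d: sorted(ips) for d, ips in c2.items()},
        "dns_only": sorted(queried - set(c2)),
        "ptr_noise": {n: i for n, i in ptr.items() if i in c2_ips},
        "ptr_other": {n: i for n, i in ptr.items() if i not in c2_ips},
        "unresolved": sorted(unresolved),
    }


if __name__ == "__main__":
    result = extract_iocs(parse_rows(NETWORK_ROWS))
    for domain, ips in result["c2_domains"].items():
        print(f"block domain {domain:32} seen at {', '.join(ips)}")
    print("dns only  :", result["dns_only"])
    print("ptr noise :", sorted(result["ptr_noise"]))
    print("unresolved:", result["unresolved"])
```

Run as a script it prints one line per C2 domain with every address it was reached at across runs, which is the argument for blocking on domain rather than address here. Two caveats when reading the rest of the report alongside this output: the reverse lookups that do not map to a C2 address (such as 13.86.106.20.in-addr.arpa) and the domainless 20.42.65.89:443 connection are not attributed to any process on the page and should not be promoted to indicators without further evidence; and of the signatures listed, only the Lumma Stealer detection and the starter.exe memory regions are tied to the sample, while the processor-information query, HKEY_USERS writes, registry class creation, GetForegroundWindow spam and SetWindowsHookEx use are all reported under svchost.exe, LogonUI.exe and OpenWith.exe.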