Malware Analysis Report

2025-06-15 19:54

Sample ID 240426-pxk3mabh79
Target Codex.rar
SHA256 0b42eeb661e4cf8635ef4205a17073a5ea97143dcf042579540fd9d1a225bd4d
Tags
lumma stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0b42eeb661e4cf8635ef4205a17073a5ea97143dcf042579540fd9d1a225bd4d

Threat Level: Known bad

The file Codex.rar was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-26 12:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-26 12:42

Reported

2024-04-26 12:45

Platform

win7-20240419-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Codex.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2436 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2436 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Codex.rar

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Codex.rar

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-26 12:42

Reported

2024-04-26 12:45

Platform

win10v2004-20240226-en

Max time kernel

85s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Codex.rar

Signatures

Lumma Stealer

stealer lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe N/A
N/A N/A C:\Users\Admin\Desktop\Codex.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2056 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 set thread context of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1840 wrote to memory of 4120 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4120 wrote to memory of 2056 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe
PID 4120 wrote to memory of 2056 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2056 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 wrote to memory of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 wrote to memory of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 wrote to memory of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 wrote to memory of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 1816 wrote to memory of 4164 N/A C:\Users\Admin\Desktop\Codex.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Codex.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Codex.rar"

C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe

"C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

C:\Users\Admin\Desktop\Codex.exe

"C:\Users\Admin\Desktop\Codex.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 peanuearthflaxes.shop udp
US 104.21.51.162:443 peanuearthflaxes.shop tcp
US 8.8.8.8:53 productivelookewr.shop udp
US 172.67.150.207:443 productivelookewr.shop tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 162.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 225.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 169.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 104.21.51.162:443 peanuearthflaxes.shop tcp
US 172.67.150.207:443 productivelookewr.shop tcp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 104.21.51.162:443 peanuearthflaxes.shop tcp
US 172.67.150.207:443 productivelookewr.shop tcp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO8104AD68\Codex.exe

MD5 2c7698c295ff76f112703bb08ba29aad
SHA1 3bcd3c32f8f636ef5bd096076cb42f47f293b51b
SHA256 c7657c92d0a3997b33c6f54b56f7543f1aef2beb2131e93aad9b68f4a1240070
SHA512 1348bc0183dc970ba70fc321cfbc7412f45d1604f3553c472a7024b0668031a24d6cf5fc899fe93025c947fdb94cd690d9d99ecc1e7e2de36e3dba73516ea00a

memory/2056-16-0x00007FF6729D0000-0x00007FF6741A4000-memory.dmp

memory/1672-17-0x0000000000F20000-0x0000000000F6F000-memory.dmp

memory/2056-18-0x00007FF6729D0000-0x00007FF6741A4000-memory.dmp

memory/1672-19-0x0000000000F20000-0x0000000000F6F000-memory.dmp

memory/1816-26-0x00007FF74F600000-0x00007FF750DD4000-memory.dmp

memory/4164-29-0x0000000000AA0000-0x0000000000AEF000-memory.dmp

memory/4164-31-0x0000000000AA0000-0x0000000000AEF000-memory.dmp

memory/1816-30-0x00007FF74F600000-0x00007FF750DD4000-memory.dmp

memory/4516-76-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp

C:\Users\Admin\Desktop\Codex.exe

MD5 2196047f5370b6cf25adfecc69c138c6
SHA1 355c9c38ce13eaf91af2165daa9101fe58034604
SHA256 80b451d593873facef68c4a5fde44131e737c1fed2ca042bd12cb5051d4d913e
SHA512 92d2f5c7fd4b8e26d8210f3c0bee663a58c0452a78e789ae42c410ab0888f3f83af99d6494e2dfffe6c6b48df980c8f106f14eae5e4b01708781c7cdc61e2192

memory/1012-82-0x0000000001040000-0x000000000108F000-memory.dmp

memory/1012-84-0x0000000001040000-0x000000000108F000-memory.dmp

memory/4516-83-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp

C:\Users\Admin\Desktop\Codex.exe

MD5 61feeddf5aae8926916d9f2c55c322a8
SHA1 405a43ba44e011a4d56e95ba8f6601da537dcce6
SHA256 0fa9d4bf611df4d58ca88fe93d99b86c77ba299f675b49a9b414c8e6cb126b8e
SHA512 9998ff97c8897ee69cd3a2ed995731f54072d57be00de9c6140e8a0963f6fcc6c7fa82a6f7115895b2163fe12420410c9f165d1bdf75ee38b3231dced49fc11f

C:\Users\Admin\Desktop\Codex.exe

MD5 f1d358e87fef4d40bbb08ba6af8bfd88
SHA1 fcbac8c7f2b2c9720808c86ce4378dfb84af2f97
SHA256 2e042848726889b2fe6d4daf436f0b50770f8f8faea38724d44d02c52b50f457
SHA512 3b2ebf0b423440577fa5a28fe28a935b6efa471987758b6af786a8855349c79162054876ce4dcad81da4823154b0baa3e66d0b90d4d93ad0c606c78291b3a6ee

C:\Users\Admin\Desktop\Codex.exe

MD5 939fd31784e0e59f58aac546b6f9f199
SHA1 92ff57404231c0f68f62cd51255832dd03e0e0d1
SHA256 f4eedda589eef7c498b9118828a19eb2ab8b00a17373df0ad3ef17f2c8e1bb6f
SHA512 235c6fa7c90931a7bb532a3868af61bb416a3555b6b3b563b159511990c2043daeaa69abdca0fd741d5f0a9b5c508230c1692f78541aa495f77618c6d93be2d3

C:\Users\Admin\Desktop\Codex.exe

MD5 820854b1903b548241264391873644d9
SHA1 a1534f6d6859b8e02c0801b2a1f5bc51d339e034
SHA256 19b548f2891744ca51f2469ff24640492ef4a41d150c4aec3f48bce94c430676
SHA512 ebb2896d7e29d779d475f6385146a7e8cf5e66d198e87d41680090587e0290eab796798790699817c3b634901900c987abdd7883f6d01c8a7673fa57b20b487d

C:\Users\Admin\Desktop\Codex.exe

MD5 1b4eb203d0b398aeb2d811c057f5635d
SHA1 38a3346b4c0128ada1ccb75d118d6cd5da6815b2
SHA256 3e0425bae606fd01dab1c8e4055318e4629c6081bdee3245c1269e82b55458d1
SHA512 d286725a4ff599b0d1c31010f924676159fe58d5f864d0d35b785ca9a023a4b77365c5e334cf01f71edff1c36839f6b04abeb7e5a1bdf9ad9371612d7a53e687

C:\Users\Admin\Desktop\Codex.exe

MD5 7ecc511b1989b717651bf2945616acaa
SHA1 263e5f7af0acfb76135c8999db440f4cea890592
SHA256 6f52869a5963c10be021324e6fdd0fad2d468a5c55fac0e70b1cd50b251c4d3b
SHA512 ebf3865992eb50e0a778ed82bae56b49a123dcc310cad787e112b3a4712821b69c09f93b8b90a091fbebf68727a9984ea72b9365c64677fef56fb0f3b212c990

C:\Users\Admin\Desktop\Codex.exe

MD5 5e54c91900f431182678c7ee811d93a9
SHA1 3fe7e2329efc7395f237c4f9ed21c1a7d4912d80
SHA256 26906c4daee613ecffc8b6e5cc458534486a9436673d3515a2ba1d8852317a3f
SHA512 2d5ba6744f1fdd0dc3e6de075a78b7567b2fa2cbd7bd67d132167b034ac5622fc4d2bd21802ecacf91c671fb3ad06cc92f0ad89f41e4447edf4d423884e7c8a4

C:\Users\Admin\Desktop\Codex.exe

MD5 a0bb9b6bc9e70b817fe9f6ca2d8c81b9
SHA1 4f80d2e832488324fb6de89c1918014b2635403b
SHA256 f88d9f06e3d144b4b0d74197df51ab0abaf1b1f760228d5e106319e6bffd37d7
SHA512 bd7b43e651e942f2887af41a8338290a26ddd43f3dc8a6ad2d51b2ed648996dd6d9c55af40044748cb56d4f12cdb71619d73352b9a4e286318aca54d62593ccc

memory/4056-93-0x00007FF74BFE0000-0x00007FF74D7B4000-memory.dmp