Malware Analysis Report

2024-11-13 14:15

Sample ID: 240526-kwxb2sda41
Target: Main_Satup.zip
SHA256: f6a15f2f6460acf1db5c7724f7417772e4f017b783f886cf9def29dc6eebc3aa
Tags: lumma stealer
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f6a15f2f6460acf1db5c7724f7417772e4f017b783f886cf9def29dc6eebc3aa
Threat Level: Known bad

The file Main_Satup.zip was found to be: Known bad.

Malicious Activity Summary

Tags: lumma stealer

Lumma Stealer
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-26 08:57

Signatures

Unsigned PE
  Description: N/A
  Indicator: N/A
  Process: N/A
  Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-26 08:57
Reported: 2024-05-26 09:02
Platform: win10-20240404-en
Max time kernel: 195s
Max time network: 197s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"

Signatures

Lumma Stealer (tags: stealer lumma)

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\Uhzi.au3

Suspicious use of SetThreadContext
  Description: PID 4772 set thread context of 4192
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe (2 hits)
  Process: C:\Windows\SysWOW64\more.com (2 hits)

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Process: C:\Windows\SysWOW64\more.com

Processes

C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"

C:\Windows\SysWOW64\more.com
  Command line: C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
  Command line: C:\Users\Admin\AppData\Local\Temp\Uhzi.au3

Network


Files


C:\Users\Admin\AppData\Local\Temp\d2885516
  MD5:    ef4498e47d31eeb716e9f2fec0607066
  SHA1:   28de5dc4cf403a114ce0d2373d6d567b91b8e7a6
  SHA256: 872ecd484fd833a79c7197303580beff6816258b855438c857fd3a2266c0d678
  SHA512: 6be4cdeaf9eb41d76377ce9db9fb8a0b0ff72e0c269e8a49955693f46393e1bbe1a6218f3bb23ab45620d7c7c82b40cc8bd98e15c7cfab71f4cf3228c03ae36f


C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
  MD5:    c56b5f0201a3b3de53e561fe76912bfd
  SHA1:   2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c


Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-26 08:57
Reported: 2024-05-26 09:01
Platform: win11-20240426-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"

Signatures

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\Uhzi.au3

Suspicious use of SetThreadContext
  Description: PID 1484 set thread context of 936
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe (2 hits)
  Process: C:\Windows\SysWOW64\more.com (2 hits)

Suspicious behavior: MapViewOfSection
  Process: C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Process: C:\Windows\SysWOW64\more.com

Processes

C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"

C:\Windows\SysWOW64\more.com
  Command line: C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
  Command line: C:\Users\Admin\AppData\Local\Temp\Uhzi.au3

Network


Files


C:\Users\Admin\AppData\Local\Temp\a730a58c
  MD5:    5890e29592b141a898e9f3a83ace979a
  SHA1:   7dd0b80feccf484871fd05eb18f4425fabfa28bc
  SHA256: 6e9f791dcd44166a20b576f733619ea3994e2b4e168d44b3c19b1bf1e3d6b97e
  SHA512: 3a8045f14cb89d305ef1ead139054f317c2ba00c0d6199ed51e350e983eeef76285172217b923a9afa21d508bb5853229c140186b9036c0e7774f1b90a56b199


C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
  MD5:    c56b5f0201a3b3de53e561fe76912bfd
  SHA1:   2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
