Analysis Overview
SHA256
f6a15f2f6460acf1db5c7724f7417772e4f017b783f886cf9def29dc6eebc3aa
Threat Level: Known bad
The file Main_Satup.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-26 08:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 08:57
Reported
2024-05-26 09:02
Platform
win10-20240404-en
Max time kernel
195s
Max time network
197s
Command Line
Signatures
Lumma Stealer
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4772 set thread context of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe" |
| C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com |
| C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 | C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\d2885516
C:\Users\Admin\AppData\Local\Temp\Uhzi.au3
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-26 08:57
Reported
2024-05-26 09:01
Platform
win11-20240426-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1484 set thread context of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe" |
| C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com |
| C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 | C:\Users\Admin\AppData\Local\Temp\Uhzi.au3 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\a730a58c
C:\Users\Admin\AppData\Local\Temp\Uhzi.au3