Analysis Overview
SHA256
df4d859ead3eedc85f206be1822330eaf0cf9f65889f244be231e7de0446b7ad
Threat Level: Known bad
The file ezyzip.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 17:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 17:47
Reported
2024-07-04 17:51
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 17:47
Reported
2024-07-04 17:51
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-04 17:47
Reported
2024-07-04 17:49
Platform
win7-20240419-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\github_installer.exe
"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"
Network
Files
memory/2368-0-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/2368-1-0x00000000000D0000-0x0000000000164000-memory.dmp
memory/2368-2-0x00000000002B0000-0x00000000002B6000-memory.dmp
\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | ff0531892270c9da7859e1adf5e0bf65 |
| SHA1 | 9087ff214b0228efddbd68e043685234ba0d7932 |
| SHA256 | 3fb33acf13aaafdd8d26fc70cab223812f8bf286550e620a09f91155a0b7b86e |
| SHA512 | 7995903d039ba81c837e6a7fe5fdaaf3e003115f2bd826cc9940fccb77ceca0ae2f6ccb56eca5fda1acf2bbc579e7e9ae4fb54df39ee626a2de23ddcdec81c27 |
memory/2368-7-0x0000000075830000-0x00000000758F1000-memory.dmp
memory/2368-8-0x00000000746E0000-0x0000000074DCE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-04 17:47
Reported
2024-07-04 17:51
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Lumma Stealer
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4456 set thread context of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\github_installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\github_installer.exe
"C:\Users\Admin\AppData\Local\Temp\github_installer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 184.28.176.49:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 239.172.67.172.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| GB | 184.28.176.51:443 | www.bing.com | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 51.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
memory/4456-0-0x00000000751DE000-0x00000000751DF000-memory.dmp
memory/4456-1-0x0000000000690000-0x0000000000724000-memory.dmp
memory/4456-2-0x0000000005010000-0x0000000005016000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | ff0531892270c9da7859e1adf5e0bf65 |
| SHA1 | 9087ff214b0228efddbd68e043685234ba0d7932 |
| SHA256 | 3fb33acf13aaafdd8d26fc70cab223812f8bf286550e620a09f91155a0b7b86e |
| SHA512 | 7995903d039ba81c837e6a7fe5fdaaf3e003115f2bd826cc9940fccb77ceca0ae2f6ccb56eca5fda1acf2bbc579e7e9ae4fb54df39ee626a2de23ddcdec81c27 |
memory/4456-13-0x0000000077C71000-0x0000000077D91000-memory.dmp
memory/3684-12-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3684-15-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4456-14-0x00000000751D0000-0x0000000075980000-memory.dmp
memory/3684-9-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3684-16-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4456-17-0x00000000751D0000-0x0000000075980000-memory.dmp