Analysis Overview
SHA256
0f94f6a5c219c17ba7c1c5d9be967e576c7a8f0e097a14706b13feed3aaafe7d
Threat Level: Known bad
The file !ŞetUp_51286--#PaSꞨKḙy#$$.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Amadey
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Suspicious use of SetThreadContext
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 19:35
Signatures
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-04 19:35
Reported
2024-07-04 19:38
Platform
win11-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2152 set thread context of 4616 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| IE | 52.111.236.22:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\b65f4664
| MD5 | e5ec136818bcd9296e897ec1a77e02bb |
| SHA1 | 98901f3ef6f1c812eb9fbcb6e9b333b9486b93f9 |
| SHA256 | bd407e0e876bbcbeec0a6c95bd9f6edab8d95ffaf0908cf347b6c79f987d2077 |
| SHA512 | 8969e1bffa65bc760f39aacd3c340b26f6d4ac615d2e695891b2d408ee6836e3b7c754979934f80656e24aaee86254bbccbee6937a554f565606614da29505d1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 19:35
Reported
2024-07-04 19:38
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 19:35
Reported
2024-07-04 19:38
Platform
win10v2004-20240704-en
Max time kernel
145s
Max time network
105s
Command Line
Signatures
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4604 set thread context of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3908 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | C:\Windows\SysWOW64\comp.exe |
| PID 3288 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe | C:\Windows\SysWOW64\comp.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\CefSharp.BrowserSubprocess.job | C:\Windows\SysWOW64\comp.exe | N/A |
| File created | C:\Windows\Tasks\Managed Machine Service Mini.job | C:\Windows\SysWOW64\comp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\comp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
"C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe"
C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe
"C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe"
C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\comp.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | downloadfile123.xyz | udp |
| US | 172.67.140.114:443 | downloadfile123.xyz | tcp |
| US | 8.8.8.8:53 | 114.140.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloaddining3.com | udp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 8.8.8.8:53 | downloaddining2.com | udp |
| US | 172.67.209.34:80 | downloaddining2.com | tcp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
| US | 172.67.208.139:80 | downloaddining3.com | tcp |
| US | 8.8.8.8:53 | contur2fa.recipeupdates.rest | udp |
| US | 172.67.197.250:443 | contur2fa.recipeupdates.rest | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.208.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.197.67.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\563d433
| MD5 | 394f9e41d44bbdbd7b5e9816a0801b3b |
| SHA1 | 431ee4529ca5c29c7ff692dc76b83692f3762dbd |
| SHA256 | 11f9555e4825e41ab00b47a726f2a95484fdeea780a34508cf60f196eacfb734 |
| SHA512 | c3188313126c3f0b222ef86eb379cf9b06968f3667d25e81f4b1c18f106517469d746838982ac19008bd36fa55e575459ad81974de520dd792c81670d48cb5b2 |
C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
| MD5 | 024547ee3841ed6035b7bb9866452713 |
| SHA1 | 8f1c8a12cecaeb4f15f3d2a3332073a0b1aefb36 |
| SHA256 | f89e565d3e73984e9b538fba979c8798f06775706cde8ecd1a921c61fecf2d28 |
| SHA512 | fc846fa5432d41973f30c4ee16b197079fb344322d1023c5bf31aa1bbab72d53094f2b17422471a292fbc9250dcb176b6ae2b78a883087689ca2bb9db1205545 |
C:\Users\Admin\AppData\Local\Temp\b159923
| MD5 | d39e706474d16261ec9b1cb57adbd1ee |
| SHA1 | a0b19ed7e6ceb4ef12fedf717f019b1c6f07864a |
| SHA256 | 21a8d114f403a17e319eed493d5bd411201fdc8a6077d6da016fba16cc711135 |
| SHA512 | 0e786655120af5cff93bb574aa1568fccdebcaf0ffe56ce4338a407947b9cc4b34f4e2be6f4300f9d868e5160b5129a98a1c04c359efe3e2ff7a7b365eb12699 |
C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe
| MD5 | 7c6730f484b1727b976fdad0f565b048 |
| SHA1 | c8a4a74d3a6e6025614d689a632dda845a7a8ec1 |
| SHA256 | d39f60dbce9c26f2b6336d8b8931f6bcb949022413d602344432eca8cdea8b45 |
| SHA512 | a3a763902e78c0d9ebaff810df2208cebfb22dbe9f7059dc641c301f7f88469cd52e1d04eaed9029ec7e045328fa062e56dad5b5b418a6a65a1511c1d266baad |
C:\Users\Admin\AppData\Local\Temp\110d2f45
| MD5 | 388667ede854ace9db095fe44c660697 |
| SHA1 | aea9cf775e19bca4aa3d371c2a63c558bb43c77a |
| SHA256 | 25e56853d565a313574317ddd22ac95e8c4bb742b3fb0773a4d8dbed62d14b79 |
| SHA512 | 0c8b5a5385fdd91619c0c271d526a0a8b0dcf7170452b3cd0f4ebb9549ca2761cc9661d86a8a85a90e5db6d884d14ddeeae8c83b1c40e1c0197743220222e94d |
C:\Users\Admin\AppData\Local\Temp\e479e61
| MD5 | 893841decbf4c6332ed2875006d01aea |
| SHA1 | 56dbe95018c3b2ce9d0d5c3bc6f618bf854ae319 |
| SHA256 | 24d16abe464ff47607b8cc6f9c46dc2664789b3b6c4cb71bff68f873340f2efa |
| SHA512 | 47a6a05a24558df37a276e411d1adc06a4d6caca7230f6fb9f14d88e5b9af8160d11cdbf7626acc34ae204001000cd58393868366853f991d9e89ee7810cbb38 |
C:\Users\Admin\AppData\Local\Temp\143a3d6b
| MD5 | 1f6c231ab1add6380bcdcadda16d6ac1 |
| SHA1 | ad820342b92e92e04584d643f474a7b73dcd3257 |
| SHA256 | 7ad83f3bf45cbe15e7bc562215544f6233e6354f8e7be26cdd8e3afc91cafef9 |
| SHA512 | 25e33a57c9b455dcea59df74831aa10f35ec8bd025e7acec472b337733e7f99fbc6c29be6be51331b847a3c65044b151dbc74ba9352e650d3f77f4a29ca064a2 |
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
| MD5 | 0fb684cc15d197c0b937e5528359d7c8 |
| SHA1 | 7d963246f52f42012bdcddb31214283c84c954ed |
| SHA256 | e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260 |
| SHA512 | c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wip2ral0.vuk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |