Analysis Overview
SHA256
109a657adb755ec3cd536f673f0c72061ad6fc2bd501170f4d6ff29881cfac96
Threat Level: Known bad
The file 109a657adb755ec3cd536f673f0c72061ad6fc2bd501170f4d6ff29881cfac96 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 02:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 02:25
Reported
2024-07-05 02:28
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1728 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe
"C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
Files
memory/3020-4-0x0000000000210000-0x0000000000267000-memory.dmp
memory/3020-9-0x0000000000210000-0x0000000000267000-memory.dmp
memory/3020-8-0x0000000000210000-0x0000000000267000-memory.dmp
memory/3020-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3020-5-0x0000000000210000-0x0000000000267000-memory.dmp
memory/1728-10-0x000000013FBA0000-0x00000001400EB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 02:25
Reported
2024-07-05 02:28
Platform
win10v2004-20240704-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3716 set thread context of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe
"C:\Users\Admin\AppData\Local\Temp\6c3496832cdffffedde13f9c75138ee62dd968eaa26bc23e1cbc082e638c3513.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stationacutwo.shop | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 239.172.67.172.in-addr.arpa | udp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 172.67.172.239:443 | stationacutwo.shop | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/4492-4-0x0000000001090000-0x00000000010E7000-memory.dmp
memory/3716-5-0x00007FF703D10000-0x00007FF70425B000-memory.dmp
memory/4492-7-0x0000000001090000-0x00000000010E7000-memory.dmp
memory/4492-8-0x0000000001090000-0x00000000010E7000-memory.dmp
memory/4492-9-0x0000000001090000-0x00000000010E7000-memory.dmp