Analysis Overview
SHA256
a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1
Threat Level: Known bad
The file a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Observed chain (from the detonations below): the unsigned sample, run from the user's Temp directory, starts C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe, a legitimate Windows binary, then writes into that process and sets its thread context (PID 2664 -> 4772 on Windows 10, PID 4216 -> 2052 on Windows 11). That combination is the classic shape of process hollowing: the trusted image name survives, the code running inside it does not. Process enumeration is attributed to the BitLockerToGo.exe process in both runs, and both runs contact lyingchemicow.shop on TCP/443 (the report does not tie the connections to a specific process). Memory dumps are captured for both the parent image and the injected child region.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 04:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 04:03
Reported
2024-07-05 04:07
Platform
win10v2004-20240704-en
Max time kernel
92s
Max time network
129s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2664 set thread context of 4772 | N/A | C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
"C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyingchemicow.shop | udp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 8.8.8.8:53 | 207.44.21.104.in-addr.arpa | udp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2664-2-0x00007FF63A820000-0x00007FF63B114000-memory.dmp
memory/4772-5-0x0000000000660000-0x00000000006B7000-memory.dmp
memory/2664-6-0x00007FF63A820000-0x00007FF63B114000-memory.dmp
memory/4772-8-0x0000000000660000-0x00000000006B7000-memory.dmp
memory/4772-9-0x0000000000660000-0x00000000006B7000-memory.dmp
memory/4772-10-0x0000000000660000-0x00000000006B7000-memory.dmp
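The SetThreadContext rows above are the strongest single indicator in this report. As an added example (editor's code, not the sandbox's own signature engine), the script below parses rows in the report's table format and scores each cross-process SetThreadContext event for the hollowing pattern: cross-process, source and target images differ, source runs from a user-writable path, target is a binary under C:\Windows. The two sample rows are copied from both detonations on this page; the path heuristics and the verdict thresholds are assumptions and are marked as such in the comments.

```python
"""Score sandbox SetThreadContext rows for a process-hollowing pattern.

Added example, not code from the sandbox. Input rows are constructed from the
'Suspicious use of SetThreadContext' tables of both detonations above.
"""
import re
from dataclasses import dataclass
from ntpath import basename, join as ntjoin

SAMPLE_NAME = "a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe"
SRC_IMAGE = ntjoin(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE_NAME)
HOLLOW_TARGET = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

# Constructed sample input: the two rows reported above (behavioral1, behavioral2).
SAMPLE_ROWS = "\n".join(
    f"| PID {src} set thread context of {dst} | N/A | {SRC_IMAGE} | {HOLLOW_TARGET} |"
    for src, dst in ((2664, 4772), (4216, 2052))
)

# Matches '| PID <src> set thread context of <dst> | <indicator> | <process> | <target> |'
ROW_RE = re.compile(
    r"^\|\s*PID\s+(?P<src>\d+)\s+set thread context of\s+(?P<dst>\d+)\s*\|"
    r"[^|]*\|\s*(?P<src_image>[^|]+?)\s*\|\s*(?P<dst_image>[^|]+?)\s*\|\s*$"
)

# Assumption: path fragments an unprivileged user can write under. A PE launched
# from one of these that manipulates a C:\Windows process is the hollowing shape.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass(frozen=True)
class ThreadContextEvent:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(text: str) -> list[ThreadContextEvent]:
    """Parse every SetThreadContext table row; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(ThreadContextEvent(int(m["src"]), int(m["dst"]),
                                             m["src_image"], m["dst_image"]))
    return events


def from_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def assess(ev: ThreadContextEvent) -> dict:
    """Collect the reasons an event looks like hollowing and derive a verdict."""
    reasons = []
    cross_process = ev.src_pid != ev.dst_pid
    if cross_process:
        reasons.append("thread context set in another process")
    if basename(ev.src_image).lower() != basename(ev.dst_image).lower():
        reasons.append("source and target images differ")
    if from_user_writable(ev.src_image):
        reasons.append("source image runs from a user-writable path")
    if is_system_image(ev.dst_image):
        reasons.append("target is a binary under C:\\Windows (trusted image name)")
    # Assumption: all four signals together is the hollowing pattern; a
    # cross-process call with any other signal is still worth a look.
    if len(reasons) == 4:
        verdict = "process-hollowing pattern"
    elif cross_process and len(reasons) > 1:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"src_pid": ev.src_pid, "dst_pid": ev.dst_pid,
            "target": basename(ev.dst_image), "verdict": verdict, "reasons": reasons}


def assess_all(text: str) -> list[dict]:
    return [assess(ev) for ev in parse_rows(text)]


if __name__ == "__main__":
    for finding in assess_all(SAMPLE_ROWS):
        print(f"PID {finding['src_pid']} -> {finding['dst_pid']} ({finding['target']}): "
              f"{finding['verdict']}; " + "; ".join(finding["reasons"]))
```

In a real EDR feed the equivalent signals are a CreateProcess with a suspended main thread followed by NtWriteVirtualMemory and SetThreadContext from the parent; the sandbox rows only expose the last step, which is why the path heuristics carry the weight here.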
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 04:03
Reported
2024-07-05 04:06
Platform
win11-20240704-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4216 set thread context of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe
"C:\Users\Admin\AppData\Local\Temp\a173db1e8568fc4b00f326d52af0fea19c59639c486d9975589edfd8f1a11da1.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lyingchemicow.shop | udp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
Files
memory/2052-4-0x0000000000DE0000-0x0000000000E37000-memory.dmp
memory/2052-7-0x0000000000DE0000-0x0000000000E37000-memory.dmp
memory/4216-5-0x00007FF6B13A0000-0x00007FF6B1C94000-memory.dmp
memory/2052-8-0x0000000000DE0000-0x0000000000E37000-memory.dmp
memory/2052-9-0x0000000000DE0000-0x0000000000E37000-memory.dmp
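Most rows in the two Network tables are not indicators: the 8.8.8.8:53 destinations are the sandbox resolver, the *.in-addr.arpa names are reverse lookups the platform performs on IPs it has already seen, and g.bing.com is Windows background traffic. The only attacker-controlled name is lyingchemicow.shop, which resolved to 104.21.44.207 in the Windows 10 run and 172.67.203.179 in the Windows 11 run. As an added example (editor's code, not part of the report), the script below parses rows in the report's table format, discards that noise, aggregates per domain, and flags IPs that fall in published Cloudflare ranges so they are not mistaken for a stable blocking indicator. The sample rows are a subset of the tables above (constructed input); the benign-domain list and the prefix subset are assumptions and are marked as such in the comments.

```python
"""Extract actionable network IOCs from sandbox network-table rows.

Added example, not code from the sandbox. Sample rows are a subset of the
Network tables above; see comments for which lists are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: a subset of the rows reported above (both detonations).
SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | lyingchemicow.shop | udp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 8.8.8.8:53 | 207.44.21.104.in-addr.arpa | udp |
| US | 104.21.44.207:443 | lyingchemicow.shop | tcp |
| US | 8.8.8.8:53 | lyingchemicow.shop | udp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
| US | 172.67.203.179:443 | lyingchemicow.shop | tcp |
"""

# '| <country> | <ip>:<port> | <domain> | <proto> |'; the header row does not match.
ROW_RE = re.compile(
    r"^\|\s*(?P<cc>\w+)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)

# Assumption: OS background traffic seen in clean detonations, not attacker infra.
BENIGN_DOMAINS = {"g.bing.com"}
# Assumption: the sandbox's upstream resolver; queries to it are not themselves IOCs.
RESOLVERS = {"8.8.8.8"}
# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4,
# copied by the editor. Hits mean the IP is shared CDN edge, not the operator's server.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13")]


def parse_rows(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_noise(row: dict) -> bool:
    """Reverse lookups and known background domains carry no attacker signal."""
    return row["domain"].endswith(".in-addr.arpa") or row["domain"] in BENIGN_DOMAINS


def behind_cdn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def extract_iocs(text: str) -> dict:
    """Aggregate non-noise rows per domain: resolved IPs, ports, query and connection counts."""
    iocs = defaultdict(lambda: {"ips": set(), "ports": set(), "dns_queries": 0,
                                "connections": 0, "cdn_fronted": False})
    for row in parse_rows(text):
        if is_noise(row):
            continue
        entry = iocs[row["domain"]]
        if row["ip"] in RESOLVERS and row["port"] == "53":
            entry["dns_queries"] += 1          # the lookup is evidence, the resolver is not
            continue
        entry["ips"].add(row["ip"])
        entry["ports"].add(int(row["port"]))
        entry["connections"] += 1
        entry["cdn_fronted"] = entry["cdn_fronted"] or behind_cdn(row["ip"])
    return dict(iocs)


def domain_blocklist(iocs: dict) -> list[str]:
    """Domains are the durable indicator here; block or sinkhole these."""
    return sorted(iocs)


def ip_block_candidates(iocs: dict) -> set[str]:
    """IPs safe to block outright: only those not sitting on shared CDN edge."""
    return {ip for e in iocs.values() if not e["cdn_fronted"] for ip in e["ips"]}


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_NETWORK)
    for domain, e in found.items():
        print(domain, sorted(e["ips"]), sorted(e["ports"]),
              f"dns={e['dns_queries']} conn={e['connections']} cdn_fronted={e['cdn_fronted']}")
    print("block domains:", domain_blocklist(found))
    print("block IPs:", ip_block_candidates(found) or "none (all CDN-fronted)")
```

The practical consequence for this sample: detection belongs on the DNS query or TLS SNI for lyingchemicow.shop, not on 104.21.44.207 or 172.67.203.179, which change between runs and serve unrelated tenants.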