Analysis Overview
SHA256
cbfc287e66b97d1c47dd11e81b188287e086c27cc4882e0ab9d5c6eef8d60c92
Threat Level: Known bad
The file !ŞetUp_51286--#PaSꞨKḙy#$$.rar was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 14:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 14:09
Reported
2024-07-05 14:12
Platform
win7-20240508-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 14:09
Reported
2024-07-05 14:12
Platform
win10v2004-20240704-en
Max time kernel
125s
Max time network
133s
Command Line
Signatures
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 452 set thread context of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 452 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 452 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 452 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 452 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2812 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2812 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2812 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2812 wrote to memory of 4816 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3764,i,5095735526234624271,6356691058050835509,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3032,i,5095735526234624271,6356691058050835509,262144 --variations-seed-version --mojo-platform-channel-handle=2384 /prefetch:3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | downloadfile123.xyz | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/452-0-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp
memory/452-4-0x00007FFA97A78000-0x00007FFA97A79000-memory.dmp
memory/452-5-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp
memory/452-6-0x00007FFA97A60000-0x00007FFA97A7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\260e4e8c
| MD5 | 65d7e154affbe8639a1e6181b9847f62 |
| SHA1 | 39248e29dc810d04785502f111d7a35b358f7c3f |
| SHA256 | 0955169f187f260c08c9b67bdbd7e54057ecf2d5e2f0dda9470e821335c62764 |
| SHA512 | 8afc98d1a978ba428a941cfa1687431b1e40525f1f833cec75b29912eb72a812d493c522b32bffffef4338c8568874d543bb4e86f76a8d48371a4a893a516212 |
memory/2812-10-0x00007FFAA51D0000-0x00007FFAA53C5000-memory.dmp
memory/2812-11-0x00000000757C0000-0x00000000757D4000-memory.dmp
memory/2812-13-0x00000000757C0000-0x00000000757D4000-memory.dmp
memory/2812-12-0x00000000757CE000-0x00000000757D0000-memory.dmp
memory/2812-15-0x00000000757C0000-0x00000000757D4000-memory.dmp
memory/4816-16-0x00007FFAA51D0000-0x00007FFAA53C5000-memory.dmp
memory/4816-17-0x0000000000810000-0x0000000000868000-memory.dmp
memory/4816-18-0x0000000000ADB000-0x0000000000AE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/4816-25-0x0000000000810000-0x0000000000868000-memory.dmp
memory/2812-26-0x00000000757CE000-0x00000000757D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |