Analysis Overview
SHA256
78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac
Threat Level: Known bad
The file infected.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-05 20:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-05 20:10
Reported
2024-07-05 20:15
Platform
win10v2004-20240704-en
Max time kernel
165s
Max time network
204s
Command Line
Signatures
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1720 set thread context of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1720 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1720 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1720 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1720 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4232 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4232 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4232 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4232 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19623:96:7zEvent11900
C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | downloadfile123.xyz | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe
| MD5 | f975a2d83d63a473fa2fc5206b66bb79 |
| SHA1 | e49d21f112ab27ae0953aff30ae122440cf164b9 |
| SHA256 | 6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8 |
| SHA512 | 4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64 |
C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll
| MD5 | b37d0df4c44e4e1e9502f6b90adbd73d |
| SHA1 | 2164d4fd7184f2ed4ebb225f2ea36b84c001f7ee |
| SHA256 | 0b16174a0a47cfcabf5dd427e56355b806467ac3284d5d55f66aa19fbcf91e92 |
| SHA512 | f5fbb1d506835a4cedd2843a7ff1e1b750ad0c147730e9de521de0c1b67cece4ded32ea0bf153341f9fe6630febb7af785b117d4c49fdfe01e65a18fc450a265 |
C:\Users\Admin\AppData\Local\Temp\Program\test.asp
| MD5 | 012206c2a828f8687db2a3e5e878068f |
| SHA1 | ee75d067cebca73b982546e1d4c7c7cf32569e8a |
| SHA256 | 42f229a1430516ca02825a0b8ead2aa296c1a1cd7e1b41165d918e6657fe4ac4 |
| SHA512 | 8a0c894cdf75f675b692a3e5fd0db278536c7b8044490fd1a83b47ca606996d9d36190017f33ff9874e0223dd6e2dbb9f5173c870d501e0ae57fbc2bb6ca323b |
C:\Users\Admin\AppData\Local\Temp\Program\caret.xls
| MD5 | 4d4b5ccd0ff38d099e68792ee07c4a99 |
| SHA1 | f529d6bb59e1edd6ee57b7ceca20afaa2272d157 |
| SHA256 | 90b7b1dbc330af1f1d80403bacb25b46506b666aa9182fef90aaec5d612507a7 |
| SHA512 | b8113fef6c0e7dea4ad6615fa0a451e72f481d72691d9f4001196be7784df8620ea8b7c00456a546204e0540580eaa13a4bb7ed18ef90ba7a7022682573484f6 |
memory/1720-36-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp
memory/1720-40-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d8928b9a
| MD5 | c5adcef29ab7b7bd62fae63abab9188d |
| SHA1 | fbb16ddb70d87f46d104c3d0f2326f792b71a768 |
| SHA256 | ae25c79823a569ce6914fd5ec487d3ccb0137ef518e2b005f500a5ad9e83853a |
| SHA512 | 31ab8c3a4890aedc4a19160ab503bdd0d5934837f5a98104d7863ec12fc5a114e67c4e5c43150b6fc9cd324bad60bdefe425b9072aaf28b4b32a8253600dbfc6 |
memory/4232-44-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp
memory/4232-45-0x0000000075B00000-0x0000000075B14000-memory.dmp
memory/1908-47-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp
memory/1908-48-0x0000000000180000-0x00000000001D8000-memory.dmp
memory/1908-49-0x0000000000180000-0x00000000001D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-05 20:10
Reported
2024-07-05 20:13
Platform
win11-20240704-en
Max time kernel
152s
Max time network
155s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 92.123.142.177:443 | | tcp |
| GB | 184.28.176.67:443 | r.bing.com | tcp |
| US | 20.42.65.94:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 67.176.28.184.in-addr.arpa | udp |