Malware Analysis Report

2024-11-15 06:25

Sample ID 240705-yx2j2sxcmb
Target infected.zip
SHA256 78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac
Tags
lumma spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac

Threat Level: Known bad

The file infected.zip was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Executes dropped EXE

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are present in this export of the report.

Analysis: static1

Detonation Overview

Reported

2024-07-05 20:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 20:10

Reported

2024-07-05 20:15

Platform

win10v2004-20240704-en

Max time kernel

165s

Max time network

204s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip

Signatures

Lumma Stealer

stealer lumma

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1720 set thread context of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (privilege LUID 35, i.e. SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Note: all four adjustments are made by the 7-Zip GUI while extracting the archive (restoring ACLs and handling symbolic links), not by the sample; they are listed because the sandbox records every AdjustTokenPrivileges call in the run.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19623:96:7zEvent11900

C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe
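The injection signature above (Setup.exe, PID 1720, setting the thread context of more.com, PID 4232) is the part of this run worth turning into a detection. The check below is an added example written for this page, not sandbox or vendor code. It mirrors the report's PIDs and image paths in constructed event records; the parent PIDs, the Explorer PID 9000 and the benign control rows are assumptions, because the report lists processes flat without parent links.

```python
"""Process-chain check for the behavioral1 pattern: an executable running from
the user's Temp directory starts a Windows binary (here SysWOW64\more.com)
and then sets that process's thread context.

Added example for this page; event records are constructed, not a real export."""
import re
from dataclasses import dataclass

USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WINDOWS_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class SetThreadContext:
    """Mirrors the sandbox's 'set thread context' signature (source -> target PID)."""
    source_pid: int
    target_pid: int


def detect(events):
    """Return alert strings for (a) Windows binaries whose parent runs from a user
    Temp directory and (b) cross-process thread-context writes from such a parent
    into a Windows binary. Events must be in creation order."""
    procs = {e.pid: e for e in events if isinstance(e, ProcessCreate)}
    alerts = []
    for e in events:
        if isinstance(e, ProcessCreate):
            parent = procs.get(e.ppid)
            if parent and WINDOWS_RE.match(e.image) and USER_TEMP_RE.search(parent.image):
                alerts.append(f"temp_parent: {parent.image} (pid {parent.pid}) "
                              f"started {e.image} (pid {e.pid})")
        elif isinstance(e, SetThreadContext):
            src, dst = procs.get(e.source_pid), procs.get(e.target_pid)
            if (src and dst and src.pid != dst.pid
                    and USER_TEMP_RE.search(src.image) and WINDOWS_RE.match(dst.image)):
                alerts.append(f"thread_context: pid {src.pid} ({src.image}) "
                              f"-> pid {dst.pid} ({dst.image})")
    return alerts


# Constructed from the report: PIDs 1720 and 4232 and the image paths are the
# report's; the parent links and Explorer's PID 9000 are assumptions.
REPORT_EVENTS = [
    ProcessCreate(9000, 1, r"C:\Windows\Explorer.exe"),
    ProcessCreate(1720, 9000, r"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"),
    ProcessCreate(4232, 1720, r"C:\Windows\SysWOW64\more.com"),
    SetThreadContext(1720, 4232),
]

# Constructed benign control: a shell piping output through more.com must not alert.
BENIGN_EVENTS = [
    ProcessCreate(9000, 1, r"C:\Windows\Explorer.exe"),
    ProcessCreate(5001, 9000, r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(5002, 5001, r"C:\Windows\System32\more.com"),
]

if __name__ == "__main__":
    for alert in detect(REPORT_EVENTS):
        print(alert)
```

On a real endpoint the process-creation rule is the durable half of this: Sysmon Event ID 1 (or Windows 4688 with parent image logging) shows more.com being started by a Temp-resident executable. The thread-context half is weaker there, because a parent that creates its child suspended already holds the handles it needs and never calls OpenProcess, so Sysmon's ProcessAccess event (ID 10) is not guaranteed to fire.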

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | unwielldyzpwo.shop | udp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp
US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp
US | 8.8.8.8:53 | downloadfile123.xyz | udp

Files

C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

MD5 f975a2d83d63a473fa2fc5206b66bb79
SHA1 e49d21f112ab27ae0953aff30ae122440cf164b9
SHA256 6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
SHA512 4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll

MD5 b37d0df4c44e4e1e9502f6b90adbd73d
SHA1 2164d4fd7184f2ed4ebb225f2ea36b84c001f7ee
SHA256 0b16174a0a47cfcabf5dd427e56355b806467ac3284d5d55f66aa19fbcf91e92
SHA512 f5fbb1d506835a4cedd2843a7ff1e1b750ad0c147730e9de521de0c1b67cece4ded32ea0bf153341f9fe6630febb7af785b117d4c49fdfe01e65a18fc450a265

C:\Users\Admin\AppData\Local\Temp\Program\test.asp

MD5 012206c2a828f8687db2a3e5e878068f
SHA1 ee75d067cebca73b982546e1d4c7c7cf32569e8a
SHA256 42f229a1430516ca02825a0b8ead2aa296c1a1cd7e1b41165d918e6657fe4ac4
SHA512 8a0c894cdf75f675b692a3e5fd0db278536c7b8044490fd1a83b47ca606996d9d36190017f33ff9874e0223dd6e2dbb9f5173c870d501e0ae57fbc2bb6ca323b

C:\Users\Admin\AppData\Local\Temp\Program\caret.xls

MD5 4d4b5ccd0ff38d099e68792ee07c4a99
SHA1 f529d6bb59e1edd6ee57b7ceca20afaa2272d157
SHA256 90b7b1dbc330af1f1d80403bacb25b46506b666aa9182fef90aaec5d612507a7
SHA512 b8113fef6c0e7dea4ad6615fa0a451e72f481d72691d9f4001196be7784df8620ea8b7c00456a546204e0540580eaa13a4bb7ed18ef90ba7a7022682573484f6

memory/1720-36-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp

memory/1720-40-0x00007FFDA6460000-0x00007FFDA647C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d8928b9a

MD5 c5adcef29ab7b7bd62fae63abab9188d
SHA1 fbb16ddb70d87f46d104c3d0f2326f792b71a768
SHA256 ae25c79823a569ce6914fd5ec487d3ccb0137ef518e2b005f500a5ad9e83853a
SHA512 31ab8c3a4890aedc4a19160ab503bdd0d5934837f5a98104d7863ec12fc5a114e67c4e5c43150b6fc9cd324bad60bdefe425b9072aaf28b4b32a8253600dbfc6

memory/4232-44-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp

memory/4232-45-0x0000000075B00000-0x0000000075B14000-memory.dmp

memory/1908-47-0x00007FFDB04F0000-0x00007FFDB06E5000-memory.dmp

memory/1908-48-0x0000000000180000-0x00000000001D8000-memory.dmp

memory/1908-49-0x0000000000180000-0x00000000001D8000-memory.dmp
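The network and Files tables above mix real indicators with sandbox noise: the 8.8.8.8 rows are the sandbox's own resolver, the in-addr.arpa names are reverse lookups of addresses the sandbox saw traffic to (56.73.21.104.in-addr.arpa decodes to the 104.21.73.56 peer), downloadfile123.xyz was only queried and never connected to, and 104.21.73.56 sits in Cloudflare's 104.16.0.0/12 range, so the domain and file hashes are the durable IOCs rather than the address. The script below is an added example written for this page, not Triage output or tooling: it copies the report's rows and hashes as constructed data, uses the behavioral2 network rows from the next run (where the payload never launched) as a negative control, and treats the resolver address and the noise suffix list as assumptions to be tuned per environment.

```python
"""IOC triage over the behavioral1 network and Files tables.

Added example for this page (not Triage code). Row data and hashes are copied
from the report; SANDBOX_RESOLVER and NOISE_SUFFIXES are assumptions."""
import re

# (country, destination, domain, proto) rows copied from the behavioral1 network table
BEHAVIORAL1_ROWS = [
    ("US", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "192.142.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "208.143.182.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "unwielldyzpwo.shop", "udp"),
    ("US", "104.21.73.56:443", "unwielldyzpwo.shop", "tcp"),
    ("US", "8.8.8.8:53", "56.73.21.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "downloadfile123.xyz", "udp"),
]
# behavioral2 rows (Windows 11 run in which the payload never launched): negative control
BEHAVIORAL2_ROWS = [
    ("GB", "92.123.142.177:443", "", "tcp"),
    ("GB", "184.28.176.67:443", "r.bing.com", "tcp"),
    ("US", "20.42.65.94:443", "browser.pipe.aria.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "67.176.28.184.in-addr.arpa", "udp"),
]
# hashes copied from the behavioral1 Files table, keyed by file name
DROPPED_FILES = {
    "Setup.exe": {"md5": "f975a2d83d63a473fa2fc5206b66bb79",
                  "sha256": "6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8"},
    "msedge_elf.dll": {"md5": "b37d0df4c44e4e1e9502f6b90adbd73d",
                       "sha256": "0b16174a0a47cfcabf5dd427e56355b806467ac3284d5d55f66aa19fbcf91e92"},
    "d8928b9a": {"md5": "c5adcef29ab7b7bd62fae63abab9188d",
                 "sha256": "ae25c79823a569ce6914fd5ec487d3ccb0137ef518e2b005f500a5ad9e83853a"},
}

SANDBOX_RESOLVER = "8.8.8.8"                      # assumption: the sandbox's DNS server, not an IOC
NOISE_SUFFIXES = (".microsoft.com", ".bing.com")  # assumption: background Windows/Edge traffic


def ptr_to_ip(name):
    """Decode an in-addr.arpa query name to the IPv4 address it asks about, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name.strip(), re.I)
    return ".".join(reversed(m.groups())) if m else None


def extract_iocs(rows):
    """Separate contacted domains and addresses from resolver, PTR and telemetry noise."""
    domains, ips, bare_ips, ptr_ips = set(), set(), set(), set()
    for _country, dest, domain, _proto in rows:
        host = dest.rpartition(":")[0]
        ptr = ptr_to_ip(domain)
        if ptr:                      # sandbox reverse-lookup of an address it saw traffic to
            ptr_ips.add(ptr)
            continue
        if domain.lower().endswith(NOISE_SUFFIXES):
            continue
        if domain:
            domains.add(domain.lower())
        elif host != SANDBOX_RESOLVER:
            bare_ips.add(host)       # TLS to an address with no name in the capture
        if host != SANDBOX_RESOLVER:
            ips.add(host)
    return {
        "domains": sorted(domains),
        "ips": sorted(ips),
        "ptr_corroborated": sorted(ips & ptr_ips),  # seen both as a peer and in a PTR query
        "unattributed_ips": sorted(bare_ips),
    }


def match_hash(digest):
    """Look a digest up in DROPPED_FILES; the algorithm is inferred from its length."""
    digest = digest.strip().lower()
    algo = {32: "md5", 64: "sha256"}.get(len(digest))
    if algo is None:
        return None
    return next((name for name, h in DROPPED_FILES.items() if h[algo] == digest), None)


if __name__ == "__main__":
    print(extract_iocs(BEHAVIORAL1_ROWS))
    print(extract_iocs(BEHAVIORAL2_ROWS))
    print(match_hash("F975A2D83D63A473FA2FC5206B66BB79"))
```

For the behavioral1 rows this yields unwielldyzpwo.shop and downloadfile123.xyz as domains and 104.21.73.56 as the only contacted address, corroborated by the sandbox's own PTR query for it; for the behavioral2 rows nothing survives except the bare 92.123.142.177:443 connection, which is exactly the kind of unnamed TLS peer an analyst still reviews by hand rather than blocks.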

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 20:10

Reported

2024-07-05 20:13

Platform

win11-20240704-en

Max time kernel

152s

Max time network

155s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
GB | 92.123.142.177:443 | (none) | tcp
GB | 184.28.176.67:443 | r.bing.com | tcp
US | 20.42.65.94:443 | browser.pipe.aria.microsoft.com | tcp
US | 8.8.8.8:53 | 67.176.28.184.in-addr.arpa | udp

Files

N/A