Malware Analysis Report

2024-11-15 06:25

Sample ID: 240705-yxdszsxckf
Target: infected.zip
SHA256: 78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac
Tags: spyware, lumma, stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac

Threat Level: Known bad

The file infected.zip was found to be: Known bad.

Malicious Activity Summary

Tags: spyware, lumma, stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-05 20:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 147s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 92s
Max time network: 99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3192 wrote to memory of 1576 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 90s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1380 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp

Files

memory/1380-0-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp

memory/1380-4-0x00007FFBF2578000-0x00007FFBF2579000-memory.dmp

memory/1380-5-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp

memory/1380-6-0x00007FFBF2560000-0x00007FFBF257C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ef8d57fc

MD5 179d2698cb7977135b9d6d37ddbb6537
SHA1 9d73bdbca18e7553f4425e500cb2855eaf2e397b
SHA256 61d1518e85e793b86067ec99de7d20d8ff3256086cfc49c1b7e7aa2bb580dd88
SHA512 5ace100c290c3384e0063202caf758b8604725f0255c3d18cc01feb93ee681eef8dd3be19d47de3075c52e6b68e714a28b1905e1a389ca7ffedf6a0bc9ccaf4e

memory/1904-10-0x00007FFBF7D00000-0x00007FFBF7F09000-memory.dmp

memory/1904-11-0x00000000758D0000-0x00000000758E5000-memory.dmp

memory/1904-12-0x00000000758DE000-0x00000000758E0000-memory.dmp

memory/1904-13-0x00000000758D0000-0x00000000758E5000-memory.dmp

memory/1904-15-0x00000000758D0000-0x00000000758E5000-memory.dmp

memory/4500-16-0x00007FFBF7D00000-0x00007FFBF7F09000-memory.dmp

memory/4500-17-0x0000000000C80000-0x0000000000CD8000-memory.dmp

memory/4500-18-0x0000000000F8B000-0x0000000000F92000-memory.dmp

memory/4500-19-0x0000000000C80000-0x0000000000CD8000-memory.dmp

memory/1904-20-0x00000000758DE000-0x00000000758E0000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 135s
Max time network: 145s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4000-0-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-2-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-1-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-3-0x00007FFB9A28D000-0x00007FFB9A28E000-memory.dmp

memory/4000-4-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-6-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-7-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-5-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-10-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-12-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-11-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-13-0x00007FFB57990000-0x00007FFB579A0000-memory.dmp

memory/4000-9-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-14-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-8-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-18-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-17-0x00007FFB57990000-0x00007FFB579A0000-memory.dmp

memory/4000-19-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-16-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-15-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 95f6efd168a1689831f7e70fc3e80364
SHA1 72cf55207312c9aa4c11fee48c3eec41bbb1ac3d
SHA256 b4c49315bca61033ca430ffeaf42757e5176ca4911e4e0c90244bf4572c45ab6
SHA512 c8ee4c6d25a08a4ffe53ab3a3590fd18c474faec16091e6f5bf7d0e01470a2135f200d322080879df46e168fc7944d860938ef238d255316a4055168d9cb7c25

memory/4000-31-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

memory/4000-45-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-46-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-48-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-47-0x00007FFB5A270000-0x00007FFB5A280000-memory.dmp

memory/4000-49-0x00007FFB9A1F0000-0x00007FFB9A3E5000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 93s
Max time network: 95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 91s
Max time network: 100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 7s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 92s
Max time network: 99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 101s
Max time network: 131s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Program\caret.xls"

Network

Files

memory/3000-0-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-4-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-6-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-7-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-10-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-9-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-13-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-14-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-15-0x00007FF8BF310000-0x00007FF8BF320000-memory.dmp

memory/3000-12-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-16-0x00007FF8BF310000-0x00007FF8BF320000-memory.dmp

memory/3000-18-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-20-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-19-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-17-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-22-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-21-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-11-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-8-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-3-0x00007FF901663000-0x00007FF901664000-memory.dmp

memory/3000-5-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-2-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-1-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-25-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

memory/3000-40-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-39-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-42-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-41-0x00007FF8C1650000-0x00007FF8C1660000-memory.dmp

memory/3000-43-0x00007FF9015C0000-0x00007FF9017C9000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/3044-0-0x00007FFA41813000-0x00007FFA41815000-memory.dmp

memory/3044-1-0x0000000000E80000-0x0000000001070000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 147s
Max time network: 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 147s
Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\VersionStable.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 93s
Max time network: 95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Injecting.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 149s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\AlphaFS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 90s
Max time network: 96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\Program\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Files

memory/576-0-0x00007FFCB0E53000-0x00007FFCB0E55000-memory.dmp

memory/576-1-0x0000000000820000-0x0000000000A10000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 4464 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:10
Platform: win11-20240704-en
Max time kernel: 13s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\msedge_elf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 94s
Max time network: 150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Program\test.asp

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240508-en
Max time kernel: 146s
Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 93s
Max time network: 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3292 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

memory/3292-0-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp

memory/3292-5-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp

memory/3292-4-0x00007FFF63FA8000-0x00007FFF63FA9000-memory.dmp

memory/3292-6-0x00007FFF63F90000-0x00007FFF63FAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\605d7702

MD5 c4b4ded2f38b63eba7723b3748eaa1eb
SHA1 b310e859c793a1f0dd7cfb47fe28bc3124ab5a8b
SHA256 03e25e9cd744a90fb83141cb454f44f703ad7e1e783aba5f0e5c56923488d5af
SHA512 e0c04f4df6e95bda64f55b2ad513f7826368faa2718fd4ece0532b58191fe355868116e553608002365f02681d64c2982f7a87db4b81c06b7111d75eba1d926d

memory/2820-10-0x00007FFF6AEB0000-0x00007FFF6B0A5000-memory.dmp

memory/2820-11-0x0000000075C30000-0x0000000075C44000-memory.dmp

memory/2820-13-0x0000000075C30000-0x0000000075C44000-memory.dmp

memory/2820-12-0x0000000075C3E000-0x0000000075C40000-memory.dmp

memory/2820-15-0x0000000075C30000-0x0000000075C44000-memory.dmp

memory/2156-16-0x00007FFF6AEB0000-0x00007FFF6B0A5000-memory.dmp

memory/2156-17-0x0000000000CE0000-0x0000000000D38000-memory.dmp

memory/2156-18-0x0000000000C4B000-0x0000000000C52000-memory.dmp

memory/2156-19-0x0000000000CE0000-0x0000000000D38000-memory.dmp

memory/2820-20-0x0000000075C3E000-0x0000000075C40000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 94s
Max time network: 96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Debugs\License.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 91s
Max time network: 99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2828 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2828 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2828 wrote to memory of 3508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 452

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win11-20240704-en
Max time kernel: 90s
Max time network: 101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2068 wrote to memory of 608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2068 wrote to memory of 608 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 608 -ip 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 472

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2024-07-05 20:09
Reported: 2024-07-05 20:12
Platform: win10v2004-20240704-en
Max time kernel: 93s
Max time network: 100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Program\Libs\Extreme.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A