Malware Analysis Report

2024-11-15 06:25

Sample ID 240706-bgs7ea1dmn
Target 12e1b33c544e30e8924c46ba16fe3e79.bin
SHA256 a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c

Threat Level: Known bad

The file 12e1b33c544e30e8924c46ba16fe3e79.bin was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

130s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4712 set thread context of 208 N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,8550138573348074061,7308779696487990535,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=2968,i,8550138573348074061,7308779696487990535,262144 --variations-seed-version --mojo-platform-channel-handle=2980 /prefetch:3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 56.73.21.104.in-addr.arpa udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4712-0-0x00007FF841820000-0x00007FF84183C000-memory.dmp

memory/4712-4-0x00007FF841838000-0x00007FF841839000-memory.dmp

memory/4712-5-0x00007FF841820000-0x00007FF84183C000-memory.dmp

memory/4712-6-0x00007FF841820000-0x00007FF84183C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2be2be4f

MD5 c94b302bb7788793d198ef48c505405e
SHA1 d8f8a6cf0f737e15d2be3051cf32f022fb820c35
SHA256 a368907eb5634032e4129ed82ec8a837c9fecaf230f8180b5bcff93a5767a8e2
SHA512 3c7c14916cd2b3f5c32480e488e147f987e5a7f4c424dee071f9b6f3d2ce3cf4489d48b0044e47f91f4981379a342c19dc4d2acd400135934a60c3bfdac07c31

memory/208-10-0x00007FF84B270000-0x00007FF84B465000-memory.dmp

memory/208-11-0x0000000075190000-0x00000000751A4000-memory.dmp

memory/208-13-0x0000000075190000-0x00000000751A4000-memory.dmp

memory/208-12-0x000000007519E000-0x00000000751A0000-memory.dmp

memory/208-15-0x0000000075190000-0x00000000751A4000-memory.dmp

memory/332-16-0x00007FF84B270000-0x00007FF84B465000-memory.dmp

memory/332-17-0x0000000000660000-0x00000000006B8000-memory.dmp

memory/332-18-0x0000000000F0B000-0x0000000000F12000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/332-25-0x0000000000660000-0x00000000006B8000-memory.dmp

memory/208-27-0x000000007519E000-0x00000000751A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240704-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2292 -s 536

Network

N/A

Files

memory/2292-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

memory/2292-1-0x0000000000B50000-0x0000000000D40000-memory.dmp

memory/2292-2-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240704-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

103s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240704-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:12

Platform

win7-20240704-en

Max time kernel

117s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Network

N/A

Files

memory/1736-21-0x00000000024B0000-0x00000000024B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

memory/2780-0-0x00007FF951BB3000-0x00007FF951BB5000-memory.dmp

memory/2780-1-0x0000000000080000-0x0000000000270000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240705-en

Max time kernel

119s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3036 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3036 wrote to memory of 2384 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3036 -s 88

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:12

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

159s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

101s

Max time network

110s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4372-0-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-2-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-3-0x00007FFC360ED000-0x00007FFC360EE000-memory.dmp

memory/4372-5-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-4-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-1-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-6-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-7-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-8-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-9-0x00007FFBF3770000-0x00007FFBF3780000-memory.dmp

memory/4372-10-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-11-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-12-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-13-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-14-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-16-0x00007FFBF3770000-0x00007FFBF3780000-memory.dmp

memory/4372-15-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-19-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-20-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-18-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-17-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 ccf237ee4c8894d8e9f32b6088192757
SHA1 38248a873aee841015445fe37d19032c4e1d5a95
SHA256 72f733afd0850feaf255b5a134b31a1fa7c512c9f858002a35581c14a96817c2
SHA512 79cce476bba28ba04da8298ddd92ffbb6b963fb4f07efbbdc0a5a9f476b563b10e532fc10367dbed9d62d6d78d917cc877bc9d57f7371e2c8dcdbced30a29d14

memory/4372-32-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

memory/4372-47-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-49-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-48-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-46-0x00007FFBF60D0000-0x00007FFBF60E0000-memory.dmp

memory/4372-50-0x00007FFC36050000-0x00007FFC36245000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240704-en

Max time kernel

10s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

145s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 4928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 4928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4752 wrote to memory of 4928 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3612 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3612 wrote to memory of 2716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240705-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240705-en

Max time kernel

13s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240705-en

Max time kernel

15s

Max time network

22s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

163s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240704-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls

Network

N/A

Files

memory/2812-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2812-1-0x0000000071C4D000-0x0000000071C58000-memory.dmp

memory/2812-2-0x0000000071C4D000-0x0000000071C58000-memory.dmp

memory/2812-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2812-4-0x0000000071C4D000-0x0000000071C58000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240705-en

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1712 wrote to memory of 1716 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:10

Platform

win7-20240705-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Network

N/A

Files

N/A