Malware Analysis Report

2024-11-15 06:25

Sample ID 240706-cd8y5asejp
Target a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c
SHA256 a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c

Threat Level: Known bad

The file a4f7b21dc88bdcf27cbe929d4bba979f759320b53f7e826bc0a77f55ebbf866c was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\License.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240705-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 2004 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2220 -s 80

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3012 set thread context of 3412 N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 56.73.21.104.in-addr.arpa udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 downloadfile123.xyz udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3012-0-0x00007FFC2FD20000-0x00007FFC2FD3C000-memory.dmp

memory/3012-4-0x00007FFC2FD38000-0x00007FFC2FD39000-memory.dmp

memory/3012-5-0x00007FFC2FD20000-0x00007FFC2FD3C000-memory.dmp

memory/3012-6-0x00007FFC2FD20000-0x00007FFC2FD3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\544fcc85

MD5 1f91f8fd0c398fc357a064e6e990180d
SHA1 4ebef6bd3901aff518e76c6dfd7457d663002ead
SHA256 5eb272104510bfb8700a6d68e2a5051a4086c7853b8e0a32398061dd521d5c64
SHA512 51d888a7ea94318fc75852d7dca08d2f5ed6c68ab79546622d9fb53d49a1ba125530b4537ae964468f708d1438ab5f84ceaaf357f24582ddc9caa352f06bd18f

memory/3412-10-0x00007FFC36C30000-0x00007FFC36E25000-memory.dmp

memory/3412-11-0x00000000752B0000-0x00000000752C4000-memory.dmp

memory/3412-13-0x00000000752B0000-0x00000000752C4000-memory.dmp

memory/3412-12-0x00000000752BE000-0x00000000752C0000-memory.dmp

memory/3412-15-0x00000000752B0000-0x00000000752C4000-memory.dmp

memory/2332-16-0x00007FFC36C30000-0x00007FFC36E25000-memory.dmp

memory/2332-17-0x0000000000FD0000-0x0000000001028000-memory.dmp

memory/2332-18-0x00000000008BB000-0x00000000008C2000-memory.dmp

memory/3412-20-0x00000000752BE000-0x00000000752C0000-memory.dmp

memory/2332-19-0x0000000000FD0000-0x0000000001028000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

101s

Max time network

107s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3240-0-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-2-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-1-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-4-0x00007FFB927ED000-0x00007FFB927EE000-memory.dmp

memory/3240-3-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-5-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-8-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-9-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-7-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-6-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-10-0x00007FFB50580000-0x00007FFB50590000-memory.dmp

memory/3240-11-0x00007FFB50580000-0x00007FFB50590000-memory.dmp

memory/3240-14-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-16-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-18-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-21-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-19-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-17-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-20-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-15-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-13-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-12-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 53bb2b5e8ec8cfd58b6e7dcea55fcae1
SHA1 a5da3bfbc4b05017dc5d493acd0b00cc1ef72d76
SHA256 67c7181a3c54d66dedf5107aba64aefef1c835c02e4c2e98a1bfffdda21b16cf
SHA512 5925ff5edad43a159a48f42b29a7a41bf75d376ecde51444db8b051b370acf0a46bea0a8ce04a6ebf7acef16adbc768bc3e7133670051cf4b5fe2206ba66afb6

memory/3240-33-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

memory/3240-47-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-49-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-50-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-48-0x00007FFB527D0000-0x00007FFB527E0000-memory.dmp

memory/3240-51-0x00007FFB92750000-0x00007FFB92945000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Extreme.Net.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

144s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\VersionStable.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240704-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2908 -s 532

Network

N/A

Files

memory/2908-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

memory/2908-1-0x0000000000E50000-0x0000000001040000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\ErrorLog\DirectoryMonitor_[1MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3996-0-0x00007FF8CCA43000-0x00007FF8CCA45000-memory.dmp

memory/3996-1-0x0000000000830000-0x0000000000A20000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

120s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4904 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4904 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4904 wrote to memory of 3248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

96s

Max time network

101s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240705-en

Max time kernel

117s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\test.asp

Network

N/A

Files

memory/2384-21-0x00000000024A0000-0x00000000024A1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240704-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1936 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1936 wrote to memory of 2392 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1936 -s 88

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win10v2004-20240704-en

Max time kernel

95s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 3588 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240704-en

Max time kernel

13s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\msedge_elf.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\Injecting.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:01

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Debugs\AlphaFS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240704-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240705-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\caret.xls

Network

N/A

Files

memory/2672-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2672-1-0x000000007208D000-0x0000000072098000-memory.dmp

memory/2672-2-0x000000007208D000-0x0000000072098000-memory.dmp

memory/2672-3-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2672-4-0x000000007208D000-0x0000000072098000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2164 wrote to memory of 2172 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libEGL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-06 01:58

Reported

2024-07-06 02:02

Platform

win7-20240704-en

Max time kernel

117s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Libs\libgcc_s_dw2-1.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 224

Network

N/A

Files

N/A