Malware Analysis Report

2024-11-30 05:21

Sample ID 240709-23yl5atanc
Target 22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip
SHA256 672ac4cdbb001fb51206fa708d6daf9f9972d757e97ba2ff3730bab05aef90a8
Tags lumma stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral10
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral11
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral12
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score 10/10

SHA256 672ac4cdbb001fb51206fa708d6daf9f9972d757e97ba2ff3730bab05aef90a8

Threat Level: Known bad

The file 22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 23:07

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\rondure.flv"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\rondure.flv"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp

Files

memory/5336-1-0x00007FFA71940000-0x00007FFA71974000-memory.dmp

memory/5336-0-0x00007FF630910000-0x00007FF630A08000-memory.dmp

memory/5336-3-0x00007FFA73580000-0x00007FFA73598000-memory.dmp

memory/5336-9-0x00007FFA6E0A0000-0x00007FFA6E0B1000-memory.dmp

memory/5336-8-0x00007FFA6E0C0000-0x00007FFA6E0DD000-memory.dmp

memory/5336-7-0x00007FFA6E0E0000-0x00007FFA6E0F1000-memory.dmp

memory/5336-17-0x00007FFA6DD50000-0x00007FFA6DD61000-memory.dmp

memory/5336-11-0x00007FFA5CD20000-0x00007FFA5DDD0000-memory.dmp

memory/5336-16-0x00007FFA6DD70000-0x00007FFA6DD81000-memory.dmp

memory/5336-15-0x00007FFA6DE60000-0x00007FFA6DE71000-memory.dmp

memory/5336-14-0x00007FFA6DE80000-0x00007FFA6DE98000-memory.dmp

memory/5336-13-0x00007FFA6DEA0000-0x00007FFA6DEC1000-memory.dmp

memory/5336-12-0x00007FFA6DED0000-0x00007FFA6DF11000-memory.dmp

memory/5336-6-0x00007FFA6E100000-0x00007FFA6E117000-memory.dmp

memory/5336-5-0x00007FFA6E120000-0x00007FFA6E131000-memory.dmp

memory/5336-4-0x00007FFA71860000-0x00007FFA71877000-memory.dmp

memory/5336-2-0x00007FFA5E1D0000-0x00007FFA5E486000-memory.dmp

memory/5336-10-0x00007FFA5DDD0000-0x00007FFA5DFDB000-memory.dmp

memory/5336-47-0x00007FFA5CD20000-0x00007FFA5DDD0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240704-en

Max time kernel

12s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

N/A

Files

memory/1272-1-0x0000000000290000-0x00000000002EE000-memory.dmp

memory/1272-0-0x0000000000290000-0x00000000002EE000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:11

Platform

win10v2004-20240709-en

Max time kernel

208s

Max time network

210s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp

Files

memory/680-0-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

126s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
IE | 52.111.236.23:443 |  | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240704-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e28a3f329514fafda7924d7e528ff51a
SHA1 b3f5773beab17ebdca04f3e9f82284e9842aa4ef
SHA256 5160e91b8bbbd0bc052409eb8b4d89d27b6a4cc66fe16df2c0df5345a6a37853
SHA512 4fcb6d15851fe75eb331b10074890f77fbcd0cc67383d28b64028c83ea8d5aa81046d08e162eb66661ea36ce6f956e7072bce4e518c538d6add19bccbd9578df

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\formwork.gz

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240704-en

Max time kernel

141s

Max time network

130s

Command Line

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\rondure.flv"

Signatures

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Processes

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\rondure.flv"

Network

N/A

Files

memory/2220-1-0x000007FEFACD0000-0x000007FEFAD04000-memory.dmp

memory/2220-0-0x000000013F3E0000-0x000000013F4D8000-memory.dmp

memory/2220-3-0x000007FEFB2C0000-0x000007FEFB2D8000-memory.dmp

memory/2220-8-0x000007FEFAB20000-0x000007FEFAB3D000-memory.dmp

memory/2220-4-0x000007FEFADC0000-0x000007FEFADD7000-memory.dmp

memory/2220-9-0x000007FEFAB00000-0x000007FEFAB11000-memory.dmp

memory/2220-7-0x000007FEFAB40000-0x000007FEFAB51000-memory.dmp

memory/2220-6-0x000007FEFAB60000-0x000007FEFAB77000-memory.dmp

memory/2220-5-0x000007FEFAB80000-0x000007FEFAB91000-memory.dmp

memory/2220-2-0x000007FEF7350000-0x000007FEF7606000-memory.dmp

memory/2220-11-0x000007FEF6660000-0x000007FEF66A1000-memory.dmp

memory/2220-10-0x000007FEF5EB0000-0x000007FEF60BB000-memory.dmp

memory/2220-13-0x000007FEF6630000-0x000007FEF6651000-memory.dmp

memory/2220-14-0x000007FEF7330000-0x000007FEF7348000-memory.dmp

memory/2220-25-0x000007FEF4BC0000-0x000007FEF4C17000-memory.dmp

memory/2220-24-0x000007FEF4C20000-0x000007FEF4C31000-memory.dmp

memory/2220-23-0x000007FEF4C40000-0x000007FEF4CBC000-memory.dmp

memory/2220-22-0x000007FEF4CC0000-0x000007FEF4D27000-memory.dmp

memory/2220-21-0x000007FEF4D30000-0x000007FEF4D60000-memory.dmp

memory/2220-20-0x000007FEF4D60000-0x000007FEF4D78000-memory.dmp

memory/2220-19-0x000007FEF4D80000-0x000007FEF4D91000-memory.dmp

memory/2220-18-0x000007FEF4DA0000-0x000007FEF4DBB000-memory.dmp

memory/2220-17-0x000007FEF4DC0000-0x000007FEF4DD1000-memory.dmp

memory/2220-16-0x000007FEF4DE0000-0x000007FEF4DF1000-memory.dmp

memory/2220-15-0x000007FEF6FE0000-0x000007FEF6FF1000-memory.dmp

memory/2220-27-0x000007FEF4B60000-0x000007FEF4B84000-memory.dmp

memory/2220-26-0x000007FEF4B90000-0x000007FEF4BB8000-memory.dmp

memory/2220-29-0x000007FEF4B10000-0x000007FEF4B33000-memory.dmp

memory/2220-28-0x000007FEF4B40000-0x000007FEF4B58000-memory.dmp

memory/2220-30-0x000007FEF4AF0000-0x000007FEF4B01000-memory.dmp

memory/2220-12-0x000007FEF4E00000-0x000007FEF5EB0000-memory.dmp

memory/2220-33-0x000007FEF4A80000-0x000007FEF4A93000-memory.dmp

memory/2220-32-0x000007FEF4AA0000-0x000007FEF4AC1000-memory.dmp

memory/2220-34-0x000007FEF3D80000-0x000007FEF3D91000-memory.dmp

memory/2220-31-0x000007FEF4AD0000-0x000007FEF4AE2000-memory.dmp

memory/2220-35-0x000007FEF3D60000-0x000007FEF3D71000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2680 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/2680-0-0x000007FEFEAF0000-0x000007FEFECC7000-memory.dmp

memory/2680-4-0x000007FEFEB08000-0x000007FEFEB09000-memory.dmp

memory/2680-5-0x000007FEFEAF0000-0x000007FEFECC7000-memory.dmp

memory/2680-6-0x000007FEFEAF0000-0x000007FEFECC7000-memory.dmp

memory/2680-8-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\af6d1feb

MD5 97adf0b10306f6dc0df85c0329f9ca98
SHA1 1fe7a9bb951d648cc75d6f0339848bb5dba93c22
SHA256 ef01862a3b909cf2918cb3ccede391895072cd6538b94cb3d2a2b56cd254c815
SHA512 0c3bafb5577611fbe6d7e615b0e7257b8443a446c5b65abf45117926fd7b1ba5813d6e22152e291047c670f6450ba1127cfcfccb8a56d462c373a3de8ba2b08c

memory/2684-10-0x0000000077850000-0x00000000779F9000-memory.dmp

memory/2684-12-0x000000007578E000-0x0000000075790000-memory.dmp

memory/2684-11-0x0000000075780000-0x000000007591D000-memory.dmp

memory/2684-13-0x0000000075780000-0x000000007591D000-memory.dmp

memory/2684-15-0x0000000075780000-0x000000007591D000-memory.dmp

memory/2704-16-0x0000000077850000-0x00000000779F9000-memory.dmp

memory/2704-17-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2704-18-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2704-19-0x0000000000D9D000-0x0000000000DA5000-memory.dmp

memory/2684-20-0x000000007578E000-0x0000000075790000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4312 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp
US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp
US | 8.8.8.8:53 | bouncedgowp.shop | udp
US | 104.21.93.198:443 | bouncedgowp.shop | tcp
US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | bannngwko.shop | udp
US | 172.67.146.61:443 | bannngwko.shop | tcp
US | 8.8.8.8:53 | bargainnykwo.shop | udp
US | 172.67.146.97:443 | bargainnykwo.shop | tcp
US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 61.146.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | affecthorsedpo.shop | udp
US | 104.21.6.254:443 | affecthorsedpo.shop | tcp
US | 8.8.8.8:53 | radiationnopp.shop | udp
US | 172.67.196.169:443 | radiationnopp.shop | tcp
US | 8.8.8.8:53 | 97.146.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.6.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | answerrsdo.shop | udp
US | 104.21.44.192:443 | answerrsdo.shop | tcp
US | 8.8.8.8:53 | publicitttyps.shop | udp
US | 172.67.134.88:443 | publicitttyps.shop | tcp
US | 8.8.8.8:53 | benchillppwo.shop | udp
US | 104.21.81.128:443 | benchillppwo.shop | tcp
US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.44.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | steamcommunity.com | udp
GB | 23.214.143.155:443 | steamcommunity.com | tcp
US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp
US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp
US | 8.8.8.8:53 | 128.81.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp

Files

memory/4312-0-0x00000000004D0000-0x000000000052E000-memory.dmp

memory/4312-1-0x00007FFABE560000-0x00007FFABE9D2000-memory.dmp

memory/4312-5-0x00007FFABE578000-0x00007FFABE579000-memory.dmp

memory/4312-6-0x00007FFABE560000-0x00007FFABE9D2000-memory.dmp

memory/4312-7-0x00007FFABE560000-0x00007FFABE9D2000-memory.dmp

memory/4312-9-0x00000000004D0000-0x000000000052E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65448f5

MD5 375e791b0a0c6e6a9ab224cdb8748192
SHA1 71b63c1c1dd5c52bb137dd31dbb69dfe8904173a
SHA256 15a4d4072ef12062e7343d4ee3cb0fbc389442102be2320fd2dee06c3b8150ab
SHA512 f0ec93941d8d83e2436039a78079bc084d6e979729c1daf4e55aa04c4bd5752e74881b0af21c74c50e7e859c350d7f1486656e22a067fe0853bdfed873253fa7

memory/2556-11-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

memory/2556-13-0x000000007621E000-0x0000000076220000-memory.dmp

memory/2556-12-0x0000000076210000-0x000000007664C000-memory.dmp

memory/2556-14-0x0000000076210000-0x000000007664C000-memory.dmp

memory/2556-16-0x0000000076210000-0x000000007664C000-memory.dmp

memory/3276-17-0x00007FFAC01B0000-0x00007FFAC03A5000-memory.dmp

memory/3276-18-0x0000000000F20000-0x0000000000F73000-memory.dmp

memory/3276-20-0x000000000081B000-0x0000000000822000-memory.dmp

memory/2556-19-0x000000007621E000-0x0000000076220000-memory.dmp

memory/3276-21-0x0000000000F20000-0x0000000000F73000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win7-20240704-en

Max time kernel

117s

Max time network

122s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-09 23:07

Reported

2024-07-09 23:10

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

125s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

N/A