Malware Analysis Report

2024-11-30 05:31

Sample ID: 240709-2ak6bs1dlc
Target: !!SetUp_22334_Pa$sW0rd$$!.zip
SHA256: a042293778a18f71dc448b16c6b782490534789d43f59608678b3e89367b3a34
Tags: lumma stealer
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a042293778a18f71dc448b16c6b782490534789d43f59608678b3e89367b3a34

Threat Level: Known bad

The file !!SetUp_22334_Pa$sW0rd$$!.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-09 22:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-09 22:22
Reported: 2024-07-09 22:28
Platform: win7-20240704-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2116 -s 92

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-09 22:22
Reported: 2024-07-09 22:28
Platform: win10v2004-20240709-en
Max time kernel: 208s
Max time network: 275s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1876 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe | C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 172.67.158.68:443 unwielldyzpwo.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 172.67.146.61:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 68.158.67.172.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 61.146.67.172.in-addr.arpa udp
US 8.8.8.8:53 93.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 radiationnopp.shop udp
US 104.21.68.158:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 172.67.203.63:443 answerrsdo.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 publicitttyps.shop udp
US 104.21.25.154:443 publicitttyps.shop tcp
US 8.8.8.8:53 benchillppwo.shop udp
US 172.67.160.230:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 158.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 63.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 154.25.21.104.in-addr.arpa udp
US 8.8.8.8:53 230.160.67.172.in-addr.arpa udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 172.67.214.98:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 98.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/1876-0-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp

memory/1876-10-0x00007FF9805D8000-0x00007FF9805D9000-memory.dmp

memory/1876-11-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp

memory/1876-12-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ff2a876

MD5 e81b3b2dcfd3c63612ac4456fa1f949d
SHA1 b104c45b78d8d780d2b3147220ebdb877ccd2dab
SHA256 599cd20575921f827ecd2bb104d05f32591901083a893b5237b1d9e3947b94d0
SHA512 234464c2c9aaa290a0c0b53463d1677f0e6a03f05c993dae2f1faee238843cf43e099de0ba2812b9e2539aedcbe6ff071162877eefe02f0273a9691db2536762

memory/2136-15-0x00007FF982390000-0x00007FF982585000-memory.dmp

memory/2136-17-0x000000007706E000-0x0000000077070000-memory.dmp

memory/2136-16-0x0000000077060000-0x000000007749C000-memory.dmp

memory/2136-18-0x0000000077060000-0x000000007749C000-memory.dmp

memory/2136-20-0x0000000077060000-0x000000007749C000-memory.dmp

memory/4188-21-0x00007FF982390000-0x00007FF982585000-memory.dmp

memory/4188-22-0x0000000000B50000-0x0000000000BB7000-memory.dmp

memory/4188-24-0x0000000000FEB000-0x0000000000FF2000-memory.dmp

memory/2136-23-0x000000007706E000-0x0000000077070000-memory.dmp

memory/4188-25-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-09 22:22
Reported: 2024-07-09 22:28
Platform: win11-20240709-en
Max time kernel: 213s
Max time network: 282s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3572 set thread context of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe | C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 unwielldyzpwo.shop udp
US 104.21.73.56:443 unwielldyzpwo.shop tcp
US 104.21.93.198:443 bouncedgowp.shop tcp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 56.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 198.93.21.104.in-addr.arpa udp
US 172.67.146.97:443 bargainnykwo.shop tcp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 104.21.68.158:443 radiationnopp.shop tcp
US 104.21.44.192:443 answerrsdo.shop tcp
US 104.21.25.154:443 publicitttyps.shop tcp
US 104.21.81.128:443 benchillppwo.shop tcp
GB 23.214.143.155:443 steamcommunity.com tcp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp

Files

memory/3572-0-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp

memory/3572-10-0x00007FF9ED818000-0x00007FF9ED819000-memory.dmp

memory/3572-11-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp

memory/3572-12-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3d760bd7

MD5 e0ff9fd6082b9db866cae7f8590735da
SHA1 25d7b67af05b3b04cb5200b466edd3a83caaca7e
SHA256 7a698feee8bbe791439db638d81a446dac7d1f06938e4224bf5a507444090e3a
SHA512 7e533c2cd137456ea575d975ecedebb5499a6fb3c11af8bee1f0611d547857347c1272057b6e6aba136d27442386901aeaaa6a2f49000f2825772b4e3281658c

memory/3184-15-0x00007FF9EDDA0000-0x00007FF9EDFA9000-memory.dmp

memory/3184-17-0x000000007634E000-0x0000000076350000-memory.dmp

memory/3184-16-0x0000000076340000-0x000000007677B000-memory.dmp

memory/3184-18-0x0000000076340000-0x000000007677B000-memory.dmp

memory/3184-20-0x0000000076340000-0x000000007677B000-memory.dmp

memory/1244-21-0x00007FF9EDDA0000-0x00007FF9EDFA9000-memory.dmp

memory/1244-22-0x00000000006C0000-0x0000000000727000-memory.dmp

memory/1244-25-0x00000000005AB000-0x00000000005B2000-memory.dmp

memory/3184-26-0x000000007634E000-0x0000000076350000-memory.dmp

memory/1244-27-0x00000000006C0000-0x0000000000727000-memory.dmp