Analysis Overview
SHA256
a042293778a18f71dc448b16c6b782490534789d43f59608678b3e89367b3a34
Threat Level: Known bad
The file !!SetUp_22334_Pa$sW0rd$$!.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 22:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 22:22
Reported
2024-07-09 22:28
Platform
win7-20240704-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2116 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2116 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\system32\WerFault.exe |
| PID 2116 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2116 -s 92
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 22:22
Reported
2024-07-09 22:28
Platform
win10v2004-20240709-en
Max time kernel
208s
Max time network
275s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 set thread context of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1876 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1876 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1876 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1876 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2136 wrote to memory of 4188 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2136 wrote to memory of 4188 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2136 wrote to memory of 4188 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2136 wrote to memory of 4188 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 172.67.203.63:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | 158.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.160.67.172.in-addr.arpa | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/1876-0-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp
memory/1876-10-0x00007FF9805D8000-0x00007FF9805D9000-memory.dmp
memory/1876-11-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp
memory/1876-12-0x00007FF9805C0000-0x00007FF980A32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ff2a876
| MD5 | e81b3b2dcfd3c63612ac4456fa1f949d |
| SHA1 | b104c45b78d8d780d2b3147220ebdb877ccd2dab |
| SHA256 | 599cd20575921f827ecd2bb104d05f32591901083a893b5237b1d9e3947b94d0 |
| SHA512 | 234464c2c9aaa290a0c0b53463d1677f0e6a03f05c993dae2f1faee238843cf43e099de0ba2812b9e2539aedcbe6ff071162877eefe02f0273a9691db2536762 |
memory/2136-15-0x00007FF982390000-0x00007FF982585000-memory.dmp
memory/2136-17-0x000000007706E000-0x0000000077070000-memory.dmp
memory/2136-16-0x0000000077060000-0x000000007749C000-memory.dmp
memory/2136-18-0x0000000077060000-0x000000007749C000-memory.dmp
memory/2136-20-0x0000000077060000-0x000000007749C000-memory.dmp
memory/4188-21-0x00007FF982390000-0x00007FF982585000-memory.dmp
memory/4188-22-0x0000000000B50000-0x0000000000BB7000-memory.dmp
memory/4188-24-0x0000000000FEB000-0x0000000000FF2000-memory.dmp
memory/2136-23-0x000000007706E000-0x0000000077070000-memory.dmp
memory/4188-25-0x0000000000B50000-0x0000000000BB7000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 22:22
Reported
2024-07-09 22:28
Platform
win11-20240709-en
Max time kernel
213s
Max time network
282s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3572 set thread context of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3572 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3572 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3572 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3572 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3184 wrote to memory of 1244 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 3184 wrote to memory of 1244 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 3184 wrote to memory of 1244 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 3184 wrote to memory of 1244 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_22334_Pa$sW0rd$$!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
Files
memory/3572-0-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp
memory/3572-10-0x00007FF9ED818000-0x00007FF9ED819000-memory.dmp
memory/3572-11-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp
memory/3572-12-0x00007FF9ED800000-0x00007FF9EDC6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3d760bd7
| MD5 | e0ff9fd6082b9db866cae7f8590735da |
| SHA1 | 25d7b67af05b3b04cb5200b466edd3a83caaca7e |
| SHA256 | 7a698feee8bbe791439db638d81a446dac7d1f06938e4224bf5a507444090e3a |
| SHA512 | 7e533c2cd137456ea575d975ecedebb5499a6fb3c11af8bee1f0611d547857347c1272057b6e6aba136d27442386901aeaaa6a2f49000f2825772b4e3281658c |
memory/3184-15-0x00007FF9EDDA0000-0x00007FF9EDFA9000-memory.dmp
memory/3184-17-0x000000007634E000-0x0000000076350000-memory.dmp
memory/3184-16-0x0000000076340000-0x000000007677B000-memory.dmp
memory/3184-18-0x0000000076340000-0x000000007677B000-memory.dmp
memory/3184-20-0x0000000076340000-0x000000007677B000-memory.dmp
memory/1244-21-0x00007FF9EDDA0000-0x00007FF9EDFA9000-memory.dmp
memory/1244-22-0x00000000006C0000-0x0000000000727000-memory.dmp
memory/1244-25-0x00000000005AB000-0x00000000005B2000-memory.dmp
memory/3184-26-0x000000007634E000-0x0000000076350000-memory.dmp
memory/1244-27-0x00000000006C0000-0x0000000000727000-memory.dmp