Analysis Overview
SHA256
44c183b28375248cb934a5d9f55f1f127f30f9f1f3371e0289401c04fad5d2b6
Threat Level: Known bad
The file file.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 22:30
Reported
2024-07-09 22:34
Platform
win10v2004-20240709-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1632 set thread context of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1632 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1632 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1632 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1632 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 5044 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 5044 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 5044 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 5044 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 104.21.6.254:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.6.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp |
| US | 172.67.203.63:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 154.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.203.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/1632-0-0x00007FFDD91F0000-0x00007FFDD9662000-memory.dmp
memory/1632-7-0x00007FFDD9208000-0x00007FFDD9209000-memory.dmp
memory/1632-8-0x00007FFDD91F0000-0x00007FFDD9662000-memory.dmp
memory/1632-9-0x00007FFDD91F0000-0x00007FFDD9662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\67cdaa50
| MD5 | 99915155844f6f202bf99a5f856e5fb1 |
| SHA1 | 3b6da09fec2a176e2847928e68678e1044e4318d |
| SHA256 | c7da314dcc9037ec3a456e0fa1fb462e83944f45b96ba09ecad48026bacb90f3 |
| SHA512 | 4c8c18937936eef7fff20dbf5c21fcc073b13a9fd02fb56ad594013de033cf42d5e2441db280ef59ce9e8dc2c2afebbdc53831fbe9497b19d11b6470add9d6df |
memory/5044-12-0x00007FFDD9B30000-0x00007FFDD9D25000-memory.dmp
memory/5044-14-0x0000000075B1E000-0x0000000075B20000-memory.dmp
memory/5044-13-0x0000000075B10000-0x0000000075F4C000-memory.dmp
memory/5044-15-0x0000000075B10000-0x0000000075F4C000-memory.dmp
memory/5044-17-0x0000000075B10000-0x0000000075F4C000-memory.dmp
memory/3924-18-0x00007FFDD9B30000-0x00007FFDD9D25000-memory.dmp
memory/3924-19-0x0000000000330000-0x000000000039F000-memory.dmp
memory/3924-22-0x0000000000C6B000-0x0000000000C72000-memory.dmp
memory/5044-23-0x0000000075B1E000-0x0000000075B20000-memory.dmp
memory/3924-24-0x0000000000330000-0x000000000039F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 22:30
Reported
2024-07-09 22:34
Platform
win11-20240709-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3428 set thread context of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3428 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3428 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3428 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3428 wrote to memory of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\file\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 836 wrote to memory of 3080 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 836 wrote to memory of 3080 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 836 wrote to memory of 3080 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 836 wrote to memory of 3080 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
Files
memory/3428-0-0x00007FF918710000-0x00007FF918B7C000-memory.dmp
memory/3428-7-0x00007FF918728000-0x00007FF918729000-memory.dmp
memory/3428-8-0x00007FF918710000-0x00007FF918B7C000-memory.dmp
memory/3428-9-0x00007FF918710000-0x00007FF918B7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\594c048b
| MD5 | a3c548595110d12af15f95386035ee4c |
| SHA1 | 6cddcc22e751cf7230d2a460f9df4658af1dcf76 |
| SHA256 | 92186f2ce9032a7e060009e95483455da22cabff72f36accb539bd80186a95cc |
| SHA512 | ad795bb3609630a89d61e304a157e7096d81f1b176a75e675cd2875a4cc07218acba0e1c74437b2b0085f61024d132a47e086a51d6fae2d4b943a92ab1227a53 |
memory/836-12-0x00007FF919280000-0x00007FF919489000-memory.dmp
memory/836-14-0x00000000752FE000-0x0000000075300000-memory.dmp
memory/836-15-0x00000000752F0000-0x000000007572B000-memory.dmp
memory/836-13-0x00000000752F0000-0x000000007572B000-memory.dmp
memory/836-17-0x00000000752F0000-0x000000007572B000-memory.dmp
memory/3080-18-0x00007FF919280000-0x00007FF919489000-memory.dmp
memory/3080-19-0x0000000000100000-0x000000000016F000-memory.dmp
memory/836-20-0x00000000752FE000-0x0000000075300000-memory.dmp
memory/3080-21-0x00000000009CB000-0x00000000009D2000-memory.dmp
memory/3080-22-0x0000000000100000-0x000000000016F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 22:30
Reported
2024-07-09 22:32
Platform
win7-20240708-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\file\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"