Analysis Overview
SHA256
7660d3946a9cc923cc27539dbbe7f333eb45cd0c37cf71497f7e8e58c835b6ea
Threat Level: Known bad
The file !!SetUp_!PaS$Kḙy$!_94166.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 22:29
Reported
2024-07-09 22:35
Platform
win11-20240709-en
Max time kernel
212s
Max time network
285s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 240 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 240 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 240 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 240 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 240 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2384 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2384 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2384 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2384 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.146.67.172.in-addr.arpa | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
Files
memory/240-0-0x00007FFF9A2A0000-0x00007FFF9A70C000-memory.dmp
memory/240-7-0x00007FFF9A2B8000-0x00007FFF9A2B9000-memory.dmp
memory/240-8-0x00007FFF9A2A0000-0x00007FFF9A70C000-memory.dmp
memory/240-9-0x00007FFF9A2A0000-0x00007FFF9A70C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dae85c89
| MD5 | 0b0f6cded8de9850f50751e82e0151e9 |
| SHA1 | 9b71daa89aba1949db51c44cdb9cfcf905d30a38 |
| SHA256 | 120e00ab76e2b496de2b11aabcdfac0866051ee04f971a05d014fdd166539050 |
| SHA512 | ceace49edec27e4530ddbb6ceba72346a6e11a7e63d3342169f4abecbbb900d29b80772eca8c622a4074b4de787f59e48ec36df0b58db67a909ac2de076a10ad |
memory/2384-12-0x00007FFF9AF20000-0x00007FFF9B129000-memory.dmp
memory/2384-14-0x00000000765EE000-0x00000000765F0000-memory.dmp
memory/2384-13-0x00000000765E0000-0x0000000076A1B000-memory.dmp
memory/2384-15-0x00000000765E0000-0x0000000076A1B000-memory.dmp
memory/2384-17-0x00000000765E0000-0x0000000076A1B000-memory.dmp
memory/4632-18-0x00007FFF9AF20000-0x00007FFF9B129000-memory.dmp
memory/4632-19-0x0000000000370000-0x00000000003DF000-memory.dmp
memory/4632-20-0x000000000102B000-0x0000000001032000-memory.dmp
memory/2384-21-0x00000000765EE000-0x00000000765F0000-memory.dmp
memory/4632-22-0x0000000000370000-0x00000000003DF000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 22:29
Reported
2024-07-09 22:30
Platform
win7-20240708-en
Max time kernel
0s
Max time network
3s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 22:29
Reported
2024-07-09 22:35
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
205s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3196 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3196 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3196 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3196 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3196 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1368 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1368 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1368 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1368 wrote to memory of 2600 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 104.21.6.254:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | 97.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.6.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | 192.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 128.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3196-0-0x00007FFDD96D0000-0x00007FFDD9B42000-memory.dmp
memory/3196-7-0x00007FFDD96E8000-0x00007FFDD96E9000-memory.dmp
memory/3196-8-0x00007FFDD96D0000-0x00007FFDD9B42000-memory.dmp
memory/3196-9-0x00007FFDD96D0000-0x00007FFDD9B42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\34f5b3e9
| MD5 | a679a0469f65c884c0c9fa0bbbf11cdf |
| SHA1 | e963ac9f4f288c4f7bbfaf985780681a3fe72403 |
| SHA256 | 8275d55836e938e2394e5a30d0e4928605775ce62dbde299300e4107a4fcd9cd |
| SHA512 | 562bfafb57ed2e3e24dc96b42f31676b163a2c80be211ca4acac25f72d0aca345f205331aa568efe82ca4f940e244dde15ff36074e2ee9ef2f189c4caf36013c |
memory/1368-12-0x00007FFDDB490000-0x00007FFDDB685000-memory.dmp
memory/1368-14-0x000000007506E000-0x0000000075070000-memory.dmp
memory/1368-13-0x0000000075060000-0x000000007549C000-memory.dmp
memory/1368-15-0x0000000075060000-0x000000007549C000-memory.dmp
memory/1368-17-0x0000000075060000-0x000000007549C000-memory.dmp
memory/2600-18-0x00007FFDDB490000-0x00007FFDDB685000-memory.dmp
memory/2600-19-0x0000000000E40000-0x0000000000EAF000-memory.dmp
memory/2600-22-0x00000000007EB000-0x00000000007F2000-memory.dmp
memory/2600-23-0x0000000000E40000-0x0000000000EAF000-memory.dmp
memory/1368-24-0x000000007506E000-0x0000000075070000-memory.dmp
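Triage note on the two detonations that ran (behavioral3 on win11, behavioral2 on win10v2004; the win7 run exited after 0s and produced nothing): both show the same chain. Setup.exe both sets the thread context of and writes into a fresh more.com (PID 240 to 2384, PID 3196 to 1368), and that more.com then writes into SearchIndexer.exe (2384 to 4632, 1368 to 2600) without a matching SetThreadContext row. The network tables agree on the same ten .shop domains plus steamcommunity.com. The script below is an added example, not part of the sandbox report: it rebuilds that chain from the signature rows and separates the network rows into actionable domains, shared-CDN addresses and legitimate services. The row tuples are copied from the behavioral3 tables; the SHARED_CDN prefixes are Cloudflare's published 104.16.0.0/13 and 172.64.0.0/13 (which contain every 104.21.x.x and 172.67.x.x destination here) and the KNOWN_LEGIT set is an analyst assumption, so adjust both for your environment. The point of the split is that the 104.21/172.67 addresses are shared CDN front ends and should not be blocklisted as if they were attacker-owned; the domains are the indicators, and steamcommunity.com is surfaced for review rather than blocked.

```python
"""Rebuild an injection chain and pull IOCs from sandbox signature and
network rows (added example; not the sandbox's own code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed input: rows copied from the behavioral3 tables of this report.
SETUP = r"C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_94166\Setup.exe"
MORE = r"C:\Windows\SysWOW64\more.com"
INDEXER = r"C:\Windows\SysWOW64\SearchIndexer.exe"
SIGNATURE_ROWS = [  # (description, process, target)
    ("PID 240 set thread context of 2384", SETUP, MORE),
    ("PID 240 wrote to memory of 2384", SETUP, MORE),
    ("PID 240 wrote to memory of 2384", SETUP, MORE),
    ("PID 2384 wrote to memory of 4632", MORE, INDEXER),
    ("PID 2384 wrote to memory of 4632", MORE, INDEXER),
]
NETWORK_ROWS = [  # (destination, domain, proto)
    ("8.8.8.8:53", "unwielldyzpwo.shop", "udp"),
    ("172.67.158.68:443", "unwielldyzpwo.shop", "tcp"),
    ("104.21.93.198:443", "bouncedgowp.shop", "tcp"),
    ("104.21.81.196:443", "bannngwko.shop", "tcp"),
    ("172.67.146.97:443", "bargainnykwo.shop", "tcp"),
    ("8.8.8.8:53", "198.93.21.104.in-addr.arpa", "udp"),
    ("172.67.135.137:443", "affecthorsedpo.shop", "tcp"),
    ("104.21.68.158:443", "radiationnopp.shop", "tcp"),
    ("104.21.44.192:443", "answerrsdo.shop", "tcp"),
    ("104.21.25.154:443", "publicitttyps.shop", "tcp"),
    ("104.21.81.128:443", "benchillppwo.shop", "tcp"),
    ("23.214.143.155:443", "steamcommunity.com", "tcp"),
    ("104.21.83.48:443", "reinforcedirectorywd.shop", "tcp"),
]

DESC_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def injection_chain(rows):
    """Collapse repeated rows into one edge per (src_pid, dst_pid), record which
    primitives were seen on it, then walk from every root (a PID that is never
    a target). Returns (src_pid, src_image, dst_pid, dst_image, strength)."""
    edges = {}
    for desc, proc, target in rows:
        m = DESC_RE.match(desc)
        if not m:
            continue
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edge = edges.setdefault((src, dst), {"src": proc, "dst": target, "ops": set()})
        edge["ops"].add("SetThreadContext" if verb.startswith("set") else "WriteProcessMemory")
    children = defaultdict(list)
    for (src, dst), edge in edges.items():
        children[src].append((dst, edge))
    targets = {dst for _, dst in edges}
    stack = [src for src in children if src not in targets]
    order = []
    while stack:
        cur = stack.pop()
        for dst, edge in children[cur]:
            # A memory write plus a thread-context change on the same target is
            # the classic hollowing / thread-hijack pairing; a write alone is
            # weaker evidence and worth a second look in the dumps.
            strength = "strong" if len(edge["ops"]) == 2 else "weak"
            order.append((cur, edge["src"], dst, edge["dst"], strength))
            stack.append(dst)
    return order


RESOLVER_PORT = 53
# Assumption: legitimate services seen in the capture are surfaced for analyst
# review rather than treated as C2.
KNOWN_LEGIT = {"g.bing.com", "steamcommunity.com"}
# Cloudflare prefixes (published ranges; verify against the current list).
SHARED_CDN = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def shared_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN)


def extract_iocs(rows):
    """Split network rows into blockable domains, shared-CDN front-end IPs,
    directly attributable IPs and legitimate domains to review."""
    out = {"domains": set(), "ips": set(), "cdn_ips": set(), "legit": set()}
    for dest, domain, _proto in rows:
        if domain.endswith(".in-addr.arpa"):
            continue  # reverse lookups of addresses already in the table
        ip, port = dest.rsplit(":", 1)
        if domain in KNOWN_LEGIT:
            out["legit"].add(domain)
            continue
        out["domains"].add(domain)
        if int(port) == RESOLVER_PORT:
            continue  # resolver traffic: keep the name, never the resolver IP
        (out["cdn_ips"] if shared_cdn(ip) else out["ips"]).add(ip)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for src, src_img, dst, dst_img, strength in injection_chain(SIGNATURE_ROWS):
        print(f"{src} {src_img} -> {dst} {dst_img} [{strength}]")
    for bucket, values in extract_iocs(NETWORK_ROWS).items():
        print(bucket, values)
```

Feeding the behavioral2 rows instead (PIDs 3196, 1368, 2600 and the same domain set) yields the same two-hop chain and the same domain list, which is the cross-run consistency check worth doing before publishing indicators from a single detonation.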