Malware Analysis Report

2024-11-30 05:32

Sample ID 240709-2gdd3a1glg
Target #!SETuP_8060_PA@$sW0rd!~!.zip
SHA256 080c42ae2c24a979a44cbf294aa5ac38e9c4a54b665e08840a089033c26ca098
Tags
lumma stealer
score
10/10


Analysis Overview

score
10/10

SHA256

080c42ae2c24a979a44cbf294aa5ac38e9c4a54b665e08840a089033c26ca098

Threat Level: Known bad

The file #!SETuP_8060_PA@$sW0rd!~!.zip was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-09 22:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 22:32

Reported

2024-07-09 22:36

Platform

win11-20240709-en

Max time kernel

133s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1772 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\4c7670f9

MD5 e9f187a432065472a6a5ab1f33384e59
SHA1 ab1bd8708a08d78974003b2491c09683615f53f6
SHA256 41bc84cccfa2fc8e715a02e24eb8f49879dfa02d2ad480d9e5ceb815079e45c2
SHA512 eb9315770c261c823e09a88943fd8f50498dc9d113e4c6c9cfafcc7a76cac7cd7e8c853ae2f850d387eea85db8fdde3f8e24c47029b273ba6e29348482c2dfa3


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 22:32

Reported

2024-07-09 22:35

Platform

win7-20240708-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 22:32

Reported

2024-07-09 22:36

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

Signatures

Lumma Stealer

stealer lumma

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2444 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\d5b28b1a

MD5 e4bfc723dae1f60cbb9fff0b3b5aa40c
SHA1 9cc149db05155f4512a072cf4adcdc1b80901cfe
SHA256 522b0550ea39b1823367226d0ba0fe96818b526995316591bb594e6d6907c52b
SHA512 0e71fe35211c9f83906226e6f7a02bb53216eadbf8fd66310484e29db9c02b221b344814fa277800ad3409dff41fd55c88fc5750b069646cd30cc15be0bddb30
