Analysis Overview
SHA256
080c42ae2c24a979a44cbf294aa5ac38e9c4a54b665e08840a089033c26ca098
Threat Level: Known bad
The file #!SETuP_8060_PA@$sW0rd!~!.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 22:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 22:32
Reported
2024-07-09 22:36
Platform
win11-20240709-en
Max time kernel
133s
Max time network
127s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1772 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1772 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1772 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1772 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1772 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 928 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 928 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 928 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 928 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
Files
memory/1772-0-0x00007FFBF0200000-0x00007FFBF066C000-memory.dmp
memory/1772-4-0x00007FFBF0218000-0x00007FFBF0219000-memory.dmp
memory/1772-5-0x00007FFBF0200000-0x00007FFBF066C000-memory.dmp
memory/1772-6-0x00007FFBF0200000-0x00007FFBF066C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4c7670f9
| MD5 | e9f187a432065472a6a5ab1f33384e59 |
| SHA1 | ab1bd8708a08d78974003b2491c09683615f53f6 |
| SHA256 | 41bc84cccfa2fc8e715a02e24eb8f49879dfa02d2ad480d9e5ceb815079e45c2 |
| SHA512 | eb9315770c261c823e09a88943fd8f50498dc9d113e4c6c9cfafcc7a76cac7cd7e8c853ae2f850d387eea85db8fdde3f8e24c47029b273ba6e29348482c2dfa3 |
memory/928-9-0x00007FFBF1840000-0x00007FFBF1A49000-memory.dmp
memory/928-11-0x000000007748E000-0x0000000077490000-memory.dmp
memory/928-10-0x0000000077480000-0x00000000778BB000-memory.dmp
memory/928-12-0x0000000077480000-0x00000000778BB000-memory.dmp
memory/928-14-0x0000000077480000-0x00000000778BB000-memory.dmp
memory/3240-15-0x00007FFBF1840000-0x00007FFBF1A49000-memory.dmp
memory/3240-16-0x0000000000AD0000-0x0000000000B37000-memory.dmp
memory/3240-17-0x0000000000E3B000-0x0000000000E42000-memory.dmp
memory/928-18-0x000000007748E000-0x0000000077490000-memory.dmp
memory/3240-19-0x0000000000AD0000-0x0000000000B37000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 22:32
Reported
2024-07-09 22:35
Platform
win7-20240708-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 22:32
Reported
2024-07-09 22:36
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2444 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
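The SetThreadContext and WriteProcessMemory rows above (and the matching rows in behavioral3, PIDs 1772 -> 928 -> 3240) describe a two-hop injection: Setup.exe writes into and redirects a thread of a freshly started more.com, and that more.com then writes into SearchIndexer.exe. The following Python is an added example, not part of the sandbox report, that reconstructs that chain from the table rows as printed here. The input rows are copied from the behavioral2 table; the parsing, the root-finding walk and the "write plus thread-context on the same target" test are the editor's own logic, and the ATT&CK mapping in the comment is the general one for process injection, not something the report asserts.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: signature rows copied from the behavioral2 table on this page.
# behavioral3 has the same shape with PIDs 1772 -> 928 -> 3240.
BEHAVIORAL2_ROWS = r"""
| PID 2444 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2444 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 1112 wrote to memory of 724 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
"""

ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_events(table_text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) for each signature row."""
    events = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = ROW_RE.match(cells[0])
        if not m:
            continue  # header row or a row with no PID pair in its description
        src, action, dst = m.groups()
        events.append((int(src), action, int(dst), cells[2], cells[3]))
    return events


def injection_chain(events):
    """Walk injector -> target edges from the root process; return image basenames in order."""
    edges, images = defaultdict(set), {}
    for src, _, dst, src_img, dst_img in events:
        edges[src].add(dst)
        images[src], images[dst] = src_img, dst_img
    targets = {d for ds in edges.values() for d in ds}
    roots = [p for p in edges if p not in targets]  # processes nobody injected into
    chain, seen = [], set()
    pid = roots[0] if roots else None
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(PureWindowsPath(images[pid]).name)
        nxt = sorted(edges.get(pid, ()))
        pid = nxt[0] if nxt else None
    return chain


def hollowing_candidates(events):
    """(injector, target) pairs that show BOTH a remote write and a thread-context change.
    That combination is the classic thread-hijack / hollowing fingerprint (ATT&CK T1055);
    a pair with writes only, like more.com -> SearchIndexer.exe here, is still injection
    but needs the memory dumps, not this table, to say how execution was transferred."""
    actions = defaultdict(set)
    for src, action, dst, *_ in events:
        actions[(src, dst)].add(action)
    return sorted(pair for pair, acts in actions.items() if len(acts) == 2)


def write_counts(events):
    """Number of WriteProcessMemory rows per (injector, target) pair."""
    return Counter((s, d) for s, action, d, *_ in events if action == "wrote to memory of")


if __name__ == "__main__":
    ev = parse_events(BEHAVIORAL2_ROWS)
    print(" -> ".join(injection_chain(ev)))
    print("write+SetThreadContext pairs:", hollowing_candidates(ev))
    print("writes per pair:", dict(write_counts(ev)))
```

Run against the behavioral3 rows instead and the chain is identical with different PIDs, which is the point of keying on image names: the pipeline Setup.exe -> more.com -> SearchIndexer.exe is the stable detection signal, the PIDs are not.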
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_8060_PA@$sW0rd!~!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 154.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 98.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
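Both Network tables (behavioral3 above and behavioral2 here) mix three kinds of traffic: reverse lookups and Bing telemetry generated by the sandbox image, a set of ten .shop domains the sample contacted over 443, and one legitimate service, steamcommunity.com, that the sample also reached. Several of the .shop names resolve to a different address in each run (unwielldyzpwo.shop, bannngwko.shop, publicitttyps.shop), so the domain, not the IP, is the durable indicator. The Python below is an added example, not part of the report, that separates those buckets from the rows as printed and emits one DNS rule per block-listed domain. The noise suffixes and the review list are the editor's assumptions; the Suricata `dns.query` syntax is that of Suricata 5 and later, and the sid range is an arbitrary local one.

```python
from collections import defaultdict

# Constructed sample: rows copied from the behavioral3 and behavioral2 Network tables on this page.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
"""

# Assumed allowlist of sandbox/OS background traffic (editor's choice, not from the report).
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
# Legitimate services the sample also contacted: keep for analyst review, do not block outright.
REVIEW_DOMAINS = {"steamcommunity.com"}


def parse_network(table_text):
    """Return (country, ip, port, domain, proto) tuples from the report's Network table."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, port = cells[1].rsplit(":", 1)
        rows.append((cells[0], ip, int(port), cells[2], cells[3]))
    return rows


def triage(rows):
    """Bucket destinations into block / review / noise, keyed by domain -> {(ip, port)}."""
    block, review, noise = defaultdict(set), defaultdict(set), 0
    for _, ip, port, domain, proto in rows:
        if domain.endswith(NOISE_SUFFIXES):
            noise += 1
            continue
        if proto != "tcp":  # the UDP rows are DNS lookups of the same names
            continue
        bucket = review if domain in REVIEW_DOMAINS else block
        bucket[domain].add((ip, port))
    return {"block": dict(block), "review": dict(review), "noise": noise}


def rotating_domains(triaged):
    """Block-listed domains seen behind more than one IP: pivot on the name, not the address."""
    return sorted(d for d, eps in triaged["block"].items() if len({ip for ip, _ in eps}) > 1)


def suricata_dns_rules(triaged, base_sid=9000001):
    """One Suricata (5+) dns.query rule per block-listed domain; the sid range is an assumption."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Lumma Stealer C2 domain {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(sorted(triaged["block"]))
    ]


if __name__ == "__main__":
    t = triage(parse_network(NETWORK_ROWS))
    print("block:", sorted(t["block"]))
    print("review:", sorted(t["review"]), "noise rows:", t["noise"])
    print("rotating IPs:", rotating_domains(t))
    print("\n".join(suricata_dns_rules(t)))
```

The review bucket matters: blocking steamcommunity.com because a stealer touched it would break a legitimate service for every user, so it belongs in a hunting query (which hosts resolve these .shop names and steamcommunity.com within the same minute?) rather than on the deny list.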
Files
memory/2444-0-0x00007FFA63610000-0x00007FFA63A82000-memory.dmp
memory/2444-4-0x00007FFA63628000-0x00007FFA63629000-memory.dmp
memory/2444-5-0x00007FFA63610000-0x00007FFA63A82000-memory.dmp
memory/2444-6-0x00007FFA63610000-0x00007FFA63A82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d5b28b1a
| MD5 | e4bfc723dae1f60cbb9fff0b3b5aa40c |
| SHA1 | 9cc149db05155f4512a072cf4adcdc1b80901cfe |
| SHA256 | 522b0550ea39b1823367226d0ba0fe96818b526995316591bb594e6d6907c52b |
| SHA512 | 0e71fe35211c9f83906226e6f7a02bb53216eadbf8fd66310484e29db9c02b221b344814fa277800ad3409dff41fd55c88fc5750b069646cd30cc15be0bddb30 |
memory/1112-9-0x00007FFA64FF0000-0x00007FFA651E5000-memory.dmp
memory/1112-11-0x0000000076D0E000-0x0000000076D10000-memory.dmp
memory/1112-10-0x0000000076D00000-0x000000007713C000-memory.dmp
memory/1112-12-0x0000000076D00000-0x000000007713C000-memory.dmp
memory/1112-14-0x0000000076D00000-0x000000007713C000-memory.dmp
memory/724-15-0x00007FFA64FF0000-0x00007FFA651E5000-memory.dmp
memory/724-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/724-17-0x0000000000AEB000-0x0000000000AF2000-memory.dmp
memory/1112-18-0x0000000076D0E000-0x0000000076D10000-memory.dmp
memory/724-19-0x0000000000400000-0x0000000000467000-memory.dmp
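The dump file names in the two Files lists encode the PID, a sequence number and the address range of each region the sandbox saved. Reading them side by side, the region dumped from SearchIndexer.exe is 0x67000 bytes in both runs (0xAD0000-0xB37000 in behavioral3, 0x400000-0x467000 in behavioral2), with a 0x7000-byte companion region in each, while the high 0x7FF... ranges differ in size between runs. A same-size region at a moving address in the final host process is what you would expect if more.com writes the same payload into SearchIndexer.exe each time; the dumps themselves, not the sizes, are the proof. The Python below is an added example, not part of the report, that parses the names, re-keys regions by image so PIDs can differ, and lists sizes common to both runs. The PID-to-image maps are taken from each run's Signatures table; everything else is the editor's own code.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed sample: dump names copied from the Files lists on this page (repeats dropped),
# with PID -> image taken from each run's Signatures table.
RUN3_DUMPS = """
memory/1772-0-0x00007FFBF0200000-0x00007FFBF066C000-memory.dmp
memory/1772-4-0x00007FFBF0218000-0x00007FFBF0219000-memory.dmp
memory/928-9-0x00007FFBF1840000-0x00007FFBF1A49000-memory.dmp
memory/928-11-0x000000007748E000-0x0000000077490000-memory.dmp
memory/928-10-0x0000000077480000-0x00000000778BB000-memory.dmp
memory/3240-15-0x00007FFBF1840000-0x00007FFBF1A49000-memory.dmp
memory/3240-16-0x0000000000AD0000-0x0000000000B37000-memory.dmp
memory/3240-17-0x0000000000E3B000-0x0000000000E42000-memory.dmp
"""
RUN3_IMAGES = {1772: "Setup.exe", 928: "more.com", 3240: "SearchIndexer.exe"}

RUN2_DUMPS = """
memory/2444-0-0x00007FFA63610000-0x00007FFA63A82000-memory.dmp
memory/2444-4-0x00007FFA63628000-0x00007FFA63629000-memory.dmp
memory/1112-9-0x00007FFA64FF0000-0x00007FFA651E5000-memory.dmp
memory/1112-11-0x0000000076D0E000-0x0000000076D10000-memory.dmp
memory/1112-10-0x0000000076D00000-0x000000007713C000-memory.dmp
memory/724-15-0x00007FFA64FF0000-0x00007FFA651E5000-memory.dmp
memory/724-16-0x0000000000400000-0x0000000000467000-memory.dmp
memory/724-17-0x0000000000AEB000-0x0000000000AF2000-memory.dmp
"""
RUN2_IMAGES = {2444: "Setup.exe", 1112: "more.com", 724: "SearchIndexer.exe"}


def parse_dumps(text):
    """Return {pid: sorted [(start, end, size)]} from dump names; identical ranges collapse."""
    regions = defaultdict(set)
    for name in text.split():
        m = DUMP_RE.fullmatch(name)
        if not m:
            continue
        pid, _seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        regions[int(pid)].add((start, end, end - start))
    return {pid: sorted(rs) for pid, rs in regions.items()}


def regions_by_image(dumps, images):
    """Re-key regions by image name so two runs with different PIDs can be compared."""
    out = defaultdict(set)
    for pid, rs in dumps.items():
        out[images[pid]].update(rs)
    return dict(out)


def sizes_common_to_both_runs(run_a, run_b):
    """Per image, region sizes present in both runs but never at the same start address.
    A size that recurs while its address moves is the injected-payload pattern; a region
    at the identical address in both runs is more likely a shared mapping and is excluded."""
    common = {}
    for image in set(run_a) | set(run_b):
        a, b = defaultdict(set), defaultdict(set)
        for start, _, size in run_a.get(image, ()):
            a[size].add(start)
        for start, _, size in run_b.get(image, ()):
            b[size].add(start)
        hits = sorted(s for s in a.keys() & b.keys() if not (a[s] & b[s]))
        if hits:
            common[image] = hits
    return common


def largest_recurring_region(common):
    """(image, size) of the biggest cross-run region: the first dump to pull for unpacking."""
    return max(((img, max(sizes)) for img, sizes in common.items()), key=lambda t: t[1])


if __name__ == "__main__":
    r3 = regions_by_image(parse_dumps(RUN3_DUMPS), RUN3_IMAGES)
    r2 = regions_by_image(parse_dumps(RUN2_DUMPS), RUN2_IMAGES)
    common = sizes_common_to_both_runs(r3, r2)
    for image, sizes in sorted(common.items()):
        print(image, [hex(s) for s in sizes])
    print("start here:", largest_recurring_region(common))
```

The 0x1000 and 0x2000 hits in Setup.exe and more.com are single-page regions the sandbox dumped in both runs; the 0x67000 region in SearchIndexer.exe is the one worth carving for the unpacked stealer, and it is the dump whose hash, not the 0x7FF... system ranges, should be compared between detonations.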