Analysis Overview
SHA256
22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055
Threat Level: Known bad
The file 22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055 was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 22:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 22:46
Reported
2024-07-09 22:49
Platform
win7-20240704-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1924 set thread context of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\41fb1e36
| MD5 | 3deed7177071995dadc36ac81511bd29 |
| SHA1 | eeb39ac0891c8b620051122a54199d2ea3335ac6 |
| SHA256 | 7e4c3cead63ba7c0076553d8f02e9a86bb499008ab542dbdbe50304511b94400 |
| SHA512 | 7df24577082467fed73b920aeab562d11e5c6c20885c4b809d1c08e6882c3b2ce721b85016db6b150ae53b8771bb3d3d781726318882b2dda3fa40bd1d626f56 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 22:46
Reported
2024-07-09 22:49
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
125s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1732 set thread context of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1732 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1732 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1732 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 1732 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4000 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4000 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4000 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4000 wrote to memory of 2748 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\523d8469
| MD5 | 3bb1fcf31e480a973696f7944a2fd044 |
| SHA1 | 941b7319b6651731caf2a7c87e5266962ca772b2 |
| SHA256 | 019addab3b69601e3acebde736bf236cd001279becc4c8c24d17c8c9b4801d1c |
| SHA512 | 453bd67ff007cebad315470daa89d848c34b426ee17f423b91a621d3d29aef7136e8efb70f3fb620cb4453cb3dd45524bb0c2aceba417ebbd3d575e05a50a21e |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 22:46
Reported
2024-07-09 22:49
Platform
win7-20240704-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/2156-0-0x0000000000290000-0x00000000002EE000-memory.dmp
memory/2156-1-0x0000000000290000-0x00000000002EE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 22:46
Reported
2024-07-09 22:49
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/2520-0-0x0000000000400000-0x000000000045E000-memory.dmp