Analysis Overview
SHA256
2da432765332b6dcd1243488d40e8bbe72bcaae31f39cb3082a9c70a78748b8d
Threat Level: Known bad
The file Win.Installer.x32-x64.bit (github).rar was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 16:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 16:33
Reported
2024-07-09 16:35
Platform
win10v2004-20240709-en
Max time kernel
48s
Max time network
44s
Command Line
Signatures
Lumma Stealer
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3192 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
| PID 1900 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe
"C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe
"C:\Users\Admin\AppData\Local\Temp\Win.Installer.x32-x64.bit.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | extorteauhhwigw.shop | udp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.189.67.172.in-addr.arpa | udp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
| US | 172.67.189.174:443 | extorteauhhwigw.shop | tcp |
Files
memory/3192-0-0x00000000743CE000-0x00000000743CF000-memory.dmp
memory/3192-1-0x00000000004D0000-0x0000000000570000-memory.dmp
C:\Users\Admin\AppData\Roaming\d3d9.dll
| MD5 | a23bf63164756c6cfbadd9c3dea50275 |
| SHA1 | 78e2deea7fe6b166cd6aafe566b2fc63974f133b |
| SHA256 | 916965e176cad342767977e1c919a3122d627e33d4403dc22c983124f1fd8503 |
| SHA512 | 79460ab4a6e81e10f528ac09c3b5c2feffd18a499e3f48055e115c4ef456233f36b82eee76581da4584053427a27aeeb2fc6befee6c21a5b32850f6d28319649 |
memory/1404-8-0x0000000000600000-0x0000000000652000-memory.dmp
memory/1404-13-0x0000000000600000-0x0000000000652000-memory.dmp
memory/1404-16-0x0000000000600000-0x0000000000652000-memory.dmp
memory/3192-17-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/868-18-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-19-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-20-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-30-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-29-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-28-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-27-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-26-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-25-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/868-24-0x000001C26FDE0000-0x000001C26FDE1000-memory.dmp
memory/3192-31-0x00000000743C0000-0x0000000074B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Win.Installer.x32-x64.bit.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
memory/2968-41-0x0000000000400000-0x0000000000452000-memory.dmp