Malware Analysis Report

2024-11-30 05:35

Sample ID 240709-vwl67awhrh
Target !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip
SHA256 d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053
Tags amadey lumma persistence privilege_escalation spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053

Threat Level: Known bad

The file !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip was found to be: Known bad.

Malicious Activity Summary

amadey lumma persistence privilege_escalation spyware stealer trojan

Amadey

Lumma Stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-07-09 17:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 17:20

Reported

2024-07-09 17:23

Platform

win7-20240704-en

Max time kernel

45s

Max time network

23s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 3068 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/2520-0-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp

memory/2520-4-0x000007FEFFB78000-0x000007FEFFB79000-memory.dmp

memory/2520-5-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp

memory/2520-6-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp

memory/2520-8-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b128e61e

MD5 502762228a6eb276935fe3d7f9ad8e64
SHA1 412795aeac52e00c455169dbc4ed73439cb1389a
SHA256 259eb236f504086a08dfdb9da95447ccc3440e51bb12543d1b8cc10045e23677
SHA512 15b5df21d006db2f6c8a5c13fcc3a657d4fdd30dc12b5cf91c352283d94a196649a2d3ede89eee66c619ffe82d76166565fa44513a3696c9fa5e7a2d767ea875

memory/3068-10-0x0000000077B90000-0x0000000077D39000-memory.dmp

memory/3068-12-0x0000000075A1E000-0x0000000075A20000-memory.dmp

memory/3068-11-0x0000000075A10000-0x0000000075BAD000-memory.dmp

memory/3068-13-0x0000000075A10000-0x0000000075BAD000-memory.dmp

memory/3068-15-0x0000000075A10000-0x0000000075BAD000-memory.dmp

memory/1992-16-0x0000000077B90000-0x0000000077D39000-memory.dmp

memory/1992-17-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1992-18-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3068-19-0x0000000075A1E000-0x0000000075A20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 17:20

Reported

2024-07-09 17:23

Platform

win10v2004-20240709-en

Max time kernel

145s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1420 set thread context of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 4676 set thread context of 1248 N/A C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 set thread context of 848 N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe C:\Windows\SysWOW64\netsh.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\ToolUpdate.job C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\Tasks\MH Beacon Helper.job C:\Windows\SysWOW64\netsh.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1420 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1420 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1420 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 1420 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 4876 wrote to memory of 2572 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4876 wrote to memory of 2572 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4876 wrote to memory of 2572 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4876 wrote to memory of 2572 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 2572 wrote to memory of 2112 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe
PID 2572 wrote to memory of 2112 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe
PID 2572 wrote to memory of 2112 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe
PID 2112 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe C:\Windows\SysWOW64\netsh.exe
PID 2572 wrote to memory of 4676 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe
PID 2572 wrote to memory of 4676 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe
PID 2572 wrote to memory of 4676 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe
PID 4676 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe C:\Windows\SysWOW64\netsh.exe
PID 4676 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe C:\Windows\SysWOW64\netsh.exe
PID 4676 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe C:\Windows\SysWOW64\netsh.exe
PID 4676 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe C:\Windows\SysWOW64\netsh.exe
PID 2112 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe C:\Windows\SysWOW64\netsh.exe
PID 1248 wrote to memory of 1448 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1448 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1448 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 1248 wrote to memory of 1448 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 848 wrote to memory of 3672 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 848 wrote to memory of 3672 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 848 wrote to memory of 3672 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 848 wrote to memory of 3672 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe

"C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe

"C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 113.134.67.172.in-addr.arpa udp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 172.67.134.113:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 foodupdates.shop udp
US 172.67.182.166:443 foodupdates.shop tcp
US 8.8.8.8:53 166.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 cdn.steamstatic.com udp
GB 2.16.170.35:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 35.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 downloaddining3.com udp
US 8.8.8.8:53 downloaddining.com udp
US 8.8.8.8:53 downloaddining2.com udp
US 104.21.53.53:80 downloaddining2.com tcp
RU 45.140.19.240:80 downloaddining.com tcp
US 172.67.208.139:80 downloaddining3.com tcp
US 8.8.8.8:53 53.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 139.208.67.172.in-addr.arpa udp

Files

memory/1420-0-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp

memory/1420-4-0x00007FFE7B218000-0x00007FFE7B219000-memory.dmp

memory/1420-5-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp

memory/1420-6-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp

memory/1420-8-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\332bcc4c

MD5 23680d35a83bda9ca52c897f139ec791
SHA1 5681dd9f64ec8a26e6c84ec22776530aab255c02
SHA256 097cde2f374c0480f3350292400f7e9812e884d68710ff377dae25d54d52ee19
SHA512 4259f348326a2363f499fe51dba1e30607aba162544c81d205e465e2c0d1bf7ec3f14fedcb5e1d5c9eb7a45cb3f85d725376dec8574b0d6a13f9fe63ff891625

memory/4876-10-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/4876-12-0x000000007630E000-0x0000000076310000-memory.dmp

memory/4876-11-0x0000000076300000-0x000000007673C000-memory.dmp

memory/4876-13-0x0000000076300000-0x000000007673C000-memory.dmp

memory/4876-15-0x0000000076300000-0x000000007673C000-memory.dmp

memory/2572-16-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/2572-17-0x0000000000110000-0x0000000000162000-memory.dmp

memory/2572-20-0x0000000000A5B000-0x0000000000A62000-memory.dmp

memory/4876-21-0x000000007630E000-0x0000000076310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe

MD5 d8d3eaf3756ec2fd01063f9fd2623c7e
SHA1 0e63c687984112e96bbfcf985c1fbf602f1c86e4
SHA256 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829
SHA512 d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c

memory/2572-25-0x0000000000110000-0x0000000000162000-memory.dmp

memory/2112-27-0x00000000002C0000-0x00000000005F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14ff0e91

MD5 0bb8b2b96cd95f9a6fb8192883c94ca7
SHA1 16b7b4cfcacef943b4824e21b475c295cb4d9dff
SHA256 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec
SHA512 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b

memory/2112-33-0x00000000739F0000-0x0000000073B6B000-memory.dmp

memory/2112-34-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe

MD5 753234a5fa72cf7ff8c56fd867478f31
SHA1 9d689ec16a5da11eea5e60c800ef2bce6f4212f3
SHA256 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f
SHA512 f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82

memory/2572-38-0x0000000000110000-0x0000000000162000-memory.dmp

memory/4676-39-0x0000000000FC0000-0x000000000157E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21af5029

MD5 f74f23c47dbb6ed0a1422be1c86ba44d
SHA1 585956eab70da3892bd82cf21470be142daec324
SHA256 aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041
SHA512 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd

memory/4676-46-0x00000000739F0000-0x0000000073B6B000-memory.dmp

memory/4676-47-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/4676-48-0x00000000739F0000-0x0000000073B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25c11d16

MD5 9a382aee7bcd376af960e3259e3501d2
SHA1 8ec17dd789343523c41d7e1b9926fd45e9989eac
SHA256 942296b7bbacf93d4ba0e23e1dd0a7a3cdc83d53daab7c68838c2d8c6f6fb132
SHA512 2c43eba2c1382798cfb9122fcfb959ea966bc28a126f5c0f5dc1cb5173034394d90ca75be32b9189a25430c44eeda6039166adf9709821e1b18a78c45da5dd57

memory/1248-51-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/2112-54-0x00000000739F0000-0x0000000073B6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17e8d690

MD5 2b3beb60cdbb91fbe0b4c86b6de97fbb
SHA1 18c53785e19ae2978befe4edab906a5df75511fa
SHA256 abf28cfb177a28bdc4a6ba5254f26cdd1b3d3821b4608b89120742b7acbe8801
SHA512 33663d7eb9d00d26fd35224447268f6663bcee27ce18eaea5ddc872f6e773c2406edb337d1b509086f65869aee6c49d73e2d3d41a93fa1352afe3895b4ebdbef

memory/848-57-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/1448-61-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/1448-62-0x00000000001F0000-0x0000000000261000-memory.dmp

memory/3672-64-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp

memory/3672-66-0x00000000004C0000-0x0000000000527000-memory.dmp

memory/1448-67-0x00000000001F0000-0x0000000000261000-memory.dmp

memory/3672-69-0x00000000004C0000-0x0000000000527000-memory.dmp