Analysis Overview
SHA256
d57b10e9d526efa1bd489c873ec7df24614816de093610d5f47c843728814053
Threat Level: Known bad
The file !@ŜetUp__64911--Pas̈ᶊW0rd!$!$!.zip was found to be: Known bad.
Malicious Activity Summary
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Suspicious use of SetThreadContext
Drops file in Windows directory
Executes dropped EXE
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 17:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 17:20
Reported
2024-07-09 17:23
Platform
win7-20240704-en
Max time kernel
45s
Max time network
23s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/2520-0-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp
memory/2520-4-0x000007FEFFB78000-0x000007FEFFB79000-memory.dmp
memory/2520-5-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp
memory/2520-6-0x000007FEFFB60000-0x000007FEFFD37000-memory.dmp
memory/2520-8-0x0000000000400000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b128e61e
| MD5 | 502762228a6eb276935fe3d7f9ad8e64 |
| SHA1 | 412795aeac52e00c455169dbc4ed73439cb1389a |
| SHA256 | 259eb236f504086a08dfdb9da95447ccc3440e51bb12543d1b8cc10045e23677 |
| SHA512 | 15b5df21d006db2f6c8a5c13fcc3a657d4fdd30dc12b5cf91c352283d94a196649a2d3ede89eee66c619ffe82d76166565fa44513a3696c9fa5e7a2d767ea875 |
memory/3068-10-0x0000000077B90000-0x0000000077D39000-memory.dmp
memory/3068-12-0x0000000075A1E000-0x0000000075A20000-memory.dmp
memory/3068-11-0x0000000075A10000-0x0000000075BAD000-memory.dmp
memory/3068-13-0x0000000075A10000-0x0000000075BAD000-memory.dmp
memory/3068-15-0x0000000075A10000-0x0000000075BAD000-memory.dmp
memory/1992-16-0x0000000077B90000-0x0000000077D39000-memory.dmp
memory/1992-17-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1992-18-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3068-19-0x0000000075A1E000-0x0000000075A20000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 17:20
Reported
2024-07-09 17:23
Platform
win10v2004-20240709-en
Max time kernel
145s
Max time network
128s
Command Line
Signatures
Amadey
Lumma Stealer
Accesses cryptocurrency files/wallets, possible credential harvesting
Downloads MZ/PE file
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1420 set thread context of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4676 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2112 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | C:\Windows\SysWOW64\netsh.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\ToolUpdate.job | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\Tasks\MH Beacon Helper.job | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
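Two things in the behavioral2 rows above deserve a second look before the signatures are taken at face value. First, more.com and netsh.exe are signed Microsoft binaries in SysWOW64; they show up here only as hollow hosts (Setup.exe sets the thread context of more.com, each dropped EXE sets the thread context of its own netsh.exe), so hash- or signature-based checks on the host process say nothing, and the parent plus the SetThreadContext edge is the signal. The same Setup.exe to more.com edge appears in the Win7 run (behavioral1). Second, the "Netsh Helper DLL" signature is tripped by the hollowed netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which netsh does at every start to locate its helper DLLs; the rows show only open, query and enumerate, no value written, so on this evidence the T1546.007 persistence is not confirmed. The persistence the report does show is the two legacy Task Scheduler .job files (ToolUpdate.job, MH Beacon Helper.job) written to C:\Windows\Tasks by netsh.exe, which is the payload acting from inside its host. The block below is an added example, not the sandbox's code nor the malware's: it replays constructed events modelled on those rows through two detection rules. The event shape (loosely Sysmon-like) and the allowlist of processes expected to write .job files are assumptions.

```python
"""
Added example for this report (not the sandbox's code, not the malware's): two
detection rules replayed over constructed events modelled on the behavioral2
rows.  The event shape is an assumption (loosely Sysmon-like), as is the
allowlist of processes expected to write legacy .job files.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
TASKS_DIR = "c:\\windows\\tasks\\"
JOB_WRITERS_ALLOWED = {"svchost.exe", "schtasks.exe", "mmc.exe"}  # assumption


@dataclass
class Event:
    kind: str                            # "thread_context" or "file_create"
    pid: int
    image: str                           # full path of the acting process
    target_pid: Optional[int] = None     # thread_context only
    target_image: Optional[str] = None   # thread_context only
    path: Optional[str] = None           # file_create only


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def detect(events: List[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    hollowed: Dict[int, int] = {}  # victim pid -> injecting pid, kept for rule 2
    for ev in events:
        if ev.kind == "thread_context":
            # Rule 1: a process running from the user's Temp directory rewrites the
            # thread context of a signed binary in System32/SysWOW64.  That is the
            # hollowing pattern in the rows (Setup.exe -> more.com, the two dropped
            # EXEs -> netsh.exe).  Debuggers and installers rarely look like this.
            if USER_TEMP.match(ev.image) and in_system_dir(ev.target_image or ""):
                hollowed[ev.target_pid] = ev.pid
                alerts.append(Alert(
                    "inject_into_system_binary", ev.pid,
                    f"{ntpath.basename(ev.image)} ({ev.pid}) set thread context of "
                    f"{ntpath.basename(ev.target_image)} ({ev.target_pid})"))
        elif ev.kind == "file_create":
            # Rule 2: a legacy scheduled-task .job file lands in C:\Windows\Tasks,
            # written either by a process rule 1 already marked as hollowed or by
            # one that is not on the allowlist.  The report shows netsh.exe writing two.
            p = (ev.path or "").lower()
            if p.startswith(TASKS_DIR) and p.endswith(".job"):
                writer = ntpath.basename(ev.image).lower()
                if ev.pid in hollowed:
                    why = f"host hollowed by pid {hollowed[ev.pid]}"
                elif writer not in JOB_WRITERS_ALLOWED:
                    why = "writer not allowlisted"
                else:
                    continue
                alerts.append(Alert("job_file_persistence", ev.pid,
                                    f"{writer} wrote {ev.path} ({why})"))
    return alerts


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SW64 = r"C:\Windows\SysWOW64"

# Constructed sample modelled on the behavioral2 rows.  The report does not say
# which netsh.exe PID wrote which .job file; the pairing below is assumed.
SAMPLE_EVENTS = [
    Event("thread_context", 1420, TEMP + r"\Setup.exe", 4876, SW64 + r"\more.com"),
    Event("thread_context", 4676, TEMP + r"\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe", 1248, SW64 + r"\netsh.exe"),
    Event("thread_context", 2112, TEMP + r"\TMDTXCKUMSXN9CX1ETRNX.exe", 848, SW64 + r"\netsh.exe"),
    Event("file_create", 1248, SW64 + r"\netsh.exe", path=r"C:\Windows\Tasks\ToolUpdate.job"),
    Event("file_create", 848, SW64 + r"\netsh.exe", path=r"C:\Windows\Tasks\MH Beacon Helper.job"),
    # Constructed benign controls: neither should alert.
    Event("thread_context", 5000, r"C:\Program Files\Vendor\app.exe", 5001, r"C:\Program Files\Vendor\worker.exe"),
    Event("file_create", 1200, r"C:\Windows\System32\svchost.exe", path=r"C:\Windows\Tasks\Backup.job"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Run as-is it prints five alerts: three injection edges and the two .job writes, attributed back to the PID that hollowed each netsh.exe; the two benign controls stay silent. Rule 2 keys on the writer rather than the file name because the names here (ToolUpdate, MH Beacon Helper) are chosen to blend in and will change between samples.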
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe
"C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe
"C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | foodupdates.shop | udp |
| US | 172.67.182.166:443 | foodupdates.shop | tcp |
| US | 8.8.8.8:53 | 166.182.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.steamstatic.com | udp |
| GB | 2.16.170.35:443 | cdn.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 35.170.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloaddining3.com | udp |
| US | 8.8.8.8:53 | downloaddining.com | udp |
| US | 8.8.8.8:53 | downloaddining2.com | udp |
| US | 104.21.53.53:80 | downloaddining2.com | tcp |
| RU | 45.140.19.240:80 | downloaddining.com | tcp |
| US | 172.67.208.139:80 | downloaddining3.com | tcp |
| US | 8.8.8.8:53 | 53.53.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.208.67.172.in-addr.arpa | udp |
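The network table mixes three kinds of rows: the sandbox's own reverse (PTR) lookups of every address it saw, DNS queries to the resolver 8.8.8.8, and the actual TCP connections. Only the last group names endpoints worth blocking, and even there the 172.67.x.x and 104.21.x.x addresses sit in shared reverse-proxy space, so the domain is the indicator and the IP is weak on its own. cdn.steamstatic.com is a legitimate Valve CDN and should be kept as context, not added to a blocklist. The block below is an added example, not part of the sandbox output: it parses a subset of the rows above (duplicates kept on purpose), drops the PTR noise, never attributes the resolver address to a domain, and separates a hand-kept shared-infrastructure list from candidate C2. That list is an assumption for illustration.

```python
"""
Added example for this report (not the sandbox's output): turns raw connection
rows into a reviewed, defanged IOC list.  SHARED_INFRA is an assumption kept by
the analyst; the report only records the connection.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

SHARED_INFRA = {"cdn.steamstatic.com"}  # assumption: legitimate Valve CDN, context only

# A subset of the behavioral2 network rows, copied from the table above.
RAW_ROWS = """\
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp
US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp
US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp
US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | foodupdates.shop | udp
US | 172.67.182.166:443 | foodupdates.shop | tcp
US | 8.8.8.8:53 | cdn.steamstatic.com | udp
GB | 2.16.170.35:443 | cdn.steamstatic.com | tcp
US | 8.8.8.8:53 | downloaddining3.com | udp
US | 8.8.8.8:53 | downloaddining.com | udp
US | 8.8.8.8:53 | downloaddining2.com | udp
US | 104.21.53.53:80 | downloaddining2.com | tcp
RU | 45.140.19.240:80 | downloaddining.com | tcp
US | 172.67.208.139:80 | downloaddining3.com | tcp
US | 8.8.8.8:53 | 240.19.140.45.in-addr.arpa | udp
"""

Row = Tuple[str, str, int, str, str]  # country, ip, port, domain, proto


def parse_rows(text: str) -> Iterator[Row]:
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = [c.strip() for c in line.split("|")]
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed destination
        yield country, ip, int(port), domain, proto


def triage(rows) -> Dict:
    queried = set()
    connected: Dict[str, set] = defaultdict(set)
    dropped = 0
    for _country, ip, port, domain, _proto in rows:
        if domain.endswith(".in-addr.arpa"):
            dropped += 1            # sandbox PTR lookup, never an IOC
            continue
        if port == 53:
            queried.add(domain)     # resolution evidence; the resolver is not the C2
            continue
        connected[domain].add(f"{ip}:{port}")
    out = {"c2_candidates": {}, "shared_infra": {},
           "resolved_only": sorted(queried - set(connected)),
           "reverse_lookups_dropped": dropped}
    for domain, endpoints in connected.items():
        bucket = "shared_infra" if domain in SHARED_INFRA else "c2_candidates"
        out[bucket][domain] = sorted(endpoints)
    return out


def defang(s: str) -> str:
    return s.replace(".", "[.]")


def render(report: Dict) -> List[str]:
    lines = []
    for domain, eps in sorted(report["c2_candidates"].items()):
        lines.append(f"C2?   {defang(domain)} -> {', '.join(defang(e) for e in eps)}")
    for domain, eps in sorted(report["shared_infra"].items()):
        lines.append(f"CTX   {defang(domain)} -> {', '.join(defang(e) for e in eps)}")
    for domain in report["resolved_only"]:
        lines.append(f"DNS   {defang(domain)} (resolved, never contacted)")
    return lines


if __name__ == "__main__":
    print("\n".join(render(triage(parse_rows(RAW_ROWS)))))
```

On these rows the output lists five candidate C2 domains, all of them both resolved and contacted, with the three downloaddining hosts reached over cleartext port 80 and the two .shop hosts over 443; cdn.steamstatic.com is printed as context. The "resolved, never contacted" bucket is empty here but is worth keeping, since a domain that was queried and then abandoned often marks a dead backup C2.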
Files
memory/1420-0-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp
memory/1420-4-0x00007FFE7B218000-0x00007FFE7B219000-memory.dmp
memory/1420-5-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp
memory/1420-6-0x00007FFE7B200000-0x00007FFE7B672000-memory.dmp
memory/1420-8-0x0000000000400000-0x000000000045E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\332bcc4c
| MD5 | 23680d35a83bda9ca52c897f139ec791 |
| SHA1 | 5681dd9f64ec8a26e6c84ec22776530aab255c02 |
| SHA256 | 097cde2f374c0480f3350292400f7e9812e884d68710ff377dae25d54d52ee19 |
| SHA512 | 4259f348326a2363f499fe51dba1e30607aba162544c81d205e465e2c0d1bf7ec3f14fedcb5e1d5c9eb7a45cb3f85d725376dec8574b0d6a13f9fe63ff891625 |
memory/4876-10-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/4876-12-0x000000007630E000-0x0000000076310000-memory.dmp
memory/4876-11-0x0000000076300000-0x000000007673C000-memory.dmp
memory/4876-13-0x0000000076300000-0x000000007673C000-memory.dmp
memory/4876-15-0x0000000076300000-0x000000007673C000-memory.dmp
memory/2572-16-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/2572-17-0x0000000000110000-0x0000000000162000-memory.dmp
memory/2572-20-0x0000000000A5B000-0x0000000000A62000-memory.dmp
memory/4876-21-0x000000007630E000-0x0000000076310000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TMDTXCKUMSXN9CX1ETRNX.exe
| MD5 | d8d3eaf3756ec2fd01063f9fd2623c7e |
| SHA1 | 0e63c687984112e96bbfcf985c1fbf602f1c86e4 |
| SHA256 | 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829 |
| SHA512 | d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c |
memory/2572-25-0x0000000000110000-0x0000000000162000-memory.dmp
memory/2112-27-0x00000000002C0000-0x00000000005F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\14ff0e91
| MD5 | 0bb8b2b96cd95f9a6fb8192883c94ca7 |
| SHA1 | 16b7b4cfcacef943b4824e21b475c295cb4d9dff |
| SHA256 | 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec |
| SHA512 | 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b |
memory/2112-33-0x00000000739F0000-0x0000000073B6B000-memory.dmp
memory/2112-34-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEUA7QKYYYCLNHUKB318HR0YK2ZRV1U.exe
| MD5 | 753234a5fa72cf7ff8c56fd867478f31 |
| SHA1 | 9d689ec16a5da11eea5e60c800ef2bce6f4212f3 |
| SHA256 | 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f |
| SHA512 | f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82 |
memory/2572-38-0x0000000000110000-0x0000000000162000-memory.dmp
memory/4676-39-0x0000000000FC0000-0x000000000157E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21af5029
| MD5 | f74f23c47dbb6ed0a1422be1c86ba44d |
| SHA1 | 585956eab70da3892bd82cf21470be142daec324 |
| SHA256 | aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041 |
| SHA512 | 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd |
memory/4676-46-0x00000000739F0000-0x0000000073B6B000-memory.dmp
memory/4676-47-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/4676-48-0x00000000739F0000-0x0000000073B6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\25c11d16
| MD5 | 9a382aee7bcd376af960e3259e3501d2 |
| SHA1 | 8ec17dd789343523c41d7e1b9926fd45e9989eac |
| SHA256 | 942296b7bbacf93d4ba0e23e1dd0a7a3cdc83d53daab7c68838c2d8c6f6fb132 |
| SHA512 | 2c43eba2c1382798cfb9122fcfb959ea966bc28a126f5c0f5dc1cb5173034394d90ca75be32b9189a25430c44eeda6039166adf9709821e1b18a78c45da5dd57 |
memory/1248-51-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/2112-54-0x00000000739F0000-0x0000000073B6B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\17e8d690
| MD5 | 2b3beb60cdbb91fbe0b4c86b6de97fbb |
| SHA1 | 18c53785e19ae2978befe4edab906a5df75511fa |
| SHA256 | abf28cfb177a28bdc4a6ba5254f26cdd1b3d3821b4608b89120742b7acbe8801 |
| SHA512 | 33663d7eb9d00d26fd35224447268f6663bcee27ce18eaea5ddc872f6e773c2406edb337d1b509086f65869aee6c49d73e2d3d41a93fa1352afe3895b4ebdbef |
memory/848-57-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/1448-61-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/1448-62-0x00000000001F0000-0x0000000000261000-memory.dmp
memory/3672-64-0x00007FFE7C0F0000-0x00007FFE7C2E5000-memory.dmp
memory/3672-66-0x00000000004C0000-0x0000000000527000-memory.dmp
memory/1448-67-0x00000000001F0000-0x0000000000261000-memory.dmp
memory/3672-69-0x00000000004C0000-0x0000000000527000-memory.dmp