Analysis Overview
SHA256
0a89f60c9186d7e4ea96d84bd2634a50e68b2eac0859e7185ea5bf4d6709a725
Threat Level: Known bad
The file #!SETuP_9050_PA@$sW0rd!~!.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-10 10:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 10:23
Reported
2024-07-10 10:29
Platform
win11-20240709-en
Max time kernel
90s
Max time network
205s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5028 set thread context of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5028 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 5028 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 5028 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 5028 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2300 wrote to memory of 3568 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2300 wrote to memory of 3568 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2300 wrote to memory of 3568 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2300 wrote to memory of 3568 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 172.67.158.68:443 | unwielldyzpwo.shop | tcp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.158.67.172.in-addr.arpa | udp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 104.21.6.254:443 | affecthorsedpo.shop | tcp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
Files
memory/5028-0-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp
memory/5028-4-0x00007FFC1C308000-0x00007FFC1C309000-memory.dmp
memory/5028-5-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp
memory/5028-6-0x00007FFC1C2F0000-0x00007FFC1C75C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eea07689
| Hash | Value |
| --- | --- |
| MD5 | 9b6228bc521bff5684d643138e2b5e34 |
| SHA1 | f0f70e635c90582d44da4ffabd09b3e29be4114d |
| SHA256 | d434c7c4b6b48835e939956b5d33c22279e73b54685fab0fe9ec3b49e1795ca0 |
| SHA512 | 8400606c87ec53d03e6233b8f892b65da94ea3fc05fc63777b7c2c7675f9e127b930a86f8f61b0d5f8944d1a44808f93e3db4879f305d7e062d58fbd07fe9e38 |
memory/2300-9-0x00007FFC1E380000-0x00007FFC1E589000-memory.dmp
memory/2300-11-0x00000000751AE000-0x00000000751B0000-memory.dmp
memory/2300-10-0x00000000751A0000-0x00000000755DB000-memory.dmp
memory/2300-12-0x00000000751A0000-0x00000000755DB000-memory.dmp
memory/2300-14-0x00000000751A0000-0x00000000755DB000-memory.dmp
memory/3568-15-0x00007FFC1E380000-0x00007FFC1E589000-memory.dmp
memory/3568-16-0x0000000000AA0000-0x0000000000B07000-memory.dmp
memory/3568-17-0x0000000000A0B000-0x0000000000A12000-memory.dmp
memory/3568-18-0x0000000000AA0000-0x0000000000B07000-memory.dmp
memory/2300-19-0x00000000751AE000-0x00000000751B0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 10:23
Reported
2024-07-10 10:30
Platform
win7-20240704-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 10:23
Reported
2024-07-10 10:29
Platform
win10v2004-20240709-en
Max time kernel
92s
Max time network
207s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 560 set thread context of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 560 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 560 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 560 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 560 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2044 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2044 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2044 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2044 wrote to memory of 3256 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\#!SETuP_9050_PA@$sW0rd!~!\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unwielldyzpwo.shop | udp |
| US | 104.21.73.56:443 | unwielldyzpwo.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.47.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 172.67.160.230:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.143.155:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 192.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.160.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 155.143.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/560-0-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp
memory/560-4-0x00007FF80DB28000-0x00007FF80DB29000-memory.dmp
memory/560-5-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp
memory/560-6-0x00007FF80DB10000-0x00007FF80DF82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2bf26277
| Hash | Value |
| --- | --- |
| MD5 | 3c86d53901d761a894864f5fd9aa515f |
| SHA1 | a88c42d0cde8434db6211d0facdca55316349cbf |
| SHA256 | bc81c8c917d4f6a72882bbd00abaecc3cb9204f6d42634f75f59dd8949d0fb1d |
| SHA512 | fdb36b4bdfa745fa345568b588e0e9f00083e367a46e1743133c7333d9071848eaafbdb490c371d8ae15a9a0164343dc53044667a1b33f98627161046538d71a |
memory/2044-9-0x00007FF80E030000-0x00007FF80E225000-memory.dmp
memory/2044-11-0x000000007751E000-0x0000000077520000-memory.dmp
memory/2044-10-0x0000000077510000-0x000000007794C000-memory.dmp
memory/2044-12-0x0000000077510000-0x000000007794C000-memory.dmp
memory/2044-14-0x0000000077510000-0x000000007794C000-memory.dmp
memory/3256-15-0x00007FF80E030000-0x00007FF80E225000-memory.dmp
memory/3256-16-0x0000000000130000-0x0000000000197000-memory.dmp
memory/2044-19-0x000000007751E000-0x0000000077520000-memory.dmp
memory/3256-20-0x000000000066B000-0x0000000000672000-memory.dmp
memory/3256-21-0x0000000000130000-0x0000000000197000-memory.dmp