Analysis Overview
SHA256
22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055
Threat Level: Known bad
The file 22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-10 15:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 15:27
Reported
2024-07-10 15:30
Platform
win7-20240708-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 464 set thread context of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\889ce1be
| Hash | Value |
| --- | --- |
| MD5 | 0d1d30bab4e4fbea1b15804efcb3db77 |
| SHA1 | 77f050a8f31daffece5977070d3a441e3d5bb880 |
| SHA256 | 3f6b75fb73929b0a36b0017f779b0a86ec491f6782a53c9e92204c7b42af4d93 |
| SHA512 | c4cc7566176c5bd7a4ffaff93ff204152f09213fdba00b98774c5355642fc02929a1cf1dfe3de2885cee8a10b3e6bf51c49edc77f220d418f6b99c8c6c599a0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 15:27
Reported
2024-07-10 15:30
Platform
win10v2004-20240709-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Lumma Stealer
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3984 set thread context of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3984 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3984 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3984 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 3984 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4672 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4672 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4672 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4672 wrote to memory of 436 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\404cb3f8
| Hash | Value |
| --- | --- |
| MD5 | a920a9aaa30a6912b54e9dba7da5c5e5 |
| SHA1 | 6631d48d307e90f8d0b09c2d168806c773af546a |
| SHA256 | 36719a6d4321835b81a9696d1045104e0fffae70e4ddc799da91700eee23e9ce |
| SHA512 | 68a16526bfef75a78257501530fad08e167dcd51988b8ac0afa38dd8a3047616d63e78465d608ab9ed0d147f50c9cdf881fa1844a0b4fb2e7272c57348a00522 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 15:27
Reported
2024-07-10 15:30
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/1812-1-0x00000000001B0000-0x000000000020E000-memory.dmp
memory/1812-0-0x00000000001B0000-0x000000000020E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-10 15:27
Reported
2024-07-10 15:30
Platform
win10v2004-20240709-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/1908-0-0x0000000000400000-0x000000000045E000-memory.dmp