Analysis Overview
SHA256
98c5e35d44da52d963e466216156cec0f62832fb03e3d27ac4bfa63b567639c5
Threat Level: Known bad
The file ##!!SetUp_2244_Pa$sW0rd$$!!.zip was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-10 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 19:47
Reported
2024-07-10 19:53
Platform
win11-20240709-en
Max time kernel
91s
Max time network
203s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2176 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 104.21.25.179:443 | bittercoldzzdwu.shop | tcp |
| US | 172.67.214.52:443 | bouncedgowp.shop | tcp |
| US | 172.67.146.61:443 | bannngwko.shop | tcp |
| US | 104.21.47.93:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | 179.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.214.67.172.in-addr.arpa | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 104.21.68.158:443 | radiationnopp.shop | tcp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 104.21.25.154:443 | publicitttyps.shop | tcp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| FR | 104.85.26.126:443 | steamcommunity.com | tcp |
| US | 172.67.214.98:443 | reinforcedirectorywd.shop | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
| MD5 | 95387cc85dacad60b3e10665b43602e6 |
| SHA1 | d9aafd45fe3ad10d28716d6289fe76b4fdce1869 |
| SHA256 | 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a |
| SHA512 | 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b |
C:\Users\Admin\AppData\Local\Temp\madExcept_.bpl
| MD5 | 21068dfd733435c866312d35b9432733 |
| SHA1 | 3d5336c676d3dd94500d0d2fe853b9de457f10fd |
| SHA256 | 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299 |
| SHA512 | 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7 |
C:\Users\Admin\AppData\Local\Temp\pdf2bmp.dll
| MD5 | f65c3b116281fd23e5748ad73e9501cf |
| SHA1 | ebda8a741833c4fcbfcb72591a7c173d69a01ebd |
| SHA256 | eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725 |
| SHA512 | 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc |
C:\Users\Admin\AppData\Local\Temp\pdfium.dll
| MD5 | 65a63bd3e6c4ce54299bf494582304f3 |
| SHA1 | e6f63f69388dd5a3cda90403711b78fe5c667981 |
| SHA256 | 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335 |
| SHA512 | f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59 |
C:\Users\Admin\AppData\Local\Temp\datastate.dll
| MD5 | 626dd52ec6cf2e1e00948586b649cb2a |
| SHA1 | b8aaee43554ec9eb6d0d05a81cf186b330390745 |
| SHA256 | 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd |
| SHA512 | e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b |
C:\Users\Admin\AppData\Local\Temp\vclx120.bpl
| MD5 | 7daa2b7fe529b45101a399b5ebf0a416 |
| SHA1 | fd73f3561d0cebe341a6c380681fb08841fa5ce6 |
| SHA256 | 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed |
| SHA512 | 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96 |
C:\Users\Admin\AppData\Local\Temp\vcl120.bpl
| MD5 | 849070ebd34cbaedc525599d6c3f8914 |
| SHA1 | b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa |
| SHA256 | b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628 |
| SHA512 | f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb |
C:\Users\Admin\AppData\Local\Temp\maddisAsm_.bpl
| MD5 | 84bc072f8ea30746f0982afbda3c638f |
| SHA1 | f39343933ff3fc7934814d6d3b7b098bc92540a0 |
| SHA256 | 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006 |
| SHA512 | 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5 |
C:\Users\Admin\AppData\Local\Temp\rtl120.bpl
| MD5 | 630991830afe0b969bd0995e697ab16e |
| SHA1 | feda243d83fba15b23d654513dc1f0d70787ba18 |
| SHA256 | b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3 |
| SHA512 | 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692 |
C:\Users\Admin\AppData\Local\Temp\madbasic_.bpl
| MD5 | dc6655a38ffdc3c349f13828fc8ec36e |
| SHA1 | 95db71ef7bff8c16ce955c760292bad9f09bb06d |
| SHA256 | 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a |
| SHA512 | 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69 |
C:\Users\Admin\AppData\Local\Temp\charr.dbf
| MD5 | 9424382dbaeb4890c9c1a52fc90f712a |
| SHA1 | 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042 |
| SHA256 | 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168 |
| SHA512 | 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949 |
C:\Users\Admin\AppData\Local\Temp\rebbe.pkg
| MD5 | 3456f0fe789f38cf5d58b359ac1e8727 |
| SHA1 | 5b39e9e71a07102036386bdd0651dcc267400723 |
| SHA256 | c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65 |
| SHA512 | bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed |
memory/2460-57-0x0000000073180000-0x0000000073195000-memory.dmp
memory/2460-58-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/2460-75-0x0000000057000000-0x000000005703F000-memory.dmp
memory/2460-80-0x0000000050310000-0x0000000050349000-memory.dmp
memory/2460-79-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2460-78-0x0000000057800000-0x0000000057812000-memory.dmp
memory/2460-77-0x0000000059800000-0x000000005986E000-memory.dmp
memory/2460-76-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2460-74-0x0000000000400000-0x0000000000845000-memory.dmp
memory/2176-102-0x0000000075140000-0x0000000075155000-memory.dmp
memory/2176-103-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/2176-104-0x0000000075140000-0x0000000075155000-memory.dmp
memory/2176-111-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2176-109-0x0000000059800000-0x000000005986E000-memory.dmp
memory/2176-107-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2176-106-0x0000000000400000-0x0000000000845000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15a4b15f
| MD5 | 8e09ecc2c3197e4e97e1aba0de94f438 |
| SHA1 | 06ebb8ea17d070d0947ab667bac21d83010cde3f |
| SHA256 | e9ce8f5d88dcbdd0856db902a6796fad499a5b2b74190592747fe55959321898 |
| SHA512 | aa8c79b8664ecc0f5093031bda9fa46725cb3b6796edb5803f74b0e9dbf79f97dd33d74c6668f7f699eab937ad998937f0894963bce823060ebd3dca90ebae6a |
memory/1448-115-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/1448-116-0x0000000075140000-0x0000000075155000-memory.dmp
memory/4976-118-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/4976-119-0x0000000000A90000-0x0000000000AF9000-memory.dmp
memory/4976-120-0x0000000000A90000-0x0000000000AF9000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 19:47
Reported
2024-07-10 19:53
Platform
win7-20240704-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2564 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
| MD5 | 95387cc85dacad60b3e10665b43602e6 |
| SHA1 | d9aafd45fe3ad10d28716d6289fe76b4fdce1869 |
| SHA256 | 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a |
| SHA512 | 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b |
\Users\Admin\AppData\Local\Temp\rtl120.bpl
| MD5 | 630991830afe0b969bd0995e697ab16e |
| SHA1 | feda243d83fba15b23d654513dc1f0d70787ba18 |
| SHA256 | b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3 |
| SHA512 | 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692 |
C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl
| MD5 | dc6655a38ffdc3c349f13828fc8ec36e |
| SHA1 | 95db71ef7bff8c16ce955c760292bad9f09bb06d |
| SHA256 | 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a |
| SHA512 | 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69 |
C:\Users\Admin\AppData\Local\Temp\vcl120.bpl
| MD5 | 849070ebd34cbaedc525599d6c3f8914 |
| SHA1 | b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa |
| SHA256 | b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628 |
| SHA512 | f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb |
C:\Users\Admin\AppData\Local\Temp\madExcept_.bpl
| MD5 | 21068dfd733435c866312d35b9432733 |
| SHA1 | 3d5336c676d3dd94500d0d2fe853b9de457f10fd |
| SHA256 | 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299 |
| SHA512 | 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7 |
C:\Users\Admin\AppData\Local\Temp\madDisAsm_.bpl
| MD5 | 84bc072f8ea30746f0982afbda3c638f |
| SHA1 | f39343933ff3fc7934814d6d3b7b098bc92540a0 |
| SHA256 | 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006 |
| SHA512 | 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5 |
\Users\Admin\AppData\Local\Temp\vclx120.bpl
| MD5 | 7daa2b7fe529b45101a399b5ebf0a416 |
| SHA1 | fd73f3561d0cebe341a6c380681fb08841fa5ce6 |
| SHA256 | 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed |
| SHA512 | 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96 |
C:\Users\Admin\AppData\Local\Temp\pdfium.dll
| MD5 | 65a63bd3e6c4ce54299bf494582304f3 |
| SHA1 | e6f63f69388dd5a3cda90403711b78fe5c667981 |
| SHA256 | 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335 |
| SHA512 | f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59 |
\Users\Admin\AppData\Local\Temp\pdf2bmp.dll
| MD5 | f65c3b116281fd23e5748ad73e9501cf |
| SHA1 | ebda8a741833c4fcbfcb72591a7c173d69a01ebd |
| SHA256 | eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725 |
| SHA512 | 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc |
C:\Users\Admin\AppData\Local\Temp\datastate.dll
| MD5 | 626dd52ec6cf2e1e00948586b649cb2a |
| SHA1 | b8aaee43554ec9eb6d0d05a81cf186b330390745 |
| SHA256 | 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd |
| SHA512 | e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b |
C:\Users\Admin\AppData\Local\Temp\charr.dbf
| MD5 | 9424382dbaeb4890c9c1a52fc90f712a |
| SHA1 | 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042 |
| SHA256 | 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168 |
| SHA512 | 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949 |
C:\Users\Admin\AppData\Local\Temp\rebbe.pkg
| MD5 | 3456f0fe789f38cf5d58b359ac1e8727 |
| SHA1 | 5b39e9e71a07102036386bdd0651dcc267400723 |
| SHA256 | c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65 |
| SHA512 | bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed |
memory/1872-49-0x0000000073FE0000-0x0000000074077000-memory.dmp
memory/1872-50-0x0000000077410000-0x00000000775B9000-memory.dmp
memory/1872-78-0x0000000057800000-0x0000000057812000-memory.dmp
memory/1872-79-0x0000000050310000-0x0000000050349000-memory.dmp
memory/1872-77-0x0000000059800000-0x000000005986E000-memory.dmp
memory/1872-76-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2564-97-0x0000000077410000-0x00000000775B9000-memory.dmp
memory/1872-75-0x0000000057000000-0x000000005703F000-memory.dmp
memory/1872-71-0x0000000050000000-0x0000000050116000-memory.dmp
memory/1872-69-0x0000000000400000-0x0000000000845000-memory.dmp
memory/2564-104-0x0000000059800000-0x000000005986E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ac1af14c
| MD5 | 45aa5e81fd75c7a776fbe51deb2ac9e5 |
| SHA1 | d031c134a8ef66e97828c6b09b5325346e386af9 |
| SHA256 | 3da6d99b5081b38e745700b8df7ce77570483c248e6199eb4e3c65bdd5323507 |
| SHA512 | a84a867aeca86c216f00d364362f2c926625d754eb7bfbfb28c21b98dde97e51b2e611a87ac8b27e4346de7ec8f9e7f1d7235bca081e0bcc70c9860ca7f7fe28 |
memory/2564-98-0x0000000073FE0000-0x0000000074077000-memory.dmp
memory/2564-103-0x0000000050120000-0x000000005030D000-memory.dmp
memory/2564-101-0x0000000050000000-0x0000000050116000-memory.dmp
memory/2564-100-0x0000000000400000-0x0000000000845000-memory.dmp
memory/2484-109-0x0000000077410000-0x00000000775B9000-memory.dmp
memory/2484-110-0x0000000073FE0000-0x0000000074077000-memory.dmp
memory/1752-112-0x0000000077410000-0x00000000775B9000-memory.dmp
memory/1752-113-0x0000000000400000-0x0000000000469000-memory.dmp
memory/1752-114-0x0000000000400000-0x0000000000469000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 19:47
Reported
2024-07-10 19:53
Platform
win10v2004-20240709-en
Max time kernel
120s
Max time network
207s
Command Line
Signatures
Lumma Stealer
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4964 set thread context of 4688 | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bittercoldzzdwu.shop | udp |
| US | 172.67.134.113:443 | bittercoldzzdwu.shop | tcp |
| US | 8.8.8.8:53 | bouncedgowp.shop | udp |
| US | 104.21.93.198:443 | bouncedgowp.shop | tcp |
| US | 8.8.8.8:53 | bannngwko.shop | udp |
| US | 104.21.81.196:443 | bannngwko.shop | tcp |
| US | 8.8.8.8:53 | 198.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bargainnykwo.shop | udp |
| US | 172.67.146.97:443 | bargainnykwo.shop | tcp |
| US | 8.8.8.8:53 | affecthorsedpo.shop | udp |
| US | 172.67.135.137:443 | affecthorsedpo.shop | tcp |
| US | 8.8.8.8:53 | 196.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | radiationnopp.shop | udp |
| US | 172.67.196.169:443 | radiationnopp.shop | tcp |
| US | 8.8.8.8:53 | answerrsdo.shop | udp |
| US | 104.21.44.192:443 | answerrsdo.shop | tcp |
| US | 8.8.8.8:53 | 169.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.135.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | publicitttyps.shop | udp |
| US | 172.67.134.88:443 | publicitttyps.shop | tcp |
| US | 8.8.8.8:53 | benchillppwo.shop | udp |
| US | 104.21.81.128:443 | benchillppwo.shop | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| FR | 104.85.26.126:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 192.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.134.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reinforcedirectorywd.shop | udp |
| US | 104.21.83.48:443 | reinforcedirectorywd.shop | tcp |
| US | 8.8.8.8:53 | 48.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.26.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
| MD5 | 95387cc85dacad60b3e10665b43602e6 |
| SHA1 | d9aafd45fe3ad10d28716d6289fe76b4fdce1869 |
| SHA256 | 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a |
| SHA512 | 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b |
C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl
| MD5 | dc6655a38ffdc3c349f13828fc8ec36e |
| SHA1 | 95db71ef7bff8c16ce955c760292bad9f09bb06d |
| SHA256 | 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a |
| SHA512 | 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69 |
C:\Users\Admin\AppData\Local\Temp\rtl120.bpl
| MD5 | 630991830afe0b969bd0995e697ab16e |
| SHA1 | feda243d83fba15b23d654513dc1f0d70787ba18 |
| SHA256 | b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3 |
| SHA512 | 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692 |
C:\Users\Admin\AppData\Local\Temp\vcl120.bpl
| MD5 | 849070ebd34cbaedc525599d6c3f8914 |
| SHA1 | b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa |
| SHA256 | b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628 |
| SHA512 | f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb |
C:\Users\Admin\AppData\Local\Temp\datastate.dll
| MD5 | 626dd52ec6cf2e1e00948586b649cb2a |
| SHA1 | b8aaee43554ec9eb6d0d05a81cf186b330390745 |
| SHA256 | 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd |
| SHA512 | e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b |
C:\Users\Admin\AppData\Local\Temp\pdfium.dll
| MD5 | 65a63bd3e6c4ce54299bf494582304f3 |
| SHA1 | e6f63f69388dd5a3cda90403711b78fe5c667981 |
| SHA256 | 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335 |
| SHA512 | f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59 |
C:\Users\Admin\AppData\Local\Temp\pdf2bmp.dll
| MD5 | f65c3b116281fd23e5748ad73e9501cf |
| SHA1 | ebda8a741833c4fcbfcb72591a7c173d69a01ebd |
| SHA256 | eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725 |
| SHA512 | 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc |
C:\Users\Admin\AppData\Local\Temp\vclx120.bpl
| MD5 | 7daa2b7fe529b45101a399b5ebf0a416 |
| SHA1 | fd73f3561d0cebe341a6c380681fb08841fa5ce6 |
| SHA256 | 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed |
| SHA512 | 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96 |
C:\Users\Admin\AppData\Local\Temp\maddisAsm_.bpl
| MD5 | 84bc072f8ea30746f0982afbda3c638f |
| SHA1 | f39343933ff3fc7934814d6d3b7b098bc92540a0 |
| SHA256 | 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006 |
| SHA512 | 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5 |
C:\Users\Admin\AppData\Local\Temp\madexcept_.bpl
| MD5 | 21068dfd733435c866312d35b9432733 |
| SHA1 | 3d5336c676d3dd94500d0d2fe853b9de457f10fd |
| SHA256 | 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299 |
| SHA512 | 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7 |
C:\Users\Admin\AppData\Local\Temp\charr.dbf
| MD5 | 9424382dbaeb4890c9c1a52fc90f712a |
| SHA1 | 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042 |
| SHA256 | 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168 |
| SHA512 | 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949 |
C:\Users\Admin\AppData\Local\Temp\rebbe.pkg
| MD5 | 3456f0fe789f38cf5d58b359ac1e8727 |
| SHA1 | 5b39e9e71a07102036386bdd0651dcc267400723 |
| SHA256 | c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65 |
| SHA512 | bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed |
memory/4760-58-0x0000000072CC0000-0x0000000072CD4000-memory.dmp
memory/4760-59-0x00007FFD87230000-0x00007FFD87425000-memory.dmp
memory/4760-75-0x0000000050000000-0x0000000050116000-memory.dmp
memory/4760-80-0x0000000050310000-0x0000000050349000-memory.dmp
memory/4964-107-0x00000000749C0000-0x00000000749D4000-memory.dmp
memory/4964-108-0x00007FFD87230000-0x00007FFD87425000-memory.dmp
memory/4760-79-0x0000000050120000-0x000000005030D000-memory.dmp
memory/4760-78-0x0000000057800000-0x0000000057812000-memory.dmp
memory/4760-77-0x0000000057000000-0x000000005703F000-memory.dmp
memory/4760-76-0x0000000059800000-0x000000005986E000-memory.dmp
memory/4760-74-0x0000000000400000-0x0000000000845000-memory.dmp
memory/4964-109-0x00000000749C0000-0x00000000749D4000-memory.dmp
memory/4964-111-0x0000000000400000-0x0000000000845000-memory.dmp
memory/4964-117-0x0000000050310000-0x0000000050349000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\53d56564
| MD5 | eb0cbdd7068e206d8217ef85361de801 |
| SHA1 | 046a62486954898cec3aade62cc9001b1327fafe |
| SHA256 | 6b44a1abb191730b51b14122943190cba632948dab06dc9bfe4f0f6db1775508 |
| SHA512 | cba594433749e0faac07b94d22378bdee4035f12ef7ffd872f54401a130ded6d828809214dc44e63015d29af30b659385ce7e8d502c52ee9d1c88aa100c88a8b |
memory/4964-116-0x0000000050120000-0x000000005030D000-memory.dmp
memory/4964-114-0x0000000059800000-0x000000005986E000-memory.dmp
memory/4964-112-0x0000000050000000-0x0000000050116000-memory.dmp
memory/4688-120-0x00007FFD87230000-0x00007FFD87425000-memory.dmp
memory/4688-121-0x00000000749C0000-0x00000000749D4000-memory.dmp
memory/5032-123-0x00007FFD87230000-0x00007FFD87425000-memory.dmp
memory/5032-124-0x0000000001200000-0x0000000001269000-memory.dmp
memory/5032-127-0x0000000001200000-0x0000000001269000-memory.dmp