Malware Analysis Report

2025-08-05 21:09

Sample ID: 241021-qzdl1awbme
Target: -(1885)[email protected]
SHA256: 70ecfdcd8667bc24ade095f8c9c0d562be1bf31dc8851977a49773b316d83bfd
Tags: lumma discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 70ecfdcd8667bc24ade095f8c9c0d562be1bf31dc8851977a49773b316d83bfd

Threat Level: Known bad

The file -(1885)[email protected] was found to be: Known bad.

Malicious Activity Summary

lumma discovery spyware stealer

Lumma Stealer, LummaC

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-21 13:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240404-en
Max time kernel: 133s
Max time network: 150s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\-(1885)[email protected]"

Signatures

Lumma Stealer, LummaC

stealer lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\installer.exe N/A
N/A N/A C:\Users\Admin\Desktop\installer.exe N/A
N/A N/A C:\Users\Admin\Desktop\installer.exe N/A
N/A N/A C:\Users\Admin\Desktop\installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1428 set thread context of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 set thread context of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\installer.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000598930cd6eaf8b439c7e8e50b6f35f3300000000020000000000106600000001000020000000fa1260be8017469f4aa8223ec111802fd0f19ffb650781f5e31f22fdc231cc1b000000000e80000000020000200000009d00805b9f9bf3f804a553cb2c719dfd3d68e0dddd308d3e0a70e01a253b1576200000001a7a2b2595112fdb6e2fbd41766cd04e22dd92e6bf5a06eca2a83d58812a32c040000000f1e76a0f3520df618f61a23ba0651f43392cef40c847b3328fec220026dc6c0267b040041b5edaac8526692fb2c0f73048fb824f24b49c382daa16b47b152018 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138751" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138751" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436283169" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000598930cd6eaf8b439c7e8e50b6f35f330000000002000000000010660000000100002000000089343d9a8379f635b4688a1af467775ba7ddcc8537d16bd8d6c8b1772d678446000000000e8000000002000020000000b99fc16d2abb4a76e4c1a5b6d9f438359288fbc55498635e28b220a9433609b8200000001b9492f9bf428b47557c9ac13e0823edc033bfa185873965a2f3dcf4a0ab542f40000000324698e4b530a033e0fd52ae9164d27c356dd8cabfd843c71f1aefc89e844235439723c5ecbfc1d2012d0d396c6409ae5dbce024f0a3e2cd522bc6a7a4dfbf1d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806f3340bf23db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60563f40bf23db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31138751" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B9CB86F-8FB2-11EF-B03F-6AE1EDD98849} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1076807987" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31138751" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1076807987" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1078214373" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "436299763" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1078214373" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "436331754" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1428 wrote to memory of 4756 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 1092 wrote to memory of 684 N/A C:\Users\Admin\Desktop\installer.exe C:\Users\Admin\Desktop\installer.exe
PID 2476 wrote to memory of 4236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 4236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2476 wrote to memory of 4236 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\-(1885)[email protected]"

C:\Users\Admin\Desktop\installer.exe

"C:\Users\Admin\Desktop\installer.exe"

C:\Users\Admin\Desktop\installer.exe

"C:\Users\Admin\Desktop\installer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 248

C:\Users\Admin\Desktop\installer.exe

"C:\Users\Admin\Desktop\installer.exe"

C:\Users\Admin\Desktop\installer.exe

"C:\Users\Admin\Desktop\installer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 216

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\StopExpand.xht

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:82945 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 blowwyivot.cfd udp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 8.8.8.8:53 157.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 118.32.21.104.in-addr.arpa udp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 104.21.32.118:443 blowwyivot.cfd tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 167.205.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\installer.exe

MD5 baa49579fe5b7ca9c12de5dfd4a23f39
SHA1 c7476ceb3d586e93e2fdee7d29226923b80fa642
SHA256 644b45fa0d076c6a9cfe6a966948085aefadc31ed454fee09cf583b41c7e92eb
SHA512 473e02dded86b15dfed5d7cd6b82188ff6610a246143cb911f03b244961e1dd6a4faf19ac4062d2d66941d94bc7d2ef77196e51959b424d8217f3a22d8486c04

memory/1428-12-0x0000000000F20000-0x0000000000F22000-memory.dmp

memory/4756-13-0x0000000000400000-0x0000000000461000-memory.dmp

memory/4756-16-0x0000000000400000-0x0000000000461000-memory.dmp

memory/4756-17-0x0000000000EA0000-0x0000000000F2D000-memory.dmp

C:\Users\Admin\Desktop\-Password-1885.txt

MD5 4455ccee1fd4d896acf27e8d8601ce00
SHA1 58fc7e67bc0b69d0b96f5263dd3b46123bb25137
SHA256 94d6b7f986fa5a4429c1e91bcd3dd44de9903dd330117a1c89a2ab2d57f7749c
SHA512 dd70bf8003ba2b5c1ca48c5662204ebb80e4e829e095e05a251f142159acdf37cbaee0ecb840ce9c4c7805e77f5af6c5c981836e543add185d658109c0039518

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 068487c83bbcec00a2b1895bdb9e1931
SHA1 e8664385e98131dd832442f1cfc4945f22f37439
SHA256 af0dd13899a905b11683dcd2a29890b5e31bb4de64a4bce084e897ea0ea9eb7f
SHA512 2c743dc95b3744884102124a7e335f9c060cf15dd25bf863c674fc071786543fddd7f119eae75d87ef81d61a12deb9cd8366f700f92df94cf58c14c205745e82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b909bfd2e03c49d34587e9cdb145c04b
SHA1 15db2aad70670817c64517672f68195503395aa4
SHA256 827c003c6df276ce196f529c9eec8e8e9432a77d7fbf305bf4610b958ab0cc62
SHA512 a89285a7493a5e06117c06b68849e9652e9f1a92c13ff9268c6a718369236637d557ec4f97edf36bb655d155e3f15756834fde9bb4f08b43e135e90b25e9c72e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 32e44ad206b2cf8078239e55b6f3d4a1
SHA1 0ab2ea47a607b5a8b6d0ea9287e989ccd81280d2
SHA256 07ce8296e3001ae9e3b1d6a3d648d27c44287c16268e9aff605b30884d4e5d92
SHA512 c6f4636455d83cac68adfcf4d1cfede25b1cd2b313bf7ebf595abfd3dd264e73e8d268ceeaeedbafd38328432e90f131de0a1ae9af6c68575ec0ea0ec28954e3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver5C63.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8F548OR5.cookie

MD5 6a58837d00ed8892c3ddce09d419a260
SHA1 f578a542fa55a0fc638220340617337eb37e6716
SHA256 7ce2216dca140d967ee4387a2a4f0ff79fdb8c7458c71d71c009c672264d3463
SHA512 19d71661249bf3b15dcf2d78f9745a3bd4efa1cad2171d4140f445ca5ffb4d608b1adf9ed85283f1c199978847056bbf09843238f1565585d97efdb023bdc0e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240611-en
Max time kernel: 124s
Max time network: 135s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\-Password-1885.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\-Password-1885.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.141.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240404-en
Max time kernel: 132s
Max time network: 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\-data\config\config.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\-data\config\config.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240404-en
Max time kernel: 132s
Max time network: 144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\-data\config\d4d1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\-data\config\d4d1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240404-en
Max time kernel: 131s
Max time network: 142s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\-data\programmfiles.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\-data\programmfiles.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-10-21 13:41
Reported: 2024-10-21 13:45
Platform: win10-20240404-en
Max time kernel: 132s
Max time network: 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\installer.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3080 set thread context of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe

Browser Information Discovery

discovery

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\installer.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3080 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe
PID 3080 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\installer.exe C:\Users\Admin\AppData\Local\Temp\installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\installer.exe

"C:\Users\Admin\AppData\Local\Temp\installer.exe"

C:\Users\Admin\AppData\Local\Temp\installer.exe

"C:\Users\Admin\AppData\Local\Temp\installer.exe"

C:\Users\Admin\AppData\Local\Temp\installer.exe

"C:\Users\Admin\AppData\Local\Temp\installer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 248

Network

Country Destination Domain Proto
US 8.8.8.8:53 blowwyivot.cfd udp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 179.151.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.117.19.2.in-addr.arpa udp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 172.67.151.179:443 blowwyivot.cfd tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/3080-0-0x00000000009C0000-0x00000000009C2000-memory.dmp

memory/5048-1-0x0000000000400000-0x0000000000461000-memory.dmp

memory/5048-3-0x0000000000400000-0x0000000000461000-memory.dmp

memory/5048-4-0x0000000000940000-0x00000000009CD000-memory.dmp