Analysis Overview
SHA256
f41fb55c41a0af6a511bbfe8aecabbb7ad67abcb7a7c4ffae7b517d6750787a7
Threat Level: Known bad
The file Release.zip was found to be: Known bad.
Malicious Activity Summary
Lumma family
Lumma Stealer, LummaC
CryptOne packer
Executes dropped EXE
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-23 20:48
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-23 20:47
Reported
2024-12-23 20:49
Platform
win10v2004-20241007-en
Max time kernel
54s
Max time network
57s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Release\BootstrapperClient.exe | N/A |
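The three "Key opened" rows above are the sample reading HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language (the sandbox logs the resolved kernel path, \REGISTRY\MACHINE\SYSTEM\ControlSet001, so a detection rule should match both spellings). The Default and InstallLanguage values in that key hold the system UI and install locale as hex LCIDs, which is what a stealer consults before deciding whether to run. The script below is an added example, not code from the report or from the Lumma family: it parses a constructed .reg export of that key and emulates the locale gate as it is commonly reported for CIS-excluding stealers. The exclusion list (CIS_LCIDS) is an assumption for illustration; the page shows only that the key was read, not which locales this sample refuses.

```python
import re

# Constructed sample input: a .reg export of the key the sample opens.
# The values are illustrative (an en-US host), not taken from the report.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NLS\Language]
"Default"="0409"
"InstallLanguage"="0409"
"""

# Hex LCIDs (as stored in the key) of locales that CIS-excluding stealers are
# commonly reported to refuse. Assumption: this sample's real list is not on the page.
CIS_LCIDS = {
    "0419": "ru-RU", "0422": "uk-UA", "0423": "be-BY", "043F": "kk-KZ",
    "0440": "ky-KG", "0443": "uz-UZ", "0428": "tg-TJ", "042B": "hy-AM",
    "042C": "az-AZ",
}
KNOWN_LCIDS = {"0409": "en-US", "0407": "de-DE", "040C": "fr-FR", **CIS_LCIDS}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')


def parse_reg_export(text):
    """Parse the [key] and "name"="data" lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def nls_language(keys):
    """Return (Default, InstallLanguage) LCIDs from whichever control set was exported."""
    for key, values in keys.items():
        if key.upper().endswith(r"\CONTROL\NLS\LANGUAGE"):
            return values.get("Default", "").upper(), values.get("InstallLanguage", "").upper()
    raise KeyError("NLS\\Language key not present in export")


def language_gate(text):
    """Emulate the locale check: what a CIS-excluding payload would decide on this host."""
    default, install = nls_language(parse_reg_export(text))
    excluded = default in CIS_LCIDS or install in CIS_LCIDS
    return {
        "default_lcid": default, "default_tag": KNOWN_LCIDS.get(default, "unknown"),
        "install_lcid": install, "install_tag": KNOWN_LCIDS.get(install, "unknown"),
        "payload_would_run": not excluded,
    }


if __name__ == "__main__":
    print(language_gate(SAMPLE_REG_EXPORT))
```

On a real host the same export is produced with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language" nls.reg`. A registry read of this key by an unsigned binary sitting in a user's Desktop or Temp directory is a low-noise hunting signal on its own, because the legitimate readers of it are system components.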
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Release\BootstrapperClient.exe
"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1268
C:\Users\Admin\Desktop\Release\BootstrapperClient.exe
"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1268
C:\Users\Admin\Desktop\Release\BootstrapperClient.exe
"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1340
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.133.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | enterwahsh.biz | udp |
| US | 172.67.198.176:443 | enterwahsh.biz | tcp |
| US | 8.8.8.8:53 | wordyfindy.lat | udp |
| US | 104.21.19.35:443 | wordyfindy.lat | tcp |
| US | 8.8.8.8:53 | slipperyloo.lat | udp |
| US | 104.21.20.143:443 | slipperyloo.lat | tcp |
| US | 8.8.8.8:53 | 35.19.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.198.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | manyrestro.lat | udp |
| US | 172.67.130.32:443 | manyrestro.lat | tcp |
| US | 8.8.8.8:53 | shapestickyr.lat | udp |
| US | 104.21.62.10:443 | shapestickyr.lat | tcp |
| US | 8.8.8.8:53 | 143.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | talkynicer.lat | udp |
| US | 104.21.32.1:443 | talkynicer.lat | tcp |
| US | 8.8.8.8:53 | curverpluch.lat | udp |
| US | 172.67.215.87:443 | curverpluch.lat | tcp |
| US | 8.8.8.8:53 | 32.130.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.62.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tentabatte.lat | udp |
| US | 104.21.30.58:443 | tentabatte.lat | tcp |
| US | 8.8.8.8:53 | bashfulacid.lat | udp |
| US | 104.21.59.136:443 | bashfulacid.lat | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 87.215.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.30.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.59.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lev-tolstoi.com | udp |
| US | 172.67.157.254:443 | lev-tolstoi.com | tcp |
| US | 8.8.8.8:53 | 33.170.124.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.157.67.172.in-addr.arpa | udp |
| US | 172.67.198.176:443 | enterwahsh.biz | tcp |
| US | 104.21.19.35:443 | wordyfindy.lat | tcp |
| US | 104.21.20.143:443 | slipperyloo.lat | tcp |
| US | 172.67.130.32:443 | manyrestro.lat | tcp |
| US | 104.21.62.10:443 | shapestickyr.lat | tcp |
| US | 104.21.32.1:443 | talkynicer.lat | tcp |
| US | 172.67.215.87:443 | curverpluch.lat | tcp |
| US | 104.21.30.58:443 | tentabatte.lat | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 104.21.59.136:443 | bashfulacid.lat | tcp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 172.67.157.254:443 | lev-tolstoi.com | tcp |
| US | 172.67.198.176:443 | enterwahsh.biz | tcp |
| US | 104.21.19.35:443 | wordyfindy.lat | tcp |
| US | 104.21.20.143:443 | slipperyloo.lat | tcp |
| US | 172.67.130.32:443 | manyrestro.lat | tcp |
| US | 104.21.62.10:443 | shapestickyr.lat | tcp |
| US | 104.21.32.1:443 | talkynicer.lat | tcp |
| US | 172.67.215.87:443 | curverpluch.lat | tcp |
| US | 104.21.30.58:443 | tentabatte.lat | tcp |
| US | 104.21.59.136:443 | bashfulacid.lat | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 172.67.157.254:443 | lev-tolstoi.com | tcp |
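The network table mixes three kinds of rows: the sample's own DNS queries to 8.8.8.8, the resulting HTTPS connections (each repeated because the sample retries the full list several times), and the sandbox's reverse (in-addr.arpa) lookups of the addresses it just saw, which are analysis-environment noise rather than sample behaviour. The script below is an added example, not part of the report: it parses a subset of the rows above (copied verbatim), collapses them into domain-to-endpoint indicators, and emits Suricata DNS rules (Suricata 5+ `dns.query` syntax). steamcommunity.com is kept out of the block rules because it is a legitimate service; Lumma samples have been reported to use a Steam profile page as a dead-drop resolver, but the page does not confirm that role here, so it is marked for review only. The 104.21.x and 172.67.x endpoints are Cloudflare-fronted, so the domain names, not the IPs, are the durable indicators.

```python
import re

# Constructed input: a subset of the Network table rows above, copied verbatim.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | enterwahsh.biz | udp |
| US | 172.67.198.176:443 | enterwahsh.biz | tcp |
| US | 8.8.8.8:53 | wordyfindy.lat | udp |
| US | 104.21.19.35:443 | wordyfindy.lat | tcp |
| US | 8.8.8.8:53 | 35.19.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | lev-tolstoi.com | udp |
| US | 172.67.157.254:443 | lev-tolstoi.com | tcp |
| US | 172.67.198.176:443 | enterwahsh.biz | tcp |
| US | 104.21.19.35:443 | wordyfindy.lat | tcp |
| GB | 104.124.170.33:443 | steamcommunity.com | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>\w+)\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)
RESOLVER = "8.8.8.8:53"
# Legitimate services seen in the log: review by hand, never auto-block.
REVIEW_ONLY = {"steamcommunity.com"}


def parse_rows(text):
    """Turn the pipe-table rows into dicts; lines that are not rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def extract_iocs(rows):
    """Collapse the connection log into {domain: [ip:port, ...]}, dropping resolver and PTR noise."""
    iocs = {}
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue  # sandbox reverse lookups, not sample behaviour
        endpoints = iocs.setdefault(r["domain"], set())
        if r["dst"] != RESOLVER:  # keep the name even if only the DNS query was seen
            endpoints.add(r["dst"])
    return {d: sorted(e) for d, e in iocs.items()}


def blockable(iocs):
    """Domains that can go straight into a blocklist, excluding the review-only set."""
    return sorted(d for d in iocs if d not in REVIEW_ONLY)


def suricata_rules(iocs, base_sid=9000000):
    """One DNS-query alert per C2 candidate domain (Suricata 5+ dns.query sticky buffer)."""
    return [
        'alert dns $HOME_NET any -> any any (msg:"Lumma C2 DNS query %s"; '
        'dns.query; content:"%s"; nocase; endswith; sid:%d; rev:1;)' % (d, d, base_sid + i)
        for i, d in enumerate(blockable(iocs))
    ]


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_ROWS))
    for domain, endpoints in sorted(iocs.items()):
        print(domain, endpoints, "(review only)" if domain in REVIEW_ONLY else "")
    print("\n".join(suricata_rules(iocs)))
```

Run against the full table, the same code yields the eleven distinct names the sample contacted (nine C2 candidates on .lat and .biz, plus lev-tolstoi.com and steamcommunity.com); the repeated tcp rows collapse to one endpoint each.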
Files
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\.tests\isfile.txt
| MD5 | 260ca9dd8a4577fc00b7bd5810298076 |
| SHA1 | 53a5687cb26dc41f2ab4033e97e13adefd3740d6 |
| SHA256 | aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27 |
| SHA512 | 51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7 |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1
| MD5 | a833653a021f29ee2ec1a845e0c2308f |
| SHA1 | 05071159d3c2516d67b765cef012a0a2d3337759 |
| SHA256 | 8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7 |
| SHA512 | 0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\Desktop\Release\BootstrapperClient.exe
| MD5 | 0d9e5d646d10bdf00e044b35e2915a78 |
| SHA1 | 6ca9c97bc5a97cf4165a19250691ec75391168b5 |
| SHA256 | ccc8068a6c0e80093c5cf63397dceace198035ddd09b4576c201b895cd578866 |
| SHA512 | 902a08d270684efb55cf3677a3ab634cc879f6e14f6426bb99902f9e8195cb95a89ba75951b44223b3b1f21c693a05ae504d874812e6a80b8c52804c31aac55d |
memory/4856-548-0x00000000021A0000-0x00000000021CC000-memory.dmp
memory/4856-549-0x0000000002210000-0x000000000225C000-memory.dmp
memory/4856-550-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4856-551-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4856-553-0x0000000002210000-0x000000000225C000-memory.dmp
memory/4856-552-0x00000000021A0000-0x00000000021CC000-memory.dmp
memory/4928-555-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4928-556-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4928-557-0x0000000000400000-0x0000000000459000-memory.dmp
memory/4120-561-0x0000000000400000-0x0000000000459000-memory.dmp
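The Processes listing and the memory dump names above can be tied together: each crash of BootstrapperClient.exe produces two WerFault.exe invocations (the `-pss` and `-u` modes), and the `-p` argument of both carries the PID of the faulting process. The dump names follow `memory/<pid>-<seq>-<start>-<end>-memory.dmp`, so the same PIDs identify which dumps belong to which instance. The script below is an added example, not part of the report: it parses the command lines and dump names copied from the page and builds a per-PID crash and memory-region summary. Reading `-p` as the faulting PID follows the usual WerFault convention and is stated as an assumption; 0x400000 is the default preferred base of a 32-bit PE, so a dump starting there is the mapped image, while the higher regions in PID 4856 are plausible staging areas for a packer's unpacked stage, which the page does not confirm.

```python
import re
from collections import defaultdict

# Command lines and dump names copied from the Processes and memory listings above.
COMMAND_LINES = [
    r'"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1268",
    r'"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"',
    r'"C:\Windows\system32\notepad.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1268",
    r'"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1340",
]
MEMORY_DUMPS = [
    "memory/4856-548-0x00000000021A0000-0x00000000021CC000-memory.dmp",
    "memory/4856-549-0x0000000002210000-0x000000000225C000-memory.dmp",
    "memory/4856-550-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/4856-551-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/4856-553-0x0000000002210000-0x000000000225C000-memory.dmp",
    "memory/4856-552-0x00000000021A0000-0x00000000021CC000-memory.dmp",
    "memory/4928-555-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/4928-556-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/4928-557-0x0000000000400000-0x0000000000459000-memory.dmp",
    "memory/4120-561-0x0000000000400000-0x0000000000459000-memory.dmp",
]

# Assumption: "-p <pid>" on a WerFault command line is the PID of the faulting process.
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (?P<pid>\d+)", re.IGNORECASE)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE = 0x400000  # default preferred base of a 32-bit PE


def crashed_pids(cmdlines):
    """Count WerFault invocations per faulting PID."""
    counts = defaultdict(int)
    for line in cmdlines:
        m = WERFAULT_RE.search(line)
        if m:
            counts[int(m.group("pid"))] += 1
    return dict(counts)


def parse_dumps(names):
    """Group dump regions by PID, keeping sequence number, bounds and size."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        start, end = int(m.group("start"), 16), int(m.group("end"), 16)
        regions[int(m.group("pid"))].append(
            {"seq": int(m.group("seq")), "start": start, "end": end, "size": end - start}
        )
    return dict(regions)


def correlate(cmdlines, names):
    """Per-PID summary: crash evidence, dump count, image region size, other dumped regions."""
    crashes, dumps = crashed_pids(cmdlines), parse_dumps(names)
    report = {}
    for pid in sorted(set(crashes) | set(dumps)):
        regs = dumps.get(pid, [])
        image = [r for r in regs if r["start"] == DEFAULT_IMAGE_BASE]
        report[pid] = {
            "werfault_invocations": crashes.get(pid, 0),
            "dump_count": len(regs),
            "image_region_size": image[0]["size"] if image else None,
            "other_regions": sorted({(r["start"], r["end"]) for r in regs if r["start"] != DEFAULT_IMAGE_BASE}),
        }
    return report


if __name__ == "__main__":
    for pid, info in correlate(COMMAND_LINES, MEMORY_DUMPS).items():
        print(pid, info)
```

The three crashed PIDs match the three BootstrapperClient.exe launches and the three dumped PIDs, so every instance crashed after the sandbox had already captured its image region (0x59000 bytes at 0x400000). PID 4856 is the one worth unpacking first: it is the only instance with additional regions captured (0x21A0000 and 0x2210000), which is where a dumped post-CryptOne stage would be looked for.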