Malware Analysis Report

2025-01-23 13:20

Sample ID 241223-zlbpxs1kav
Target Release.zip
SHA256 f41fb55c41a0af6a511bbfe8aecabbb7ad67abcb7a7c4ffae7b517d6750787a7
Tags
cryptone packer lumma discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f41fb55c41a0af6a511bbfe8aecabbb7ad67abcb7a7c4ffae7b517d6750787a7

Threat Level: Known bad

The file Release.zip was found to be: Known bad.

Malicious Activity Summary

cryptone packer lumma discovery stealer

Lumma family

Lumma Stealer, LummaC

CryptOne packer

Executes dropped EXE

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-23 20:48

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-23 20:47

Reported

2024-12-23 20:49

Platform

win10v2004-20241007-en

Max time kernel

54s

Max time network

57s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Release\BootstrapperClient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Release\BootstrapperClient.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Release\BootstrapperClient.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe

"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1268

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe

"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"

C:\Windows\system32\notepad.exe

"C:\Windows\system32\notepad.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4928 -ip 4928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1268

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe

"C:\Users\Admin\Desktop\Release\BootstrapperClient.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1340

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 156.133.100.95.in-addr.arpa udp
US 8.8.8.8:53 enterwahsh.biz udp
US 172.67.198.176:443 enterwahsh.biz tcp
US 8.8.8.8:53 wordyfindy.lat udp
US 104.21.19.35:443 wordyfindy.lat tcp
US 8.8.8.8:53 slipperyloo.lat udp
US 104.21.20.143:443 slipperyloo.lat tcp
US 8.8.8.8:53 35.19.21.104.in-addr.arpa udp
US 8.8.8.8:53 176.198.67.172.in-addr.arpa udp
US 8.8.8.8:53 manyrestro.lat udp
US 172.67.130.32:443 manyrestro.lat tcp
US 8.8.8.8:53 shapestickyr.lat udp
US 104.21.62.10:443 shapestickyr.lat tcp
US 8.8.8.8:53 143.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 talkynicer.lat udp
US 104.21.32.1:443 talkynicer.lat tcp
US 8.8.8.8:53 curverpluch.lat udp
US 172.67.215.87:443 curverpluch.lat tcp
US 8.8.8.8:53 32.130.67.172.in-addr.arpa udp
US 8.8.8.8:53 10.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 1.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 tentabatte.lat udp
US 104.21.30.58:443 tentabatte.lat tcp
US 8.8.8.8:53 bashfulacid.lat udp
US 104.21.59.136:443 bashfulacid.lat tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 87.215.67.172.in-addr.arpa udp
US 8.8.8.8:53 58.30.21.104.in-addr.arpa udp
US 8.8.8.8:53 136.59.21.104.in-addr.arpa udp
US 8.8.8.8:53 lev-tolstoi.com udp
US 172.67.157.254:443 lev-tolstoi.com tcp
US 8.8.8.8:53 33.170.124.104.in-addr.arpa udp
US 8.8.8.8:53 254.157.67.172.in-addr.arpa udp
US 172.67.198.176:443 enterwahsh.biz tcp
US 104.21.19.35:443 wordyfindy.lat tcp
US 104.21.20.143:443 slipperyloo.lat tcp
US 172.67.130.32:443 manyrestro.lat tcp
US 104.21.62.10:443 shapestickyr.lat tcp
US 104.21.32.1:443 talkynicer.lat tcp
US 172.67.215.87:443 curverpluch.lat tcp
US 104.21.30.58:443 tentabatte.lat tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 104.21.59.136:443 bashfulacid.lat tcp
GB 104.124.170.33:443 steamcommunity.com tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 172.67.157.254:443 lev-tolstoi.com tcp
US 172.67.198.176:443 enterwahsh.biz tcp
US 104.21.19.35:443 wordyfindy.lat tcp
US 104.21.20.143:443 slipperyloo.lat tcp
US 172.67.130.32:443 manyrestro.lat tcp
US 104.21.62.10:443 shapestickyr.lat tcp
US 104.21.32.1:443 talkynicer.lat tcp
US 172.67.215.87:443 curverpluch.lat tcp
US 104.21.30.58:443 tentabatte.lat tcp
US 104.21.59.136:443 bashfulacid.lat tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.124.170.33:443 steamcommunity.com tcp
US 172.67.157.254:443 lev-tolstoi.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\.tests\isfile.txt

MD5 260ca9dd8a4577fc00b7bd5810298076
SHA1 53a5687cb26dc41f2ab4033e97e13adefd3740d6
SHA256 aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
SHA512 51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

MD5 a833653a021f29ee2ec1a845e0c2308f
SHA1 05071159d3c2516d67b765cef012a0a2d3337759
SHA256 8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7
SHA512 0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\7zE0326E197\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\Desktop\Release\BootstrapperClient.exe

MD5 0d9e5d646d10bdf00e044b35e2915a78
SHA1 6ca9c97bc5a97cf4165a19250691ec75391168b5
SHA256 ccc8068a6c0e80093c5cf63397dceace198035ddd09b4576c201b895cd578866
SHA512 902a08d270684efb55cf3677a3ab634cc879f6e14f6426bb99902f9e8195cb95a89ba75951b44223b3b1f21c693a05ae504d874812e6a80b8c52804c31aac55d

memory/4856-548-0x00000000021A0000-0x00000000021CC000-memory.dmp

memory/4856-549-0x0000000002210000-0x000000000225C000-memory.dmp

memory/4856-550-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4856-551-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4856-553-0x0000000002210000-0x000000000225C000-memory.dmp

memory/4856-552-0x00000000021A0000-0x00000000021CC000-memory.dmp

memory/4928-555-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4928-556-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4928-557-0x0000000000400000-0x0000000000459000-memory.dmp

memory/4120-561-0x0000000000400000-0x0000000000459000-memory.dmp