Analysis

max time kernel:   34s
max time network:  34s
platform:          windows10-2004_x64
resource:          win10v2004-20240221-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted:         24-02-2024 23:46

Static task:       static1
Behavioral task:   behavioral1
  Sample:          SoftWare.exe
  Resource:        win7-20240221-en
General

Target:  SoftWare.exe
Size:    317KB
MD5:     715ce74cd987a5ac7f5dbc789e4511cb
SHA1:    14ce91cd5b398d141c9ad53d8a5bd7ffee8cede3
SHA256:  77cdd1d711ff6f068a60d15b058b66311eab2b0bf09eb86b4f66fe9007e66126
SHA512:  1f274040704c266ab68e45077d296c077839ddf474d08f43e8debebf5d4cd472dab9a802858f0331f081ca9d037433336b833dd7ff8027cc198f639c3c13eea8
SSDEEP:  6144:DBvk1y/RWNrZCV9QzoOr6iYZVSQXfku+CawXNijlVmGnLuzx:1vl/RWNrZw98MVPXfkuz0WGLU
Malware Config

Extracted family: lumma
C2 endpoints from the extracted configuration:
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api

Treat all four hosts as IoCs, not only the first: the configuration carries a list so the stealer can fall back to another endpoint when one is down or sinkholed.
Signatures

Suspicious use of SetThreadContext (1 IoC)
  PID 4028 SoftWare.exe -> set thread context of PID 3252 RegAsm.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: PID 4936 taskmgr.exe
    Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
    Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  All 26 IoCs: PID 4936 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 4936 taskmgr.exe  Token: SeDebugPrivilege
  PID 4936 taskmgr.exe  Token: SeSystemProfilePrivilege
  PID 4936 taskmgr.exe  Token: SeCreateGlobalPrivilege

Suspicious use of FindShellTrayWindow (37 IoCs)
  All 37 IoCs: PID 4936 taskmgr.exe

Suspicious use of SendNotifyMessage (37 IoCs)
  All 37 IoCs: PID 4936 taskmgr.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4028 SoftWare.exe -> wrote to memory of PID 3180 RegAsm.exe (3 IoCs)
  PID 4028 SoftWare.exe -> wrote to memory of PID 3252 RegAsm.exe (9 IoCs)

Reading the signatures:
  - Only SetThreadContext and WriteProcessMemory are raised by the sample itself (PID 4028). Together with the process tree they describe process hollowing (RunPE): SoftWare.exe launches RegAsm.exe, a Microsoft-signed .NET utility, overwrites its memory, then repoints a thread at the injected payload with SetThreadContext. The hollowed instance is PID 3252, which received nine writes and the SetThreadContext call; the first instance, PID 3180, received three writes and nothing further, which looks like an abandoned first attempt, although the report gives no reason. The unpacked Lumma code and strings should be recovered from the memory of PID 3252, not from SoftWare.exe on disk.
  - Every IoC in the other five signatures comes from PID 4936 taskmgr.exe, which the process tree lists as a top-level process rather than a child of SoftWare.exe. Reading the SCSI disk device keys, enumerating processes, enabling SeDebugPrivilege and messaging the shell tray are normal Task Manager behavior, so these hits describe Task Manager (presumably opened interactively during the run), not the sample. In particular, the SCSI key check should not be read as sandbox evasion by Lumma in this report.
Processes

C:\Users\Admin\AppData\Local\Temp\SoftWare.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SoftWare.exe"
  Level 1, PID 4028
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Level 2 (child of 4028), PID 3180

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      Level 2 (child of 4028), PID 3252

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Level 1 (top-level, not a child of SoftWare.exe), PID 4936
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Note: both RegAsm.exe hosts are started from the 32-bit Framework directory (not Framework64) with no arguments, so the hollowed payload runs as a 32-bit process on this x64 image. RegAsm.exe launched with an empty command line by a parent running from a user's Temp directory is a useful hunting query for this pattern.
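As an added example, not part of the sandbox report, the following Python reproduces the two conclusions drawn above from the report's own IoC lines: which PIDs actually belong to the sample, and whether the WriteProcessMemory/SetThreadContext pairing amounts to process hollowing. The event list is constructed from the PIDs and counts in the Signatures and Processes sections; the Event type, the action names and the HOLLOW_HOSTS set are this example's own assumptions, not a sandbox API or a list taken from the report.

```python
"""Reconstruct the hollowing verdict from sandbox-style IoC events.

Added example: the events are constructed from the report (PIDs 4028, 3180,
3252, 4936 and the per-signature counts), not parsed from a live sandbox.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int              # acting process
    image: str            # image name of the acting process
    action: str           # create | write_memory | set_thread_context | enum_processes
    target: int           # target PID (0 when there is none)
    target_image: str = ""


# Constructed from the report's process tree and signature sections.
EVENTS = [
    Event(4028, "SoftWare.exe", "create", 3180, "RegAsm.exe"),
    Event(4028, "SoftWare.exe", "create", 3252, "RegAsm.exe"),
    *([Event(4028, "SoftWare.exe", "write_memory", 3180, "RegAsm.exe")] * 3),
    *([Event(4028, "SoftWare.exe", "write_memory", 3252, "RegAsm.exe")] * 9),
    Event(4028, "SoftWare.exe", "set_thread_context", 3252, "RegAsm.exe"),
    # Task Manager is a separate top-level process in the report and is never
    # created by, or targeted by, the sample.
    *([Event(4936, "taskmgr.exe", "enum_processes", 0)] * 26),
]

# Assumed list of Microsoft-signed .NET utilities commonly abused as hollowing
# hosts because they ship with every .NET Framework install.
HOLLOW_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe",
}


def find_hollowing(events):
    """Return (hits, partial), each a list of (src_pid, tgt_pid, image, writes).

    A target counts as hollowed when the same source process created it,
    wrote into it, and then called SetThreadContext on it, and the target is a
    known host binary. Writes to a created child without a SetThreadContext
    call are reported as partial so an analyst can see aborted attempts.
    """
    created = defaultdict(set)   # src pid -> set of child pids
    writes = defaultdict(int)    # (src, tgt) -> number of WriteProcessMemory IoCs
    ctx = set()                  # (src, tgt) pairs that saw SetThreadContext
    images = {}                  # pid -> image name
    for e in events:
        if e.action == "create":
            created[e.pid].add(e.target)
            images[e.target] = e.target_image
        elif e.action == "write_memory":
            writes[(e.pid, e.target)] += 1
        elif e.action == "set_thread_context":
            ctx.add((e.pid, e.target))

    hits, partial = [], []
    for (src, tgt), n in sorted(writes.items()):
        if tgt not in created[src]:
            continue                      # writes into a process it did not spawn
        img = images[tgt]
        record = (src, tgt, img, n)
        if (src, tgt) in ctx and img.lower() in HOLLOW_HOSTS:
            hits.append(record)
        else:
            partial.append(record)
    return hits, partial


def sample_pids(events, root):
    """PIDs attributable to the sample: the root plus everything it spawned."""
    children = defaultdict(set)
    for e in events:
        if e.action == "create":
            children[e.pid].add(e.target)
    seen, stack = set(), [root]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(children[p])
    return seen


if __name__ == "__main__":
    hits, partial = find_hollowing(EVENTS)
    print("hollowed:", hits)       # [(4028, 3252, 'RegAsm.exe', 9)]
    print("partial:", partial)     # [(4028, 3180, 'RegAsm.exe', 3)]
    print("sample PIDs:", sorted(sample_pids(EVENTS, 4028)))  # [3180, 3252, 4028]
```

The split into hits and partial is deliberate: the three writes into PID 3180 are real sample behavior worth keeping in the timeline, but without a SetThreadContext call they do not by themselves show that code ran there, so memory acquisition should target PID 3252 first. Filtering the event stream through sample_pids before scoring drops every taskmgr.exe IoC, which is exactly the noise the report's signature section would otherwise attribute to the sample.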