Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 05:22
Static task: static1
General
Target: Laun4er___Pswrd--1231.rar
Size: 33.6MB
MD5: 453fd9bbbfbfea164a42dee426e9794f
SHA1: 49cfef6bf483c3ce0007e5e80826a5eec96c5552
SHA256: 0f6f7876e556d8a0aaa9079710e980901cba752cc159f437b16e2d4a44bc693a
SHA512: 8124cd65fb01585b1b3c21ede1c9659f4bc566df207a026c9379816f5b7ead4c4ff00d0b9bd997b2b118cfb4dcfbbca1808debbbca478d714d683559a3513aa8
SSDEEP: 786432:8YbTvWtBX/D1KVygpK4H7Wmv/+5+eyELqJsul1i+6i/:8YbTvWzYcoCU/+nMsM7R/
Malware Config
Extracted family: lumma
C2 URLs:
- https://sermonundressolcow.shop/api
- https://technologyenterdo.shop/api
- https://detectordiscusser.shop/api
- https://turkeyunlikelyofw.shop/api
- https://associationokeo.shop/api
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 1340 | Setupp.exe
- 1408 | Setupp.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 1340 set thread context of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
- 1340 | Setupp.exe
- 1408 | Setupp.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
- 2132 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeRestorePrivilege | 2132 | 7zFM.exe
- Token: 35 | 2132 | 7zFM.exe
- Token: SeSecurityPrivilege | 2132 | 7zFM.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid | process):
- 2132 | 7zFM.exe
- 2132 | 7zFM.exe
- 2132 | 7zFM.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description | pid | process | target process):
- PID 1556 wrote to memory of 2132 | 1556 | cmd.exe | 7zFM.exe
- PID 1556 wrote to memory of 2132 | 1556 | cmd.exe | 7zFM.exe
- PID 1340 wrote to memory of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe
- PID 1340 wrote to memory of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe
- PID 1340 wrote to memory of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe
- PID 1340 wrote to memory of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe
- PID 1340 wrote to memory of 3776 | 1340 | Setupp.exe | BitLockerToGo.exe
Processes

C:\Windows\system32\cmd.exe
  command: cmd /c C:\Users\Admin\AppData\Local\Temp\Laun4er___Pswrd--1231.rar
  PID: 1556
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    child: C:\Program Files\7-Zip\7zFM.exe
      command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Laun4er___Pswrd--1231.rar"
      PID: 2132
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3916

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe
  command: "C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe"
  PID: 1340
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    child: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      command: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 3776

C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe
  command: "C:\Users\Admin\Desktop\Laun4er___Pswrd--1231\Setupp.exe"
  PID: 1408
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Downloads