Analysis
Max time kernel: 124s
Max time network: 126s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-02-2024 06:56
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 468f6d2d76ac4e2e840f63a6cd1df0e64a1c8cb575d1e0b3e9864d9fb7fd5212.zip
  Resource: win10v2004-20240226-en
- Behavioral task: behavioral3
  Sample: lSetup.exe
  Resource: win7-20240221-en
General
Target: lSetup.exe
Size: 202KB
MD5: 64179e64675e822559cac6652298bdfc
SHA1: cceed3b2441146762512918af7bf7f89fb055583
SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
SSDEEP: 3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Malware Config
Extracted family: lumma
Extracted URL: https://qualifiedbehaviorrykej.site/api
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    31 / 952 / cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / procid_target):
    PID 4348 set thread context of 952 / 4348 / lSetup.exe / 88
- Program crash (1 IoC)
  Processes (pid / pid_target / process / procid_target):
    856 / 952 / WerFault.exe / 88
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    4348 / lSetup.exe
    4348 / lSetup.exe
    952 / cmd.exe
    952 / cmd.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    4348 / lSetup.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / procid_target):
    PID 4348 wrote to memory of 952 / 4348 / lSetup.exe / 88
    PID 4348 wrote to memory of 952 / 4348 / lSetup.exe / 88
    PID 4348 wrote to memory of 952 / 4348 / lSetup.exe / 88
    PID 4348 wrote to memory of 952 / 4348 / lSetup.exe / 88
Processes
- C:\Users\Admin\AppData\Local\Temp\lSetup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lSetup.exe"
  PID: 4348
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 952
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1188
      PID: 856
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 952 -ip 952
  PID: 3800
Downloads
- Filesize: 1.2MB
  MD5: b00f8ca79f974c0e92558e637bffcd0d
  SHA1: e4591697f842b6b6200dcefa6eeaeeedab672236
  SHA256: b475aa4713df9f63a4f7c8298bec00900ec072865d53760dde9168c0486b3067
  SHA512: b90df2453e454cc5bae8d40b6fc226b6eae0cddbfb3e3534e4ec368dea7abac7ec48743accccc7222411e13da19a84058f62587c3672ad522ed1179e320a9a7d