Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 07:10
Static task: static1
Behavioral task: behavioral1
  Sample: ea5ce8eb2a03e0aa77e2055061a3f2916952a32b578822707fde0818900653fc.zip
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: ea5ce8eb2a03e0aa77e2055061a3f2916952a32b578822707fde0818900653fc.zip
  Resource: win10v2004-20240226-en
Behavioral task: behavioral3
  Sample: Setup.exe
  Resource: win7-20240221-en
General
Target: Setup.exe
Size: 202KB
MD5: 64179e64675e822559cac6652298bdfc
SHA1: cceed3b2441146762512918af7bf7f89fb055583
SHA256: c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512: ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
SSDEEP: 3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Malware Config
Extracted
  Family: lumma
  C2: https://qualifiedbehaviorrykej.site/api
Signatures
Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   Process
    39    2156  cmd.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   Process    procid_target
    PID 2912 set thread context of 2156   2912  Setup.exe  89
Program crash (3 IoCs)
  Processes:
    pid   pid_target  Process       procid_target
    4024  2156        WerFault.exe  89
    2064  2156        WerFault.exe  89
    1876  2156        WerFault.exe  89
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   Process
    2912  Setup.exe
    2912  Setup.exe
    2156  cmd.exe
    2156  cmd.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   Process
    2912  Setup.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   Process    procid_target
    PID 2912 wrote to memory of 2156   2912  Setup.exe  89
    PID 2912 wrote to memory of 2156   2912  Setup.exe  89
    PID 2912 wrote to memory of 2156   2912  Setup.exe  89
    PID 2912 wrote to memory of 2156   2912  Setup.exe  89
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 2912
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 2156
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1220
      PID: 4024
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1168
      PID: 2064
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1204
      PID: 1876
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2156 -ip 2156
  PID: 5092
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2156 -ip 2156
  PID: 1708
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2156 -ip 2156
  PID: 828
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.2MB
MD5: 246c235905bcb7988fa43f44f74eea82
SHA1: e82e8d56a377555ec6d051fa6fda26251df00b63
SHA256: 233183408da64f55984e5d25f4ee9c3b4718f96887326ff9e51e066e89d0ea36
SHA512: ff888a032726c6bdb14b7b3adc612671f8d9635193b37eea3c982582aec568d363865cfef4a1761532e1f59de963ce65e37275c49a8792bfb727c9b0b45e4990