Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2024, 09:51
Static task: static1
Behavioral task: behavioral1
Sample: OwnCheat.exe
Resource: win7-20240221-en
General
Target: OwnCheat.exe
Size: 490KB
MD5: 3d34c5809bdf1ef75f887ef2df935093
SHA1: 744f4ec59d47b0ea7f37ee68a6fd9cc781b760b4
SHA256: b4182812c8fde0c6daed1683da1bc7ba8b1ccea701d07a90586e7960dd2ef4d0
SHA512: 2dea322a442c50457b3357a2eedca606e38f77371c4c03b4d47125912009794e147989668ade9e682d8b3f9bfc9085e09fcdadf556122cda7d11b2da181af733
SSDEEP: 12288:54J4ZH65jJMP0iLZDjF90NY93uaXffuSsjo4ldDv2xmDVXRa:m4ZGM7R9+MuSDidDv2xmxB
Malware Config
Extracted family: lumma
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1932 set thread context of 212 | 1932 | OwnCheat.exe | 86

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1932 wrote to memory of 212 | 1932 | OwnCheat.exe | 86
(the report lists this identical row 9 times, one per WriteProcessMemory event)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OwnCheat.exe"
  PID: 1932
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 212

Depth 1: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2428