Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 13:18
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20240419-en
General
Target: Setup.exe
Size: 2.4MB
MD5: 9fb4770ced09aae3b437c1c6eb6d7334
SHA1: fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256: a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512: 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
SSDEEP: 49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
Malware Config
Extracted family: lumma (C2 URL list)
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process    procid_target
  PID 3948 set thread context of 552   3948  Setup.exe  84

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3948  Setup.exe
  3948  Setup.exe
  552   netsh.exe
  552   netsh.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3948  Setup.exe
  552   netsh.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3948  Setup.exe
  3948  Setup.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process    procid_target
  PID 3948 wrote to memory of 552   3948  Setup.exe  84
  PID 3948 wrote to memory of 552   3948  Setup.exe  84
  PID 3948 wrote to memory of 552   3948  Setup.exe  84
  PID 3948 wrote to memory of 552   3948  Setup.exe  84
  PID 552 wrote to memory of 1716   552   netsh.exe  89
  PID 552 wrote to memory of 1716   552   netsh.exe  89
  PID 552 wrote to memory of 1716   552   netsh.exe  89
  PID 552 wrote to memory of 1716   552   netsh.exe  89
Processes

1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   PID: 3948
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe
      command line: C:\Windows\SysWOW64\netsh.exe
      PID: 552
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\SearchIndexer.exe
         command line: C:\Windows\SysWOW64\SearchIndexer.exe
         PID: 1716
Downloads

Filesize: 1.0MB
MD5: 766af7198185b728c5b7d98c3868555a
SHA1: 5f59de943450d8ac9d7e51cf2a79093da64c560f
SHA256: 1c498970cdb076855faf2cc43bed2aa933617b4ff27cae5cc6aac1957c102bb4
SHA512: 000bb5e1c8fd12b411dbadcc0958a60231fb939280dc5aa55c5a2dc383534e6bc1a40aeca4b8ca4a1aaa828f766ba52568fc560dc917acff3901afedca14579a