Analysis
max time kernel: 141s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 17:44
Static task: static1
Behavioral task: behavioral1
Sample: installer.exe
Resource: win7-20240221-en
General
Target: installer.exe
Size: 461KB
MD5: 884f5848d30cf185a5a71d4f8ddbcda2
SHA1: a8148b8d3b8ffaa3f4acafe524b2f3bbc8c7c069
SHA256: cbd2c1968efc201812143c4d37f51493f5be63865d1a106ecddfe174ff9c4505
SHA512: 14b3a23a05a37cb75f11ee7edeba27d63c73c9cebbf190c7b38b6dd3f182c60fdb9ee39dbd011b7be79e621674db282cce392ff464e7cdbe7ac4c5db3623b668
SSDEEP: 12288:HnIIAxNYp+Of87ZO533+zcjg7VYztOXFn:HIIGYpvmKuzb7gen
Malware Config
Extracted
Family: lumma
C2:
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
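The extracted C2 list is the most actionable indicator in this report. The block below, an added example that is not part of the sandbox output, reduces the eight URLs to hostnames and matches them (and any subdomain of them) against arbitrary proxy or DNS log lines. The log formats and the sample lines are constructed for illustration; only the URL list is taken from the report.

```python
"""Match the extracted Lumma C2 URLs against proxy/DNS log lines.

Added example, not part of the sandbox report. The log format (a
Squid-style access line and a plain DNS query line) and the sample
lines are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted in the report's Malware Config section.
LUMMA_C2_URLS = [
    "https://museumtespaceorsp.shop/api",
    "https://buttockdecarderwiso.shop/api",
    "https://averageaattractiionsl.shop/api",
    "https://femininiespywageg.shop/api",
    "https://employhabragaomlsp.shop/api",
    "https://stalfbaclcalorieeis.shop/api",
    "https://civilianurinedtsraov.shop/api",
    "https://roomabolishsnifftwk.shop/api",
]


def c2_hosts(urls):
    """Reduce the URL list to a set of lowercase hostnames.

    Matching on the host rather than the full URL survives path or
    scheme changes and also catches subdomains of a listed host.
    """
    return {urlparse(u).hostname.lower() for u in urls}


# Any dotted name ending in an alphabetic TLD; IPs and timestamps do not match.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def _host_matches(candidate, hosts):
    """True if candidate equals a C2 host or is a subdomain of one."""
    candidate = candidate.lower()
    return any(candidate == h or candidate.endswith("." + h) for h in hosts)


def scan_log(lines, urls=LUMMA_C2_URLS):
    """Return (line_no, matched_host, line) for every line touching a C2 host.

    Every dotted token is tested, so DNS queries, proxy URLs and TLS SNI
    fields are all caught without a per-format parser. An IP-only line
    cannot match: the report gives domains, not resolved addresses.
    """
    hosts = c2_hosts(urls)
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_RE.findall(line):
            if _host_matches(token, hosts):
                hits.append((n, token.lower(), line))
                break  # one hit per line is enough
    return hits


# Constructed sample lines (not from the report): one proxy CONNECT to a
# listed C2, one DNS query for a subdomain of a listed C2, one benign.
SAMPLE_LOG = [
    "1716140700.123 211 10.0.0.25 TCP_TUNNEL/200 4431 CONNECT museumtespaceorsp.shop:443 - HIER_DIRECT/203.0.113.10 -",
    "2024-05-19 17:45:02 client 10.0.0.25 query: cdn.roomabolishsnifftwk.shop IN A",
    "1716140701.456 98 10.0.0.26 TCP_MISS/200 1203 GET https://www.microsoft.com/ - HIER_DIRECT/198.51.100.5 text/html",
]

if __name__ == "__main__":
    for n, host, _line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host}")
```

Host-level matching is deliberate: Lumma operators rotate the `/api` path and the scheme more readily than the registered domain, and a DNS log never carries the path at all.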
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes: installer.exe
description | pid | process | procid_target
PID 912 set thread context of 4004 | 912 | installer.exe | 84
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: installer.exe
description | pid | process | procid_target
PID 912 wrote to memory of 4004 | 912 | installer.exe | 84 (this row appears 9 times in the report, one per write)
Read together, these two signatures describe one parent (PID 912, installer.exe) writing repeatedly into the address space of the child it spawned (PID 4004, RegAsm.exe) and then setting that child's thread context. That is the process-hollowing / thread-hijack injection pattern: the payload is copied into a legitimate, Microsoft-signed .NET host and its thread is redirected to run it, so the Lumma payload whose C2 configuration was extracted above executes under the RegAsm.exe image rather than under installer.exe. WriteProcessMemory alone is common in benign software; the combination with SetThreadContext against the same target is the detection-worthy part.
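As an added example (not part of the sandbox report), the block below parses signature rows in exactly the flattened form the report prints them and raises one finding per source/target pair that shows both WriteProcessMemory and SetThreadContext. The rows are the report's own; the parser, the pairing logic and the optional PID-to-image map are assumptions of this example.

```python
"""Detect the process-injection pattern in the report's signature rows.

Added example, not part of the sandbox report. The rows below are the
report's own "Suspicious use of ..." entries; the parser, the pairing
logic and the target-image lookup are this example's own additions.
"""
import re
from collections import defaultdict

# One signature row as the report prints it. The trailing number is the
# sandbox's internal index of the target process (procid_target).
ROW_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid_target>\d+)"
)


def parse_row(row):
    """Turn one flattened row into a dict; raise on anything unexpected."""
    m = ROW_RE.fullmatch(row.strip())
    if not m:
        raise ValueError(f"unrecognised signature row: {row!r}")
    d = m.groupdict()
    return {
        "pid": int(d["pid"]),
        "action": "set_thread_context" if d["action"].startswith("set") else "write_memory",
        "target": int(d["target"]),
        "image": d["image"],
        "procid_target": int(d["procid_target"]),
    }


def detect_injection(rows, target_images=None):
    """Return one finding per (source, target) pair showing both primitives.

    WriteProcessMemory alone is common (debuggers, installers, AV);
    SetThreadContext alone is rarer but not conclusive. The same source
    doing both to the same target is the hollowing / thread-hijack
    sequence worth alerting on. target_images optionally maps target
    PIDs to image paths so the finding can name what was hollowed.
    """
    target_images = target_images or {}
    seen = defaultdict(lambda: {"write_memory": 0, "set_thread_context": 0, "image": None})
    for r in map(parse_row, rows):
        key = (r["pid"], r["target"])
        seen[key][r["action"]] += 1
        seen[key]["image"] = r["image"]
    findings = []
    for (src, dst), c in seen.items():
        if c["write_memory"] and c["set_thread_context"]:
            findings.append({
                "source_pid": src,
                "source_image": c["image"],
                "target_pid": dst,
                "target_image": target_images.get(dst),
                "writes": c["write_memory"],
                "context_sets": c["set_thread_context"],
                "technique": "process hollowing / thread hijack",
            })
    return findings


# The report's rows, verbatim (nine identical write rows, one context row).
REPORT_ROWS = ["PID 912 wrote to memory of 4004 912 installer.exe 84"] * 9 + [
    "PID 912 set thread context of 4004 912 installer.exe 84"
]
# Target image taken from the report's process tree.
REPORT_TARGETS = {4004: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"}

if __name__ == "__main__":
    for finding in detect_injection(REPORT_ROWS, REPORT_TARGETS):
        print(finding)
```

The pairing is what keeps the false-positive rate down: a finding requires both primitives from the same source against the same target, so the nine writes on their own produce nothing.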
Processes
C:\Users\Admin\AppData\Local\Temp\installer.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  PID: 912
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2, child of PID 912)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 4004