Analysis
max time kernel: 31s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 14:25
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20240221-en
General
Target: Setup.exe
Size: 457KB
MD5: ee80b9f0a83d2da66013b0bb69964171
SHA1: 047e1549b4e9c8a3de441297bdc2656b1430a64c
SHA256: bbd4ebadb6cf95a4eca65d3c77a250c88d54c31ce76ae11b7fa3fb13d1c4588a
SHA512: 7eaeb5c1c2efc57f42ef1da91ac836fdf2316cd2cd32626a8b7178b4e1cca81ef6f38e8775260f836f1c06033fbc3b29688886574aa7e9035f96d2bb8e295008
SSDEEP: 6144:P0KBmV04bcIGQ43L6kHUuXfwL//Vpbaq5G8QVmtGBdFzOMgdHyCwykoc4oSrSy5B:MKBmV00f7Vf6QM2SCCaomh5QIde
Malware Config
Extracted: lumma
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes (Setup.exe):
  description         pid   process    target PID  target process
  set thread context  4812  Setup.exe  1084        RegAsm.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (taskmgr.exe):
  description        ioc                                                                                                                       process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                          taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName             taskmgr.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (taskmgr.exe):
  pid  process
  464  taskmgr.exe  (22 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (taskmgr.exe):
  description                      pid  process
  Token: SeDebugPrivilege          464  taskmgr.exe
  Token: SeSystemProfilePrivilege  464  taskmgr.exe
  Token: SeCreateGlobalPrivilege   464  taskmgr.exe

Suspicious use of FindShellTrayWindow (31 IoCs)
Processes (taskmgr.exe):
  pid  process
  464  taskmgr.exe  (31 identical entries)

Suspicious use of SendNotifyMessage (31 IoCs)
Processes (taskmgr.exe):
  pid  process
  464  taskmgr.exe  (31 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (Setup.exe):
  description      pid   process    target PID  target process
  wrote to memory  4812  Setup.exe  1084        RegAsm.exe  (9 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 4812
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1084

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 464
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage