Analysis
Max time kernel: 148s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25-05-2024 14:28
Static task: static1
Behavioral task: behavioral1
Sample: Setup.exe
Resource: win7-20240220-en
General
Target: Setup.exe
Size: 457KB
MD5: ee80b9f0a83d2da66013b0bb69964171
SHA1: 047e1549b4e9c8a3de441297bdc2656b1430a64c
SHA256: bbd4ebadb6cf95a4eca65d3c77a250c88d54c31ce76ae11b7fa3fb13d1c4588a
SHA512: 7eaeb5c1c2efc57f42ef1da91ac836fdf2316cd2cd32626a8b7178b4e1cca81ef6f38e8775260f836f1c06033fbc3b29688886574aa7e9035f96d2bb8e295008
SSDEEP: 6144:P0KBmV04bcIGQ43L6kHUuXfwL//Vpbaq5G8QVmtGBdFzOMgdHyCwykoc4oSrSy5B:MKBmV00f7Vf6QM2SCCaomh5QIde
Malware Config
Extracted family: lumma
C2 endpoints recovered from the configuration (live infrastructure at the time of analysis; treat as IOCs, do not browse to them):
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
Signatures
Suspicious use of SetThreadContext (1 IoC)
Process: Setup.exe
description | pid | process | target process
PID 4796 set thread context of 4860 | 4796 | Setup.exe | RegAsm.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Process: Setup.exe
description | pid | process | target process
PID 4796 wrote to memory of 4860 | 4796 | Setup.exe | RegAsm.exe (the same event is recorded 9 times)

Taken together these two signatures describe process hollowing: Setup.exe, running from the user's %TEMP%, launches the signed Microsoft binary RegAsm.exe, overwrites its memory with repeated WriteProcessMemory calls, then redirects execution into the written payload with SetThreadContext. The Lumma payload therefore executes under the identity of a trusted .NET framework utility rather than the dropper. RegAsm.exe is normally invoked with an assembly path to register a COM-visible .NET component; a RegAsm.exe started with no arguments by a parent in a user-writable directory is itself a strong hunting lead independent of the memory-write events.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 4796)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4860), child of PID 4796
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
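The following is an added example and is not part of the sandbox report or its tooling. It turns the flattened Signatures and Processes text above into structured events, flags the WriteProcessMemory-then-SetThreadContext hollowing pattern when the source lives in a user-writable directory and the target is a .NET framework utility, and defangs the extracted Lumma C2 URLs for sharing. The event text, process paths and URLs are copied from this report; the list of .NET hosts, the user-writable path fragments and all function names are this example's own assumptions.

```python
# Added example (not the sandbox's own code): parse the report's flattened
# signature events, detect the hollowing pattern, and defang C2 URLs.
import re
from collections import defaultdict
from urllib.parse import urlparse

# Event text as it appears in the report's Signatures section (run together
# on one line: one SetThreadContext event followed by nine memory writes).
SIGNATURE_TEXT = (
    "PID 4796 set thread context of 4860 4796 Setup.exe RegAsm.exe "
    + "PID 4796 wrote to memory of 4860 4796 Setup.exe RegAsm.exe " * 9
)

# Process tree from the report: pid -> image path.
PROCESSES = {
    4796: r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
    4860: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
}

# C2 URLs from the report's Malware Config section.
C2_URLS = [
    "https://museumtespaceorsp.shop/api",
    "https://buttockdecarderwiso.shop/api",
    "https://averageaattractiionsl.shop/api",
    "https://femininiespywageg.shop/api",
    "https://employhabragaomlsp.shop/api",
    "https://stalfbaclcalorieeis.shop/api",
    "https://civilianurinedtsraov.shop/api",
    "https://roomabolishsnifftwk.shop/api",
]

# Matches "PID <src> <action> <dst> <src again> <src image> <dst image>".
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Assumption: signed .NET framework utilities commonly abused as hollowing hosts.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Assumption: path fragments treated as user-writable staging locations.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\downloads", r"\users\public")


def parse_events(text):
    """Return one dict per event; finditer copes with newline- or space-joined input."""
    return [
        {"src": int(m["src"]), "dst": int(m["dst"]), "action": m["action"],
         "src_img": m["src_img"], "dst_img": m["dst_img"]}
        for m in EVENT_RE.finditer(text)
    ]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowing(events, processes):
    """Flag (src, dst) pairs that show both a memory write and a thread-context
    change, where dst is a .NET host and src runs from a user-writable path."""
    by_pair = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for e in events:
        counter = "writes" if e["action"] == "wrote to memory of" else "ctx"
        by_pair[(e["src"], e["dst"])][counter] += 1
    findings = []
    for (src, dst), c in by_pair.items():
        src_path, dst_path = processes.get(src, ""), processes.get(dst, "")
        if (c["writes"] and c["ctx"]
                and basename(dst_path) in NET_HOSTS
                and any(frag in src_path.lower() for frag in USER_WRITABLE)):
            findings.append({"source_pid": src, "target_pid": dst,
                             "source": src_path, "target": dst_path,
                             "write_count": c["writes"], "ctx_count": c["ctx"]})
    return findings


def defang(url):
    """hxxps://host[.]tld/path form so a live C2 URL cannot be clicked by accident."""
    u = urlparse(url)
    return f"{u.scheme.replace('tt', 'xx')}://{u.netloc.replace('.', '[.]')}{u.path}"


def c2_domains(urls):
    """Sorted unique C2 hostnames, e.g. for a DNS blocklist."""
    return sorted({urlparse(u).netloc for u in urls})


if __name__ == "__main__":
    for f in find_hollowing(parse_events(SIGNATURE_TEXT), PROCESSES):
        print(f"hollowing: {f['source']} (pid {f['source_pid']}) -> "
              f"{f['target']} (pid {f['target_pid']}), "
              f"{f['write_count']} writes, {f['ctx_count']} SetThreadContext")
    for u in C2_URLS:
        print(defang(u))
```

The detection deliberately requires all three conditions (memory write plus thread-context change into the same child, a .NET host as the target, a user-writable source path): installers legitimately call RegAsm.exe, and debuggers legitimately call SetThreadContext, but the combination from %TEMP% is what this report shows and what is worth alerting on.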