Analysis
- max time kernel: 111s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 15:39
Static task: static1
Behavioral task: behavioral1
Sample: Software_1.30.1.rar
Resource: win7-20240221-en
General
- Target: Software_1.30.1.rar
- Size: 11.1MB
- MD5: 6b793466d2bd5f3518ba8f652c349bbc
- SHA1: 0074d126f0b4015d04b3261b3bdc6f82701e49cc
- SHA256: 513d2ec0c996a97c554741d6f021dd8fb2a2637bc06047c70e26e33f71998b40
- SHA512: ff6e163ab3479c2d1217a4e9c69071f8d3326c25098587a53f5eb6ffb7438d4aa459a738f9def1cda9506dffb5d1964e1d89011a831158ef6fb20e20792833f4
- SSDEEP: 196608:VZ6u+eldqUsxKGyBhqQnDPNA92ILS1XezkIFRCCXqvO2IdfzNrYLdKkt:t+eDqPozBhqQnDPNmS1X76n9J1+Kkt
Malware Config
Extracted: lumma
- https://femininiespywageg.shop/api
- https://museumtespaceorsp.shop/api
- https://buttockdecarderwiso.shop/api
- https://averageaattractiionsl.shop/api
- https://employhabragaomlsp.shop/api
- https://stalfbaclcalorieeis.shop/api
- https://civilianurinedtsraov.shop/api
- https://roomabolishsnifftwk.shop/api
Signatures
- Executes dropped EXE (1 IoC)
  Processes (PID | Process):
  1468 | Software_1.30.1.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (Description | PID | Process | Target process):
  PID 1468 set thread context of 2180 | 1468 | Software_1.30.1.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (Description | IoC | Process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Modifies registry class (3 IoCs)
  Processes (Description | IoC | Process):
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (PID | Process):
  2612 | taskmgr.exe (all 25 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (PID | Process):
  2168 | OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (Description | PID | Process):
  Token: SeRestorePrivilege | 1060 | 7zG.exe
  Token: 35 | 1060 | 7zG.exe
  Token: SeSecurityPrivilege | 1060 | 7zG.exe
  Token: SeSecurityPrivilege | 1060 | 7zG.exe
  Token: SeDebugPrivilege | 2612 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2612 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2612 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (38 IoCs)
  Processes (PID | Process):
  1060 | 7zG.exe (1 IoC)
  2612 | taskmgr.exe (remaining 37 IoCs)
- Suspicious use of SendNotifyMessage (36 IoCs)
  Processes (PID | Process):
  2612 | taskmgr.exe (all 36 IoCs)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (PID | Process):
  2344 | OpenWith.exe (1 IoC)
  2168 | OpenWith.exe (remaining 13 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (Description | PID | Process | Target process):
  PID 1468 wrote to memory of 2180 | 1468 | Software_1.30.1.exe | RegAsm.exe (all 9 IoCs)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.rar
  - Modifies registry class
  PID: 888
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2344
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1180
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 2168
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19491:110:7zEvent3854
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1060
- C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software_1.30.1.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1468
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 1468)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2180
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 456KB
  MD5: c759ec5443cbfe889a818285fae8809a
  SHA1: be21bff0760e7a9f295ac7e347f8483afc353732
  SHA256: 56cf084e470f460202e795ea244413c7445d3aa7c83bc64b3891b1c8e6a7151b
  SHA512: 471a8a861ad0e43cabf699abfa1b7acaf422e2a90c8cadacd6d02dc068f4b74b3949f2a0abb8b894f6fd74886ba114410265efedf54402a49ab3a9117b01349d