Overview
overview
10Static
static
3Main_Satup/Setup.exe
windows7-x64
1Main_Satup/Setup.exe
windows10-2004-x64
10Main_Satup...er.dll
windows7-x64
1Main_Satup...er.dll
windows10-2004-x64
1Main_Satup...ay.asp
windows7-x64
3Main_Satup...ay.asp
windows10-2004-x64
3Main_Satup/slavey.svg
windows7-x64
1Main_Satup/slavey.svg
windows10-2004-x64
1Analysis
-
max time kernel
134s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 08:59
Static task
static1
Behavioral task
behavioral1
Sample
Main_Satup/Setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Main_Satup/Setup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Main_Satup/WebView2Loader.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Main_Satup/WebView2Loader.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Main_Satup/rockaway.asp
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
Main_Satup/rockaway.asp
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Main_Satup/slavey.svg
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
Main_Satup/slavey.svg
Resource
win10v2004-20240426-en
General
-
Target
Main_Satup/Setup.exe
-
Size
1.1MB
-
MD5
c047ae13fc1e25bc494b17ca10aa179e
-
SHA1
e293c7815c0eb8fbc44d60a3e9b27bd91b44b522
-
SHA256
6c30c8a2e827f48fcfc934dd34fb2cb10acb8747fd11faae085d8ad352c01fbf
-
SHA512
0cfb96d23b043bcb954cc307f85e5bbc349c0c8a0c6eaa335ea9a8fa19ce65b047f30ed0049562d40880400d4f70e3bb28975d6970f3ae4af6da1ba06e36d48c
-
SSDEEP
12288:a9hZPq27B7+x3dPC4gvgdVwTzDxsVyY4YoUwpf5kpRG6xsfJAYo2R0B5YD5sW91A:STS27B7+x3E4tdS/Dxkd4YoDfZ90gLS
Malware Config
Extracted
lumma
https://tubewelfaredopw.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Uhzi.au3pid process 3212 Uhzi.au3 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Setup.exedescription pid process target process PID 1808 set thread context of 3000 1808 Setup.exe more.com -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
Setup.exemore.comtaskmgr.exepid process 1808 Setup.exe 1808 Setup.exe 3000 more.com 3000 more.com 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Setup.exemore.compid process 1808 Setup.exe 3000 more.com -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 1036 taskmgr.exe Token: SeSystemProfilePrivilege 1036 taskmgr.exe Token: SeCreateGlobalPrivilege 1036 taskmgr.exe Token: 33 1036 taskmgr.exe Token: SeIncBasePriorityPrivilege 1036 taskmgr.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
Processes:
taskmgr.exepid process 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe -
Suspicious use of SendNotifyMessage 38 IoCs
Processes:
taskmgr.exepid process 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe 1036 taskmgr.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Setup.exemore.comdescription pid process target process PID 1808 wrote to memory of 3000 1808 Setup.exe more.com PID 1808 wrote to memory of 3000 1808 Setup.exe more.com PID 1808 wrote to memory of 3000 1808 Setup.exe more.com PID 1808 wrote to memory of 3000 1808 Setup.exe more.com PID 3000 wrote to memory of 3212 3000 more.com Uhzi.au3 PID 3000 wrote to memory of 3212 3000 more.com Uhzi.au3 PID 3000 wrote to memory of 3212 3000 more.com Uhzi.au3 PID 3000 wrote to memory of 3212 3000 more.com Uhzi.au3 PID 3000 wrote to memory of 3212 3000 more.com Uhzi.au3
Processes
-
C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Main_Satup\Setup.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\Uhzi.au3C:\Users\Admin\AppData\Local\Temp\Uhzi.au33⤵
- Loads dropped DLL
PID:3212
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:3560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5dab8ad449fa107af11069be9181f3136
SHA1c4bb7f8ff07f21786c352450edde3e5d11362211
SHA256066817cc59d7783b02fdafb3c971ee12893fc1affacc58ae06298dfce3738c60
SHA5121f20b1f0bb52fc85af4481216e399639940511413c2b7c129f22ef7394c140597127303b6767dc6b2b7a11bd110ceca54106988dbe7b384c6be9550256185546
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c