Analysis

max time kernel: 544s
max time network: 1182s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 17:28

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: setup.exe
Resource: win7-20240508-en
0 signatures
1800 seconds
General

Target: setup.exe
Size: 12.5MB
MD5: 0b7e6ef92b0cfa06d61ba19b250c3c7f
SHA1: 1bfe28646c8b4e20e94926ea1987d64228095bfe
SHA256: 15f779bef759b5566c409ab78d4fe244dc224c669cf3f67b0b93f89520261ae7
SHA512: 2711d92c167ebbb060b2025062018ec67e4f39ed7783722b84ed145e32b7c1673341f993405070dea55ead256d38d6d97512d6087cb5685358f33fab4c906d2f
SSDEEP: 49152:FLfQjGFDZLiY0JXPGgqbw++DwCJXfbS8nfoD3GZvv5dQux6hICgG7vAY6xEasrEW:DLuXO1+iGZvtzpspES6EIA4anfL
Malware Config

Extracted
Family: lumma
C2: https://bannngwko.shop/api
Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          | pid  | process   | target process
  PID 2300 set thread context of 1056  | 2300 | setup.exe | BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  1056 | BitLockerToGo.exe
  1056 | BitLockerToGo.exe
  1056 | BitLockerToGo.exe
  1056 | BitLockerToGo.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                      | pid  | process   | target process
  PID 2300 wrote to memory of 1056 | 2300 | setup.exe | BitLockerToGo.exe
  PID 2300 wrote to memory of 1056 | 2300 | setup.exe | BitLockerToGo.exe
  PID 2300 wrote to memory of 1056 | 2300 | setup.exe | BitLockerToGo.exe
  PID 2300 wrote to memory of 1056 | 2300 | setup.exe | BitLockerToGo.exe
  PID 2300 wrote to memory of 1056 | 2300 | setup.exe | BitLockerToGo.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
   PID: 2300
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 1056
      - Suspicious behavior: EnumeratesProcesses