Analysis
-
max time kernel
36s -
max time network
13s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
04-07-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
Installer/Installer.exe
Resource
win7-20240221-en
General
-
Target
Installer/Installer.exe
-
Size
627KB
-
MD5
fb34d2867b0e9b76b7397308d06a1f99
-
SHA1
8f78602c6f94e37d411e2d93f609fc4d83fc6e7c
-
SHA256
3552f5481c4c102368def25f8836b823ff99f709637c1f4c2df05006d7bbe68e
-
SHA512
d3f99a78b93dba8d60f1ec2e5b60038a24ed9dccf9cf212e2d7e54cdcf5a240be418443efe7d6b6fe5550ff351bfc60076f6422c3f6746ffb0992c440ec2df1a
-
SSDEEP
12288:xSjzAHddkL4iiO2xqC+JuQDZMRRG5DUvYEOhIwC59VETELZ5rW2steZxSAQMirjE:xSjzA9dBD2I
Malware Config
Extracted
lumma
https://stationacutwo.shop/api
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
Installer.exepid process 4592 Installer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Installer.exedescription pid process target process PID 4592 set thread context of 4332 4592 Installer.exe aspnet_regiis.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
aspnet_regiis.exepid process 4332 aspnet_regiis.exe 4332 aspnet_regiis.exe 4332 aspnet_regiis.exe 4332 aspnet_regiis.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Installer.exedescription pid process target process PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe PID 4592 wrote to memory of 4332 4592 Installer.exe aspnet_regiis.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4332
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD5036ad99c0cd556d3c78370d54d9d5cb8
SHA1917cabadff79e6b3ae9fccceb4255c72dce545c2
SHA256219c10326c4a2b864645ceb28f79dfb09b609123a7da18c0798f5bac051063f9
SHA5127593c832147d3bc7c6ebc4efd625370bdfcb9e1ff7dc45ae9ba91107c79c19ff6f75129583077a6bc30fb52f35f3c9ec5b1c16bed4436e6dd62060ca8cace531