Analysis
- max time kernel: 145s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 19:35
Static task
- static1
Behavioral tasks
- behavioral1: Sample !ŞetUp_51286--#PaSꞨKḙy#$$/Setup.exe, Resource win7-20240221-en
- behavioral2: Sample !ŞetUp_51286--#PaSꞨKḙy#$$/Setup.exe, Resource win10v2004-20240704-en
- behavioral3: Sample !ŞetUp_51286--#PaSꞨKḙy#$$/Setup.exe, Resource win11-20240508-en
General
- Target: !ŞetUp_51286--#PaSꞨKḙy#$$/Setup.exe
- Size: 1.1MB
- MD5: f975a2d83d63a473fa2fc5206b66bb79
- SHA1: e49d21f112ab27ae0953aff30ae122440cf164b9
- SHA256: 6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8
- SHA512: 4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64
- SSDEEP: 12288:IbCylcTVPbi7vT1K7n6HpVkg8KHIo5u0K1VmMxEnbuvuY2jTU+LHMA+nk2oG1ts:4lcTVPbikTMkg8KH/mmMxnvfphx8
Malware Config
Extracted
- lumma
- https://unwielldyzpwo.shop/api
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Downloads MZ/PE file
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Setup.exe, 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe
  description | pid | process | target process
  PID 4604 set thread context of 1552 | 4604 | Setup.exe | more.com
  PID 3908 set thread context of 4212 | 3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | comp.exe
  PID 3288 set thread context of 4172 | 3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe | comp.exe
- Drops file in Windows directory (2 IoCs)
  Processes: comp.exe, comp.exe
  description | ioc | process
  File created | C:\Windows\Tasks\CefSharp.BrowserSubprocess.job | comp.exe
  File created | C:\Windows\Tasks\Managed Machine Service Mini.job | comp.exe
- Executes dropped EXE (2 IoCs)
  Processes: 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe
  pid | process
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: Setup.exe, more.com, SearchIndexer.exe, 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe, comp.exe, comp.exe, powershell.exe
  pid | process
  4604 | Setup.exe
  4604 | Setup.exe
  1552 | more.com
  1552 | more.com
  216 | SearchIndexer.exe
  216 | SearchIndexer.exe
  216 | SearchIndexer.exe
  216 | SearchIndexer.exe
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  4212 | comp.exe
  4212 | comp.exe
  4172 | comp.exe
  4172 | comp.exe
  2580 | powershell.exe
  2580 | powershell.exe
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: Setup.exe, more.com, 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe, comp.exe, comp.exe
  pid | process
  4604 | Setup.exe
  1552 | more.com
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  4212 | comp.exe
  4172 | comp.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 2580 | powershell.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe
  pid | process
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes: Setup.exe, more.com, SearchIndexer.exe, 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe, 5N57UY572XC7M2XUVGVS7NN55FL.exe, comp.exe, comp.exe, explorer.exe
  description | pid | process | target process
  PID 4604 wrote to memory of 1552 | 4604 | Setup.exe | more.com
  PID 4604 wrote to memory of 1552 | 4604 | Setup.exe | more.com
  PID 4604 wrote to memory of 1552 | 4604 | Setup.exe | more.com
  PID 4604 wrote to memory of 1552 | 4604 | Setup.exe | more.com
  PID 1552 wrote to memory of 216 | 1552 | more.com | SearchIndexer.exe
  PID 1552 wrote to memory of 216 | 1552 | more.com | SearchIndexer.exe
  PID 1552 wrote to memory of 216 | 1552 | more.com | SearchIndexer.exe
  PID 1552 wrote to memory of 216 | 1552 | more.com | SearchIndexer.exe
  PID 216 wrote to memory of 3908 | 216 | SearchIndexer.exe | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  PID 216 wrote to memory of 3908 | 216 | SearchIndexer.exe | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  PID 216 wrote to memory of 3908 | 216 | SearchIndexer.exe | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe
  PID 3908 wrote to memory of 4212 | 3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | comp.exe
  PID 3908 wrote to memory of 4212 | 3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | comp.exe
  PID 3908 wrote to memory of 4212 | 3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | comp.exe
  PID 216 wrote to memory of 3288 | 216 | SearchIndexer.exe | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  PID 216 wrote to memory of 3288 | 216 | SearchIndexer.exe | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  PID 216 wrote to memory of 3288 | 216 | SearchIndexer.exe | 5N57UY572XC7M2XUVGVS7NN55FL.exe
  PID 3288 wrote to memory of 4172 | 3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe | comp.exe
  PID 3288 wrote to memory of 4172 | 3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe | comp.exe
  PID 3288 wrote to memory of 4172 | 3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe | comp.exe
  PID 3908 wrote to memory of 4212 | 3908 | 3XJKGGKKAP7WHKELR8UQONZC35RFI.exe | comp.exe
  PID 3288 wrote to memory of 4172 | 3288 | 5N57UY572XC7M2XUVGVS7NN55FL.exe | comp.exe
  PID 4212 wrote to memory of 2044 | 4212 | comp.exe | explorer.exe
  PID 4212 wrote to memory of 2044 | 4212 | comp.exe | explorer.exe
  PID 4212 wrote to memory of 2044 | 4212 | comp.exe | explorer.exe
  PID 4172 wrote to memory of 2996 | 4172 | comp.exe | explorer.exe
  PID 4172 wrote to memory of 2996 | 4172 | comp.exe | explorer.exe
  PID 4172 wrote to memory of 2996 | 4172 | comp.exe | explorer.exe
  PID 4212 wrote to memory of 2044 | 4212 | comp.exe | explorer.exe
  PID 4212 wrote to memory of 2044 | 4212 | comp.exe | explorer.exe
  PID 4172 wrote to memory of 2996 | 4172 | comp.exe | explorer.exe
  PID 4172 wrote to memory of 2996 | 4172 | comp.exe | explorer.exe
  PID 2996 wrote to memory of 2580 | 2996 | explorer.exe | powershell.exe
  PID 2996 wrote to memory of 2580 | 2996 | explorer.exe | powershell.exe
  PID 2996 wrote to memory of 2580 | 2996 | explorer.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe (PID 4604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_51286--#PaSꞨKḙy#$$\Setup.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\more.com (PID 1552)
    Command line: C:\Windows\SysWOW64\more.com
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\SearchIndexer.exe (PID 216)
      Command line: C:\Windows\SysWOW64\SearchIndexer.exe
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe (PID 3908)
        Command line: "C:\Users\Admin\AppData\Local\Temp\3XJKGGKKAP7WHKELR8UQONZC35RFI.exe"
        Signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\comp.exe (PID 4212)
          Command line: C:\Windows\SysWOW64\comp.exe
          Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\explorer.exe (PID 2044)
            Command line: C:\Windows\SysWOW64\explorer.exe
      - C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe (PID 3288)
        Command line: "C:\Users\Admin\AppData\Local\Temp\5N57UY572XC7M2XUVGVS7NN55FL.exe"
        Signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\comp.exe (PID 4172)
          Command line: C:\Windows\SysWOW64\comp.exe
          Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\explorer.exe (PID 2996)
            Command line: C:\Windows\SysWOW64\explorer.exe
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2580)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
              Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads