Analysis
- max time kernel: 145s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 13:19

Static task: static1
Behavioral task: behavioral1
- Sample: Setup_Files/Setup.exe
- Resource: win7-20240704-en
General
- Target: Setup_Files/Setup.exe
- Size: 662.5MB
- MD5: 59839dad3c13480e4f29ad32afdc8fb1
- SHA1: 2d66cf175875f98784f9be66d832dee8cbad5a69
- SHA256: 002f5b2aa14a46544ac266bc78a348d71480c474fd00bc01708ce1dcba1291ee
- SHA512: 3ae89c0f7c0fba2f0b6f6db95abc12ba4f628a3615ae1fb4a8a402dfa7bc875890eb8c708bb68303eb9dde835572cef2ca45cdd93ff20d279525ba9b8514477e
- SSDEEP: 196608:Dpcugy7TlXNdj+P64+S+rt7hOD6ZJHXg4nhVUGbP4X3bOq2JRuwt:Dpcu7k6FkAZL
Malware Config
Extracted
- Family: lumma
- C2: https://absentjuks.shop/api
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2228  624OHNX8HXG7UC98X3MR1NHY.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (pid, process -> target pid, target process):
    5048  Setup.exe                        set thread context of  1128  comp.exe
    2228  624OHNX8HXG7UC98X3MR1NHY.exe     set thread context of  1632  more.com
    1632  more.com                         set thread context of  1244  regsvr32.exe
- Drops file in Windows directory (1 IoC)
  Processes (description, ioc, process):
    File created  C:\Windows\Tasks\NLSvc Service.job  more.com
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid, process):
    5048  Setup.exe
    5048  Setup.exe
    1128  comp.exe
    1128  comp.exe
    2304  SearchIndexer.exe
    2304  SearchIndexer.exe
    2304  SearchIndexer.exe
    2304  SearchIndexer.exe
    2228  624OHNX8HXG7UC98X3MR1NHY.exe
    2228  624OHNX8HXG7UC98X3MR1NHY.exe
    1632  more.com
    1632  more.com
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
    5048  Setup.exe
    1128  comp.exe
    2228  624OHNX8HXG7UC98X3MR1NHY.exe
    1632  more.com
    1632  more.com
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (pid, process -> target pid, target process):
    5048  Setup.exe                        wrote to memory of  1128  comp.exe
    5048  Setup.exe                        wrote to memory of  1128  comp.exe
    5048  Setup.exe                        wrote to memory of  1128  comp.exe
    5048  Setup.exe                        wrote to memory of  1128  comp.exe
    1128  comp.exe                         wrote to memory of  2304  SearchIndexer.exe
    1128  comp.exe                         wrote to memory of  2304  SearchIndexer.exe
    1128  comp.exe                         wrote to memory of  2304  SearchIndexer.exe
    1128  comp.exe                         wrote to memory of  2304  SearchIndexer.exe
    2304  SearchIndexer.exe                wrote to memory of  2228  624OHNX8HXG7UC98X3MR1NHY.exe
    2304  SearchIndexer.exe                wrote to memory of  2228  624OHNX8HXG7UC98X3MR1NHY.exe
    2228  624OHNX8HXG7UC98X3MR1NHY.exe     wrote to memory of  1632  more.com
    2228  624OHNX8HXG7UC98X3MR1NHY.exe     wrote to memory of  1632  more.com
    2228  624OHNX8HXG7UC98X3MR1NHY.exe     wrote to memory of  1632  more.com
    2228  624OHNX8HXG7UC98X3MR1NHY.exe     wrote to memory of  1632  more.com
    1632  more.com                         wrote to memory of  1244  regsvr32.exe
    1632  more.com                         wrote to memory of  1244  regsvr32.exe
    1632  more.com                         wrote to memory of  1244  regsvr32.exe
    1632  more.com                         wrote to memory of  1244  regsvr32.exe
Processes (process tree, one level of indentation per parent/child step)
- C:\Users\Admin\AppData\Local\Temp\Setup_Files\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup_Files\Setup.exe"
  PID: 5048
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\comp.exe
    Command line: C:\Windows\SysWOW64\comp.exe
    PID: 1128
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\SearchIndexer.exe
      Command line: C:\Windows\SysWOW64\SearchIndexer.exe
      PID: 2304
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\624OHNX8HXG7UC98X3MR1NHY.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\624OHNX8HXG7UC98X3MR1NHY.exe"
        PID: 2228
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\more.com
          Command line: C:\Windows\SysWOW64\more.com
          PID: 1632
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regsvr32.exe
            Command line: C:\Windows\SysWOW64\regsvr32.exe
            PID: 1244
Network
MITRE ATT&CK Enterprise v15
Downloads