Analysis
max time kernel: 146s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 14:59

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-20240705-en
  0 signatures, 150 seconds
General
Target: setup.exe
Size: 12.5MB
MD5: 0b7e6ef92b0cfa06d61ba19b250c3c7f
SHA1: 1bfe28646c8b4e20e94926ea1987d64228095bfe
SHA256: 15f779bef759b5566c409ab78d4fe244dc224c669cf3f67b0b93f89520261ae7
SHA512: 2711d92c167ebbb060b2025062018ec67e4f39ed7783722b84ed145e32b7c1673341f993405070dea55ead256d38d6d97512d6087cb5685358f33fab4c906d2f
SSDEEP: 49152:FLfQjGFDZLiY0JXPGgqbw++DwCJXfbS8nfoD3GZvv5dQux6hICgG7vAY6xEasrEW:DLuXO1+iGZvtzpspES6EIA4anfL
Malware Config
Extracted
Family: lumma
C2: https://bannngwko.shop/api
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid   process    target process
  PID 2360 set thread context of 3396  2360  setup.exe  BitLockerToGo.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  3396  BitLockerToGo.exe
  3396  BitLockerToGo.exe
  3396  BitLockerToGo.exe
  3396  BitLockerToGo.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                      pid   process    target process
  PID 2360 wrote to memory of 3396  2360  setup.exe  BitLockerToGo.exe
  PID 2360 wrote to memory of 3396  2360  setup.exe  BitLockerToGo.exe
  PID 2360 wrote to memory of 3396  2360  setup.exe  BitLockerToGo.exe
  PID 2360 wrote to memory of 3396  2360  setup.exe  BitLockerToGo.exe
  PID 2360 wrote to memory of 3396  2360  setup.exe  BitLockerToGo.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
   PID: 2360
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of PID 2360)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 3396
      - Suspicious behavior: EnumeratesProcesses