Analysis
- max time kernel: 165s
- max time network: 204s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 20:10
Static task: static1
Behavioral task: behavioral1
- Sample: infected.zip
- Resource: win10v2004-20240704-en
Behavioral task: behavioral2
- Sample: infected.zip
- Resource: win11-20240704-en
General
- Target: infected.zip
- Size: 4.0MB
- MD5: 101a3061619bdb9e71bb91fa32eefb9b
- SHA1: 41b3a2605900d72ed4221a4c2c8e79bd3c6aa5d6
- SHA256: 78921f75ee30f950b9cfa43a79f92edc2589cc0e813f22ebdb4993ab5b4926ac
- SHA512: 6198e59f69502ca9e9cd65d90270907e932c46db51c125cc0c23d1ba7702e03a4c9f0d42822648e2a5d49d8d676447d9d3ec125b7b4f29790dde4b8f940c1bec
- SSDEEP: 98304:g6aZ3ofc1iwhDYibIQ4QvIHQvgfcuJQF4sZvjtAoIyuUu5rayqWeoB7/:g6u3ec1iwhDcQ4Qr+AtZuUWraysGr
Malware Config
Extracted
- Family: lumma
- C2: https://unwielldyzpwo.shop/api
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Setup.exe (PID 1720)
- Loads dropped DLL (1 IoC)
  Processes: Setup.exe (PID 1720)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1720 (Setup.exe) set thread context of PID 4232 (more.com)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: Setup.exe (PID 1720, 2 entries), more.com (PID 4232, 2 entries), SearchIndexer.exe (PID 1908, 4 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Setup.exe (PID 1720), more.com (PID 4232)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 7zG.exe (PID 628): Token SeRestorePrivilege; Token 35; Token SeSecurityPrivilege; Token SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 7zG.exe (PID 628)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PID 1720 (Setup.exe) wrote to memory of PID 4232 (more.com), 4 entries; PID 4232 (more.com) wrote to memory of PID 1908 (SearchIndexer.exe), 4 entries
Processes
- C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\infected.zip (PID 4136)
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 2288)
- "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19623:96:7zEvent11900 (PID 628)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- "C:\Users\Admin\AppData\Local\Temp\Program\Setup.exe" (PID 1720)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\more.com (PID 4232, child of PID 1720)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\SearchIndexer.exe (PID 1908, child of PID 4232)
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads