Analysis
Max time kernel: 149s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240704-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-07-2024 05:19

Static task: static1
Behavioral task: behavioral1 (Sample: Adobe Installer.exe; Resource: win7-20240705-en)
Behavioral task: behavioral2 (Sample: Adobe Installer.exe; Resource: win10-20240404-en)
Behavioral task: behavioral3 (Sample: Adobe Installer.exe; Resource: win10v2004-20240704-en)
Behavioral task: behavioral4 (Sample: Adobe Installer.exe; Resource: win11-20240704-en)
General
Target: Adobe Installer.exe
Size: 22.9MB
MD5: eefcbf5a048a4035bde572a53d4b3796
SHA1: 39fbc3604afe3703dcb87efc4752050044998277
SHA256: 22a0e808dc6971d2135da47e2e7ab470b0bcbe0d07e4c91df047d85981847752
SHA512: 2c3cffd921d9ef573ebec598bb8a780d74e4be1c9aae1d6a0fd2d013353804807f1ace496785d44851b1f833e97e1058875963ac522b5aa4b7afdc4f90762a59
SSDEEP: 196608:sOQ8raUTGNhy9jdon1nWxhhGYULhwG48:sT8rps09bGYULhL4
Malware Config
Extracted: lumma
C2: https://nobledpcowep.shop/api
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 60 (Adobe Installer.exe) set thread context of PID 216 (BitLockerToGo.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 216 (BitLockerToGo.exe), 4 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 60 (Adobe Installer.exe) adjusted token privilege: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 60 (Adobe Installer.exe) wrote to memory of PID 216 (BitLockerToGo.exe), 5 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\Adobe Installer.exe (PID 60)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Installer.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 216, child of PID 60)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      - Suspicious behavior: EnumeratesProcesses
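Read together, the signatures and the process tree describe one chain: a binary running from the user's Temp directory (PID 60) adjusts SeDebugPrivilege, spawns a Windows-shipped executable (BitLockerToGo.exe, PID 216), writes into it five times and then calls SetThreadContext on it, after which only the child shows activity. That write-then-redirect-execution sequence from a parent into a child it created is the pattern detection engineers treat as process hollowing-style injection. The Python below is an added example, not part of the sandbox report and not code from the Lumma sample, that scores such chains over a constructed event list modelled on the report's IoCs. The Event record shape, the scoring weights and the path heuristics are assumptions made for the example; real EDR telemetry would need its own adapter into this shape.

```python
"""Score cross-process injection chains in process telemetry.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's signatures: PID 60 adjusts
SeDebugPrivilege, spawns PID 216, writes to it five times, then sets its
thread context.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    # kind: adjust_privilege | create_process | write_process_memory | set_thread_context
    kind: str
    pid: int                        # acting process
    image: str                      # image path of the acting process
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: Optional[str] = None    # privilege name for adjust_privilege


# Constructed sample modelled on the report's IoCs (hypothetical log, not sandbox output).
SRC = r"C:\Users\Admin\AppData\Local\Temp\Adobe Installer.exe"
DST = r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
SAMPLE_EVENTS: List[Event] = [
    Event("adjust_privilege", 60, SRC, detail="SeDebugPrivilege"),
    Event("create_process", 60, SRC, target_pid=216, target_image=DST),
    *[Event("write_process_memory", 60, SRC, target_pid=216, target_image=DST) for _ in range(5)],
    Event("set_thread_context", 60, SRC, target_pid=216, target_image=DST),
]


def _norm(path: Optional[str]) -> str:
    return (path or "").lower().replace("/", "\\")


def is_user_writable(path: Optional[str]) -> bool:
    """Assumed heuristic: image lives where an unprivileged user can drop files."""
    p = _norm(path)
    return "\\appdata\\local\\temp\\" in p or ("\\users\\" in p and "\\downloads\\" in p)


def is_windows_dir(path: Optional[str]) -> bool:
    """Assumed heuristic: image is shipped under the Windows directory."""
    return _norm(path).startswith("c:\\windows\\")


def analyze(events: List[Event]) -> List[Dict]:
    """Return one finding per (source, target) pair that shows write + thread-context redirect."""
    created: Dict[int, int] = {}                              # child pid -> parent pid
    privs: Dict[int, set] = defaultdict(set)                  # pid -> privileges adjusted
    counters: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    images: Dict[int, str] = {}

    for ev in events:
        images.setdefault(ev.pid, ev.image)
        if ev.target_pid is not None and ev.target_image:
            images.setdefault(ev.target_pid, ev.target_image)
        if ev.kind == "adjust_privilege" and ev.detail:
            privs[ev.pid].add(ev.detail)
        elif ev.kind == "create_process" and ev.target_pid is not None:
            created[ev.target_pid] = ev.pid
        elif ev.kind in ("write_process_memory", "set_thread_context"):
            # Only cross-process operations matter; self-writes are normal.
            if ev.target_pid is not None and ev.target_pid != ev.pid:
                counters[(ev.pid, ev.target_pid)][ev.kind] += 1

    findings = []
    for (src, dst), kinds in counters.items():
        writes = kinds["write_process_memory"]
        ctx = kinds["set_thread_context"]
        if not (writes and ctx):
            continue  # a remote write alone (debuggers, some installers) is too noisy by itself
        reasons = [f"{writes} WriteProcessMemory + {ctx} SetThreadContext into PID {dst}"]
        score = 2
        if created.get(dst) == src:
            # Parent already holds a full-access handle to its own child: classic hollowing shape.
            reasons.append("target was spawned by the injecting process")
            score += 1
        if "SeDebugPrivilege" in privs[src]:
            # Not needed to touch your own child, so asking for it is itself a signal.
            reasons.append("source adjusted SeDebugPrivilege")
            score += 1
        if is_user_writable(images.get(src)) and is_windows_dir(images.get(dst)):
            reasons.append("user-writable image injecting into a Windows-directory binary")
            score += 1
        findings.append({
            "source_pid": src, "source_image": images.get(src),
            "target_pid": dst, "target_image": images.get(dst),
            "score": score, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"score={f['score']} {f['source_pid']} -> {f['target_pid']}")
        for r in f["reasons"]:
            print("  -", r)
```

The scoring is deliberately additive rather than a single boolean so that the weaker evidence (SeDebugPrivilege, the Temp-to-Windows image pairing) raises a chain that already has the core write-plus-context pair, without letting any one of them fire on its own.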