Overview (score 10)

Task                     Platform              Score
Static                   -                     3
Language/c...1].exe      windows7-x64          -
Language/c...1].exe      windows10-2004-x64    -
Language/e...eN.dll      windows7-x64          1
Language/e...eN.dll      windows10-2004-x64    1
Language/e...32.dll      windows7-x64          1
Language/e...32.dll      windows10-2004-x64    1
Setup.exe                windows7-x64          5
Setup.exe                windows10-2004-x64    10
barchan.pptx             windows7-x64          1
barchan.pptx             windows10-2004-x64    1
madHcNet32.dll           windows7-x64          3
madHcNet32.dll           windows10-2004-x64    3
mvrSettings32.dll        windows7-x64          3
mvrSettings32.dll        windows10-2004-x64    3
unrar.dll                windows7-x64          1
unrar.dll                windows10-2004-x64    1
vcruntime140.dll         windows7-x64          1
vcruntime140.dll         windows10-2004-x64    1
Analysis
- max time kernel: 95s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-07-2024 08:21
Tasks

Task            Type        Sample                               Resource
static1         Static      -                                    -
behavioral1     Behavioral  Language/chrome_[1MB]_[1].exe        win7-20240704-en
behavioral2     Behavioral  Language/chrome_[1MB]_[1].exe        win10v2004-20240704-en
behavioral3     Behavioral  Language/en-US/AutoWorkplaceN.dll    win7-20240705-en
behavioral4     Behavioral  Language/en-US/AutoWorkplaceN.dll    win10v2004-20240704-en
behavioral5     Behavioral  Language/en-US/avicap32.dll          win7-20240220-en
behavioral6     Behavioral  Language/en-US/avicap32.dll          win10v2004-20240704-en
behavioral7     Behavioral  Setup.exe                            win7-20240704-en
behavioral8     Behavioral  Setup.exe                            win10v2004-20240704-en
behavioral9     Behavioral  barchan.pptx                         win7-20240220-en
behavioral10    Behavioral  barchan.pptx                         win10v2004-20240704-en
behavioral11    Behavioral  madHcNet32.dll                       win7-20240705-en
behavioral12    Behavioral  madHcNet32.dll                       win10v2004-20240704-en
behavioral13    Behavioral  mvrSettings32.dll                    win7-20240704-en
behavioral14    Behavioral  mvrSettings32.dll                    win10v2004-20240704-en
behavioral15    Behavioral  unrar.dll                            win7-20240221-en
behavioral16    Behavioral  unrar.dll                            win10v2004-20240704-en
behavioral17    Behavioral  vcruntime140.dll                     win7-20240705-en
behavioral18    Behavioral  vcruntime140.dll                     win10v2004-20240508-en
General
- Target: Setup.exe
- Size: 3.1MB
- MD5: b841d408448f2a07f308ced1589e7673
- SHA1: f5b5095c0ed69d42110df6d39810d12b1fa32a1e
- SHA256: 69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
- SHA512: a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
- SSDEEP: 49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8
Malware Config
Extracted
lumma
https://bittercoldzzdwu.shop/api
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Setup.exe
  description                           pid   process    target process
  PID 2224 set thread context of 1096   2224  Setup.exe  more.com
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: Setup.exe, more.com, SearchIndexer.exe
  pid   process
  2224  Setup.exe
  2224  Setup.exe
  2224  Setup.exe
  2224  Setup.exe
  1096  more.com
  1096  more.com
  1280  SearchIndexer.exe
  1280  SearchIndexer.exe
  1280  SearchIndexer.exe
  1280  SearchIndexer.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Setup.exe, more.com
  pid   process
  2224  Setup.exe
  1096  more.com
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Setup.exe, more.com
  description                        pid   process    target process
  PID 2224 wrote to memory of 1096   2224  Setup.exe  more.com
  PID 2224 wrote to memory of 1096   2224  Setup.exe  more.com
  PID 2224 wrote to memory of 1096   2224  Setup.exe  more.com
  PID 2224 wrote to memory of 1096   2224  Setup.exe  more.com
  PID 1096 wrote to memory of 1280   1096  more.com   SearchIndexer.exe
  PID 1096 wrote to memory of 1280   1096  more.com   SearchIndexer.exe
  PID 1096 wrote to memory of 1280   1096  more.com   SearchIndexer.exe
  PID 1096 wrote to memory of 1280   1096  more.com   SearchIndexer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 2224
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\more.com (depth 2)
    Command line: C:\Windows\SysWOW64\more.com
    PID: 1096
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\SearchIndexer.exe (depth 3)
      Command line: C:\Windows\SysWOW64\SearchIndexer.exe
      PID: 1280
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1014KB
  MD5: ebbd5c96ca5bb25476a002289a01892e
  SHA1: be811343b60ae6f2f45b96654e859330be0f0bea
  SHA256: 00665eb1c208a5398ce8392dda4b723a1303c0c115ebe792c3a0fe4d206ca994
  SHA512: da13dc57e07c6b1ade1cc6aad2e84469357c3ca4f02319e93512289922e1c36a06d317c5b96df8a45b105bc4c35dd310d9a002d8940c3763ed5576310d6f2c37