Resubmissions
10-07-2024 23:37  240710-3mj98syeqb  10
10-07-2024 23:31  240710-3hybaswcqj  10
10-07-2024 23:21  240710-3b5f2awall  10

Analysis
max time kernel: 431s
max time network: 496s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 23:37
Static task: static1
Behavioral task: behavioral1
Sample: !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
Resource: win10-20240404-en
General
Target: !~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
Size: 2.7MB
MD5: 0bceb88aed8c6bb2f5d20c050af530b3
SHA1: 6ec563e2cc84bd115ca4c325f25860d9c7a57149
SHA256: edef6777be8dbb15748bcf1332c0a7e49e5d8b8793ff23ccfb41da2d3ff1c0cc
SHA512: eb3c3d5622684fa4f2d55b8307d6fef898404382a7fc8f2dc350bf6633cb700e5cae778d3315367f88d2b605ebe71a6d691bfd10b9432ce4c164ada9c85842f4
SSDEEP: 49152:c6B7KXGRde2dWchGri7yFjqsh+/Kq6AO96P2up7mnEhyha/h8:c6hKmdPWAx7DK+l6Q6EQX
Malware Config
Extracted
lumma
https://bittercoldzzdwu.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   Process    procid_target
  PID 368 set thread context of 1416   368   Setup.exe  98

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid    Process
  368    Setup.exe
  368    Setup.exe
  1416   more.com
  1416   more.com

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid    Process
  368    Setup.exe
  1416   more.com

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                            pid    Process    procid_target
  PID 368 wrote to memory of 1416        368    Setup.exe  98
  PID 368 wrote to memory of 1416        368    Setup.exe  98
  PID 368 wrote to memory of 1416        368    Setup.exe  98
  PID 368 wrote to memory of 1416        368    Setup.exe  98
  PID 1416 wrote to memory of 2760       1416   more.com   100
  PID 1416 wrote to memory of 2760       1416   more.com   100
  PID 1416 wrote to memory of 2760       1416   more.com   100
  PID 1416 wrote to memory of 2760       1416   more.com   100
Processes

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\!~!SetUp_2025_Pa$$W0rd$s!!%!~.zip
  Depth: 1
  PID: 3216

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  Depth: 1
  PID: 4788

C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe
  Command line: "C:\Users\Admin\Desktop\!~!SetUp_2025_Pa$$W0rd$s!!%!~\!~!SetUp_2025_Pa$$W0rd$s!!%!~\Setup.exe"
  Depth: 1
  PID: 368
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\more.com
    Command line: C:\Windows\SysWOW64\more.com
    Depth: 2 (child of PID 368)
    PID: 1416
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\SearchIndexer.exe
      Command line: C:\Windows\SysWOW64\SearchIndexer.exe
      Depth: 3 (child of PID 1416)
      PID: 2760
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.1MB
MD5: aaf4e828d55d05dfe071afe3381e9bd0
SHA1: c3e80d9ca0c69b45a5d7983f162de4f200e34515
SHA256: fbc8b61b5c3963cb9f31f3055813cadd3103d478208e84ad118418924fa9d33b
SHA512: 921f690ce51ac619ffd1c432a558f385493122d23d50c485bb8504f0600cbec3a0f492125bfbb6c66889d88f17f304718ddccf0ce8395450d4dc0782fb019093