Analysis
max time kernel: 149s
max time network: 277s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-07-2024 19:29
Static task
static1
Behavioral task behavioral1
Sample: !!SetUp_!PaS$Kḙy$!_39168/Setup.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: !!SetUp_!PaS$Kḙy$!_39168/Setup.exe
Resource: win10v2004-20240709-en
Behavioral task behavioral3
Sample: !!SetUp_!PaS$Kḙy$!_39168/Setup.exe
Resource: win11-20240709-en
General
Target: !!SetUp_!PaS$Kḙy$!_39168/Setup.exe
Size: 250KB
MD5: 850a43e323656b86ae665d8b4fd71369
SHA1: 099d6e80c394ccc5233e1cbd6b29769da9e0e2aa
SHA256: 539423d2e436e198df15b5577d816dc306ba4c03b1362f7731e675b51f4a5f42
SHA512: 1f2778040e906ea2939a8b0a682e267599aa8422f81ea83bb6c980a304b569ad750ef3e81e1490edd5b1d74e734a2cb82f428f47096c55436037e03e516d2378
SSDEEP: 6144:WEq38uejOBA0ItZ1PNWPQqLlXXXXVXDBsXdZC/R0EjW0VnXNvdroJ:/q0jOBARWPRLlXXXXVXSXdZk0EjW0VnM
Malware Config
Extracted
Family: lumma
C2:
https://bittercoldzzdwu.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: Setup.exe
description                                 pid   Process    procid_target
PID 4744 set thread context of 4692         4744  Setup.exe  84

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Setup.exe, more.com
pid   Process
4744  Setup.exe
4744  Setup.exe
4692  more.com
4692  more.com

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: Setup.exe, more.com
pid   Process
4744  Setup.exe
4692  more.com

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Setup.exe, more.com
description                                 pid   Process    procid_target
PID 4744 wrote to memory of 4692            4744  Setup.exe  84
PID 4744 wrote to memory of 4692            4744  Setup.exe  84
PID 4744 wrote to memory of 4692            4744  Setup.exe  84
PID 4744 wrote to memory of 4692            4744  Setup.exe  84
PID 4692 wrote to memory of 3016            4692  more.com   86
PID 4692 wrote to memory of 3016            4692  more.com   86
PID 4692 wrote to memory of 3016            4692  more.com   86
PID 4692 wrote to memory of 3016            4692  more.com   86
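The WriteProcessMemory and SetThreadContext rows above describe a two-hop injection chain: Setup.exe writes into and re-points a thread of more.com, and more.com in turn writes into SearchIndexer.exe. The following is an added example, not part of the sandbox report: it parses rows in the report's own "PID X wrote to memory of Y ..." format, collapses the repeated entries, reconstructs the chain and labels each hop. The input rows and PID-to-image map are copied from this report; the regex, the technique labels and the "target lives in a Windows system directory" heuristic are this example's assumptions.

```python
"""Reconstruct the injection chain Setup.exe -> more.com -> SearchIndexer.exe
from the report's IoC rows.

Added example, not part of the sandbox report: the IOC_ROWS and PROCESSES
inputs are copied from the tables above; the parser, the technique labels
and the "system binary as target" heuristic are this example's assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Rows exactly as they appear in the SetThreadContext / WriteProcessMemory
# signature tables (the report repeats each write row four times).
IOC_ROWS = [
    "PID 4744 set thread context of 4692 4744 Setup.exe 84",
    "PID 4744 wrote to memory of 4692 4744 Setup.exe 84",
    "PID 4744 wrote to memory of 4692 4744 Setup.exe 84",
    "PID 4744 wrote to memory of 4692 4744 Setup.exe 84",
    "PID 4744 wrote to memory of 4692 4744 Setup.exe 84",
    "PID 4692 wrote to memory of 3016 4692 more.com 86",
    "PID 4692 wrote to memory of 3016 4692 more.com 86",
    "PID 4692 wrote to memory of 3016 4692 more.com 86",
    "PID 4692 wrote to memory of 3016 4692 more.com 86",
]

# PID -> image path, taken from the process tree in the report.
PROCESSES: Dict[int, str] = {
    4744: r"C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_39168\Setup.exe",
    4692: r"C:\Windows\SysWOW64\more.com",
    3016: r"C:\Windows\SysWOW64\SearchIndexer.exe",
}

# Row layout: "PID <src> <action> <dst> <pid> <image> <procid_target>"
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+$"
)

# Directories an installer has no business writing into (heuristic, not
# something the report states).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(rows: List[str]) -> Dict[Tuple[int, int], Set[str]]:
    """Collapse repeated rows into (src_pid, dst_pid) -> {API names}."""
    events: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue  # not an injection row; ignore it
        src, action, dst, _image = m.groups()
        api = "WriteProcessMemory" if action.startswith("wrote") else "SetThreadContext"
        events[(int(src), int(dst))].add(api)
    return dict(events)


def is_system_binary(path: str) -> bool:
    """True when the image lives under System32 / SysWOW64 (a LOLBIN target)."""
    return path.lower().startswith(SYSTEM_DIRS)


def classify(events: Dict[Tuple[int, int], Set[str]],
             procs: Dict[int, str]) -> Dict[Tuple[int, int], dict]:
    """Label each (src, dst) pair with the injection pattern it matches."""
    findings = {}
    for (src, dst), apis in events.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            technique = "write + SetThreadContext (hollowing / thread hijack)"
        elif "WriteProcessMemory" in apis:
            technique = "cross-process write (injection staging)"
        else:
            technique = "thread context change only"
        findings[(src, dst)] = {
            "source": procs.get(src, "<unknown>"),
            "target": procs.get(dst, "<unknown>"),
            "technique": technique,
            "lolbin_target": is_system_binary(procs.get(dst, "")),
        }
    return findings


def injection_chain(events: Dict[Tuple[int, int], Set[str]], root_pid: int) -> List[int]:
    """Follow write/context edges from the root process to list the chain."""
    chain, seen = [root_pid], {root_pid}
    while True:
        nxt = sorted(d for (s, d) in events if s == chain[-1] and d not in seen)
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


if __name__ == "__main__":
    ev = parse_rows(IOC_ROWS)
    names = [PROCESSES[p].rsplit("\\", 1)[-1] for p in injection_chain(ev, 4744)]
    print("chain:", " -> ".join(names))
    for pair, f in sorted(classify(ev, PROCESSES).items()):
        print(pair, f["technique"], "| target in system dir:", f["lolbin_target"])
```

Run stand-alone it prints the chain `Setup.exe -> more.com -> SearchIndexer.exe` and flags both hops as writes into Windows system binaries; the first hop additionally carries SetThreadContext, which is the combination a hollowing or thread-hijack detection should key on rather than WriteProcessMemory alone.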
Processes

1. C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_39168\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\!!SetUp_!PaS$Kḙy$!_39168\Setup.exe"
   PID: 4744
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\more.com
      Command line: C:\Windows\SysWOW64\more.com
      PID: 4692
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\SearchIndexer.exe
         Command line: C:\Windows\SysWOW64\SearchIndexer.exe
         PID: 3016
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.1MB
MD5: 8cca99049e18c24030795656904bc622
SHA1: 88de7cb1c0823dce88cc9e8347bd0fbc3882dfd0
SHA256: 96770590120f1c1933a5fa126fdb922843a11df8bf9e31aa7f4cbbe2a90dece7
SHA512: 5313e1dadd975009de12f0768186bb2007a7458157da0957438096625c251ed16711aeca2030ee29b80a986c8b37b6058768dade5a2ce7ac621e7921886b3083