Analysis
-
max time kernel
96s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
11-07-2024 01:03
General
-
Target
!ŞetUp_92517--#PaSꞨKḙy#$$/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
lumma
https://unwielldyzpwo.shop/api
https://bouncedgowp.shop/api
https://bannngwko.shop/api
https://bargainnykwo.shop/api
https://affecthorsedpo.shop/api
https://radiationnopp.shop/api
https://answerrsdo.shop/api
https://publicitttyps.shop/api
https://benchillppwo.shop/api
https://reinforcedirectorywd.shop/api
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_92517--#PaSꞨKḙy#$$\Setup.exe"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_92517--#PaSꞨKḙy#$$\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SearchIndexer.exeC:\Windows\SysWOW64\SearchIndexer.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5b9e4b48b4ebeb97843ccadde063948eb
SHA16999b6d97f7c5908c022dc27da701158b5d63869
SHA2565cf2ef04f987382061c276aa5969e3ceb07edbfc94ddc4329d76b9c3e7d5516a
SHA51222a7b46f0d7f1890543e793ccc9c2c9412090406538e3325ce464bbbcecfc3bbe63699fbdf09fa342e960a40cb6c2d211873369d8a5d3f668dbc0048786dfb2e
-
Filesize
4.4MB
-
Filesize
25.0MB
-
Filesize
4.4MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
25.0MB
-
Filesize
25.0MB
-
Filesize
2.0MB
-
Filesize
8KB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
440KB
-
Filesize
440KB