Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/09/2024, 20:56
- Static task: static1
- Behavioral task behavioral1: sample tera1.zip, resource win10v2004-20240802-en
- Behavioral task behavioral2: sample 0a4scandoc.exe, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample 7z.dll, resource win10v2004-20240802-en
- Behavioral task behavioral4: sample AppointmentApis.dll, resource win10v2004-20240802-en
- Behavioral task behavioral5: sample Microsoft.PowerShell.Commands.Utility.dll, resource win10v2004-20240802-en
- Behavioral task behavioral6: sample WINSSNAP.dll, resource win10v2004-20240802-en
- Behavioral task behavioral7: sample appraiser.dll, resource win10v2004-20240802-en
- Behavioral task behavioral8: sample msvcr100.dll, resource win10v2004-20240802-en
- Behavioral task behavioral9: sample wlanpref.dll, resource win10v2004-20240802-en
- Behavioral task behavioral10: sample wxmsw32u_xrc_gcc_custom.dll, resource win10v2004-20240802-en
General
- Target: 0a4scandoc.exe
- Size: 17.0MB
- MD5: c5d283a74907d1412156895127aa5224
- SHA1: 4bbc9e531de97c260dc903aab71777ee132b6fe0
- SHA256: c81a5047622abb1e31710776528bf84c69db3302e03dc54ea737b6c4096955db
- SHA512: 5358265f5d830bdee8f62f96d3b300f4f3172efeae805ea25368b62aec7b70c470ac8aa16a29b4c1d7a9ceacf2adf08ff17a365f4d0715f3403a978740f4b47c
- SSDEEP: 98304:5yVrgKLz2unHNWUc10CNuazXsLhAZteYCcZDmtzavCnkjGmtBPVbd:8gKnzW08XKetDCCmCCnk/tBtbd
Malware Config
- Extracted: lumma
  - https://fisstyconsumerosp.shop/api
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1960 set thread context of 4644 | pid: 1960 | process: 0a4scandoc.exe | procid_target: 91
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: 0a4scandoc.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: BitLockerToGo.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 1960 wrote to memory of 4644 | pid: 1960 | process: 0a4scandoc.exe | procid_target: 91 (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0a4scandoc.exe (PID 1960)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a4scandoc.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 4644)
    command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery