Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 04:49
Static task
static1
Behavioral task
behavioral1
Sample
Larsson.exe
Resource
win7-20240903-en
General
-
Target
Larsson.exe
-
Size
351KB
-
MD5
09be66bbb52f8af439e8745d8f872cb6
-
SHA1
64038d25166fafdc9386fb5e88a4097b481c8204
-
SHA256
2e49a28f4a1d94d6d7cfd31e54bde4bebf4abb48d048f69fe241ec1502b40943
-
SHA512
aab694646234c08606387d5210de241bc5bb7c4ae0fafbb776de696464f19ff9b80f159f5329b2c5dcb4b2a6f3352c9a67dc56fdf2333962ecd82ae6bf16301f
-
SSDEEP
6144:9wcDxEzhXVwYx8I6V+MHzA6mlyoyK0LSvKXMVPMa+Y5hhw:9wXzhFwYd6C6mlyBK0LcK8V0axn
Malware Config
Extracted
lumma
https://turkeyunlikelyofw.shop/api
https://wisemassiveharmonious.shop/api
https://colorfulequalugliess.shop/api
https://relevantvoicelesskw.shop/api
https://detectordiscusser.shop/api
https://associationokeo.shop/api
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1448 set thread context of 2864 1448 Larsson.exe 31 -
Program crash 1 IoCs
pid pid_target Process procid_target 2876 2864 WerFault.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Larsson.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 1448 wrote to memory of 2864 1448 Larsson.exe 31 PID 2864 wrote to memory of 2876 2864 RegAsm.exe 32 PID 2864 wrote to memory of 2876 2864 RegAsm.exe 32 PID 2864 wrote to memory of 2876 2864 RegAsm.exe 32 PID 2864 wrote to memory of 2876 2864 RegAsm.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Larsson.exe"C:\Users\Admin\AppData\Local\Temp\Larsson.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 2563⤵
- Program crash
PID:2876
-
-