Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21/10/2024, 13:41
Static task
static1
Behavioral task
behavioral2
Sample
-Password-1885.txt
Resource
win10-20240611-en
Behavioral task
behavioral3
Sample
-data/config/config.dll
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
-data/config/d4d1.dll
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
-data/programmfiles.json
Resource
win10-20240404-en
General
-
Target
installer.exe
-
Size
550KB
-
MD5
baa49579fe5b7ca9c12de5dfd4a23f39
-
SHA1
c7476ceb3d586e93e2fdee7d29226923b80fa642
-
SHA256
644b45fa0d076c6a9cfe6a966948085aefadc31ed454fee09cf583b41c7e92eb
-
SHA512
473e02dded86b15dfed5d7cd6b82188ff6610a246143cb911f03b244961e1dd6a4faf19ac4062d2d66941d94bc7d2ef77196e51959b424d8217f3a22d8486c04
-
SSDEEP
12288:RjUMVFCEJXd7QxVp1Gvu4P9z9SFcuT5VU7rsKUfRUQKS:1VLJX5Qt34FZEcuzKUfRUX
Malware Config
Extracted
lumma
https://snailyeductyi.sbs
https://ferrycheatyk.sbs
https://deepymouthi.sbs
https://wrigglesight.sbs
https://captaitwik.sbs
https://sidercotay.sbs
https://heroicmint.sbs
https://monstourtu.sbs
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3080 set thread context of 5048 3080 installer.exe 74 -
Program crash 1 IoCs
pid pid_target Process procid_target 4516 3080 WerFault.exe 72 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language installer.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5048 installer.exe 5048 installer.exe 5048 installer.exe 5048 installer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3080 wrote to memory of 64 3080 installer.exe 73 PID 3080 wrote to memory of 64 3080 installer.exe 73 PID 3080 wrote to memory of 64 3080 installer.exe 73 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74 PID 3080 wrote to memory of 5048 3080 installer.exe 74
Processes
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"2⤵PID:64
-
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5048
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 2482⤵
- Program crash
PID:4516
-