Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 02:14

Static task: static1 (1 signature)

Behavioral task: behavioral1
Sample: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe
Resource: win7-20240221-en
2 signatures, 150 seconds
General

Target: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe
Size: 524KB
MD5: 864fb28b0001b98ddd896dbdc604db30
SHA1: 2c7691795b4313704b79c3dfe70b956e84b45a11
SHA256: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0
SHA512: a7bec87ea630cbcfb28770bda372ebb7435f753caf6b8255c06d546f11a56c60018ad75f16938d50bb88749b2a2be970c9a9708455b65e5619dc4acae5be1317
SSDEEP: 12288:cckdVi3+T/Tvm4YqTwEa+1mieYTAk+tvC4hV8vTuNnlv:ccoNT/laKmu6K5vTuNl
Malware Config

Extracted
Family: lumma
C2: https://backcreammykiel.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1012 set thread context of 336
  pid: 1012
  process: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe
  target process: RegAsm.exe

Program crash (1 IoC)
Processes:
  pid: 4824
  pid_target: 1012
  process: WerFault.exe
  target process: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (the same event recorded 9 times):
  description: PID 1012 wrote to memory of 336
  pid: 1012
  process: 5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe
  target process: RegAsm.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5de143343cc0a2b03f076de338308ac58eda529f6814a2e2266531d8ae09fbb0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

  [depth 2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 280
    - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1012 -ip 1012
Network
MITRE ATT&CK Matrix
Downloads
memory/336-0-0x0000000000400000-0x0000000000455000-memory.dmp  Filesize: 340KB
memory/336-3-0x0000000000400000-0x0000000000455000-memory.dmp  Filesize: 340KB
memory/336-4-0x0000000000400000-0x0000000000455000-memory.dmp  Filesize: 340KB
memory/1012-1-0x0000000000EB0000-0x0000000000EB1000-memory.dmp  Filesize: 4KB