Analysis
- max time kernel: 132s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 09:37
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: github.software.1.2.2.exe
- Resource: win7-20240419-en
- 2 signatures
- 150 seconds
General
- Target: github.software.1.2.2.exe
- Size: 520KB
- MD5: aaf7cbc3351d2a7dc6e44aa409ba2516
- SHA1: e25f6668f571da4cec99e8587ee2f52fc2f50652
- SHA256: 4e090a508e83582035b3f77ac28f7938595596e17c2fa4c150d429828a7eeae1
- SHA512: 0b2da9b21f4ca5d69d0a9172681d818270e633c8b272a26a4baa702475f0293b1ccfc795df5f5f91e13ac286453c57915c5374a73a86a195ac2783dac6584217
- SSDEEP: 12288:AhEf+bfJjHdny8z01jdYN74UeBG7pMdW2mf:AQ8fJLdyL+7BKdW2m
Malware Config (Extracted)
- Family: lumma
- C2:
  https://closedjuruwk.shop/api
  https://potterryisiw.shop/api
  https://foodypannyjsud.shop/api
  https://contintnetksows.shop/api
  https://reinforcedirectorywd.shop/api
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                    target process
    PID 3176 set thread context of 676   3176  github.software.1.2.2.exe  RegAsm.exe
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2912  3176        WerFault.exe  github.software.1.2.2.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                    target process
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
    PID 3176 wrote to memory of 676   3176  github.software.1.2.2.exe  RegAsm.exe
Processes (tree; number is nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\github.software.1.2.2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\github.software.1.2.2.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 300
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3176 -ip 3176
Downloads
- memory/676-1-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/676-3-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/676-4-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/676-5-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/3176-0-0x0000000001030000-0x0000000001031000-memory.dmp (Filesize: 4KB)