Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 01:14
Behavioral task: behavioral1
Sample: edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe
Resource: win7-20240419-en
General
Target: edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe
Size: 24.4MB
MD5: 16b332205d167a6a6f76c5293aa8f201
SHA1: 40c0fba9107d270cf006f58f4fecc9742f806a2b
SHA256: edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a
SHA512: ff18c351f1f86134f79a535eb5f6045c5dfdf3ab9e632d15a5266c86e25c0cd675a88f457a99f3ae6a92d0929d35f703a366b0d11fac1ffaa09e6f44f39e11f5
SSDEEP: 393216:Z8V2nhTIrvYzEWmn+FBhwFDbllTqkl6eFh3zZNgni9HkHxHLCA9arP1A0+3ERPWy:OV2h2QzE0FTIpt6eFl1NykmxeS3u
Malware Config
Extracted: lumma
  https://potterryisiw.shop/api
  https://foodypannyjsud.shop/api
  https://contintnetksows.shop/api
  https://reinforcedirectorywd.shop/api
Signatures

Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4804-0-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp   upx
  behavioral2/memory/4804-3-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp   upx
  behavioral2/memory/4804-10-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp  upx

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                                   target process
  PID 4804 set thread context of 3100  4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 4804 wrote to memory of 3100   4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe
  PID 4804 wrote to memory of 3100   4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe
  PID 4804 wrote to memory of 3100   4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe
  PID 4804 wrote to memory of 3100   4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe
  PID 4804 wrote to memory of 3100   4804  edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe  BitLockerToGo.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\edbfdd04d154060b82f386191ba772e0b9122e2f82a4e3c0e3ddf65fc7a8b55a.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of 1)
      command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Downloads
  memory/3100-6-0x0000000000A60000-0x0000000000AB6000-memory.dmp    Filesize: 344KB
  memory/3100-8-0x0000000000A60000-0x0000000000AB6000-memory.dmp    Filesize: 344KB
  memory/3100-9-0x0000000000A60000-0x0000000000AB6000-memory.dmp    Filesize: 344KB
  memory/3100-11-0x0000000000A60000-0x0000000000AB6000-memory.dmp   Filesize: 344KB
  memory/4804-0-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp    Filesize: 64.7MB
  memory/4804-3-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp    Filesize: 64.7MB
  memory/4804-10-0x00007FF7EFA00000-0x00007FF7F3AB2000-memory.dmp   Filesize: 64.7MB