Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 01:21
Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: 25d66863ae6b40666fe4ea3031c00957.exe
  Resource: win7-20240508-en (windows7-x64)
  2 signatures
  150 seconds
General
Target: 25d66863ae6b40666fe4ea3031c00957.exe
Size: 526KB
MD5: 25d66863ae6b40666fe4ea3031c00957
SHA1: 07408d2073032c8fa07a1e3f1613274039183ef9
SHA256: ffeabd18beabd0c0090ca6ff166e7f724ee80c120c602e46a4ce2e427887b762
SHA512: 03644f6de2da25939ec5b460f90d052718fce40f84d2d75788836a02d20f3352e967b6df80ddfd8b858f11af9ff9c08be419373f903063ee1aeb9a58385892a8
SSDEEP: 12288:PnUB23lHRG/X5maWsBZUXHgBEDwAW8WrlrpQy7lQ:PUE1H2JmaWs0CeFmZ
Malware Config (Extracted)
Family: lumma
C2:
  https://piedsiggnycliquieaw.shop/api
  https://potterryisiw.shop/api
  https://foodypannyjsud.shop/api
  https://contintnetksows.shop/api
  https://reinforcedirectorywd.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 2168 set thread context of 2160 | 2168 | 25d66863ae6b40666fe4ea3031c00957.exe | RegAsm.exe

Program crash (1 IoCs)
Processes (pid | pid_target | process | target process):
  4360 | 2168 | WerFault.exe | 25d66863ae6b40666fe4ea3031c00957.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process), 9 identical entries:
  PID 2168 wrote to memory of 2160 | 2168 | 25d66863ae6b40666fe4ea3031c00957.exe | RegAsm.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\25d66863ae6b40666fe4ea3031c00957.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25d66863ae6b40666fe4ea3031c00957.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 148
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2168 -ip 2168
Downloads
- memory/2160-1-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/2160-3-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/2160-4-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/2168-0-0x0000000000E20000-0x0000000000E21000-memory.dmp (Filesize: 4KB)