Analysis
- max time kernel: 193s
- max time network: 300s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-07-2024 05:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe
- Resource: win7-20240611-en
General
- Target: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe
- Size: 6.2MB
- MD5: b9265c31743db2e9698a08df7b0c5e9d
- SHA1: aa01367b13f827a5773d0781692809ae175bc718
- SHA256: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af
- SHA512: 1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133
- SSDEEP: 49152:+qMb251mXUaFTyH5FYbRtQtD0gwbJBhOXg+QREJXNwrkjf5EfGd+NeDPk4A92+f9:ssyHA56IXg+TXfEfGVhgw6
Malware Config
- Extracted: lumma
Signatures
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 4140 set thread context of 5032
  pid: 4140
  process: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe
  target process: BitLockerToGo.exe
-
Suspicious use of WriteProcessMemory (5 IoCs)
Processes (5 identical entries):
  description: PID 4140 wrote to memory of 5032
  pid: 4140
  process: b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe
  target process: BitLockerToGo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of the process above)
    Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Network
MITRE ATT&CK Matrix
Downloads
- memory/4140-4-0x00007FF636D40000-0x00007FF6373D6000-memory.dmp (Filesize 6.6MB)
- memory/4140-6-0x00007FF636D40000-0x00007FF6373D6000-memory.dmp (Filesize 6.6MB)
- memory/5032-5-0x0000000002B10000-0x0000000002B69000-memory.dmp (Filesize 356KB)
- memory/5032-9-0x0000000002B10000-0x0000000002B69000-memory.dmp (Filesize 356KB)
- memory/5032-8-0x0000000002B10000-0x0000000002B69000-memory.dmp (Filesize 356KB)