Analysis

max time kernel: 133s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 07:22

Static task: static1 (signatures: 1)
Behavioral task: behavioral1
  Sample: 0309dd0131150796ea99b30a62194fae.exe
  Resource: win7-20240221-en
  signatures: 2
  duration: 150 seconds
General

Target: 0309dd0131150796ea99b30a62194fae.exe
Size: 516KB
MD5: 0309dd0131150796ea99b30a62194fae
SHA1: 2df6e334708eae810a74b844fd57e18e9fdc34cd
SHA256: 07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35
SHA512: 3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8
SSDEEP: 12288:YwFARGxNB+mIuUOI+J0X6KALNGK34y1sB2Y+Jg4c:Yj4xb+mrZj1VHSB2Y6d
Malware Config (Extracted)

Family: lumma
C2:
  https://potterryisiw.shop/api
  https://foodypannyjsud.shop/api
  https://contintnetksows.shop/api
  https://reinforcedirectorywd.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          | pid  | process                               | target process
  PID 3892 set thread context of 2508  | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe

Program crash (1 IoCs)
Processes:
  pid  | pid_target | process      | target process
  3184 | 3892       | WerFault.exe | 0309dd0131150796ea99b30a62194fae.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        | pid  | process                               | target process
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
  PID 3892 wrote to memory of 2508   | 3892 | 0309dd0131150796ea99b30a62194fae.exe  | RegAsm.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0309dd0131150796ea99b30a62194fae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0309dd0131150796ea99b30a62194fae.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 136
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3892 -ip 3892
Network
MITRE ATT&CK Matrix
Downloads

memory/2508-1-0x0000000000400000-0x000000000045A000-memory.dmp  Filesize: 360KB
memory/2508-3-0x0000000000400000-0x000000000045A000-memory.dmp  Filesize: 360KB
memory/2508-4-0x0000000000400000-0x000000000045A000-memory.dmp  Filesize: 360KB
memory/3892-0-0x0000000001120000-0x0000000001121000-memory.dmp  Filesize: 4KB