Overview

Static (10)
  3  SapphireX/Core.dll     windows7-x64
  1  SapphireX/Core.dll     windows10-2004-x64
  1  SapphireX/Data.dll     windows7-x64
  1  SapphireX/Data.dll     windows10-2004-x64
  1  SapphireX/Drawing.dll  windows7-x64
  1  SapphireX/Drawing.dll  windows10-2004-x64
  1  SapphireX/...eX.exe    windows7-x64
  1  SapphireX/...eX.exe    windows10-2004-x64
Analysis (10)
  max time kernel:  134s
  max time network: 158s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240611-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        01-07-2024 14:54
Static task
  static1

Behavioral tasks
  behavioral1  Sample: SapphireX/Core.dll        Resource: win7-20240419-en
  behavioral2  Sample: SapphireX/Core.dll        Resource: win10v2004-20240226-en
  behavioral3  Sample: SapphireX/Data.dll        Resource: win7-20240508-en
  behavioral4  Sample: SapphireX/Data.dll        Resource: win10v2004-20240611-en
  behavioral5  Sample: SapphireX/Drawing.dll     Resource: win7-20231129-en
  behavioral6  Sample: SapphireX/Drawing.dll     Resource: win10v2004-20240508-en
  behavioral7  Sample: SapphireX/SapphireX.exe   Resource: win7-20240508-en
General
  Target: SapphireX/SapphireX.exe
  Size:   97.4MB
  MD5:    2fd6ab9ede29579295b396a7d9c8e935
  SHA1:   9a8207071c65e19c360f2d574c7205aa710582be
  SHA256: 0fef0b66199dc27ed7691e63852b9c19b9f2a1a19d16811e08a834013b038576
  SHA512: e64b442f021a17d4b9cda50c99cec33594d42e496f4afd6ce48d91c3d1d664fa5082598f04cf9f1186a2d03d3d2361666e4c0f12500cdbefecaebbc48255146d
  SSDEEP: 393216:TMgE1A1/9F6DncvuyJAlgoy7AacE7+fa:TXE1AB9MncvuzEMS
Malware Config
  Extracted: lumma
    https://citizencenturygoodwk.shop/api
    https://potterryisiw.shop/api
    https://foodypannyjsud.shop/api
    https://contintnetksows.shop/api
    https://reinforcedirectorywd.shop/api
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          | pid | process       | target process
    PID 388 set thread context of 3648   | 388 | SapphireX.exe | BitLockerToGo.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                          | pid | process       | target process
    PID 388 wrote to memory of 3648      | 388 | SapphireX.exe | BitLockerToGo.exe
    PID 388 wrote to memory of 3648      | 388 | SapphireX.exe | BitLockerToGo.exe
    PID 388 wrote to memory of 3648      | 388 | SapphireX.exe | BitLockerToGo.exe
    PID 388 wrote to memory of 3648      | 388 | SapphireX.exe | BitLockerToGo.exe
    PID 388 wrote to memory of 3648      | 388 | SapphireX.exe | BitLockerToGo.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\SapphireX\SapphireX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SapphireX\SapphireX.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    Depth: 2
Network
MITRE ATT&CK Matrix
Downloads
  memory/388-2-0x00007FF72F320000-0x00007FF73193C000-memory.dmp    Filesize: 38.1MB
  memory/388-6-0x00007FF72F320000-0x00007FF73193C000-memory.dmp    Filesize: 38.1MB
  memory/388-9-0x00007FF72F320000-0x00007FF73193C000-memory.dmp    Filesize: 38.1MB
  memory/3648-5-0x0000000000B10000-0x0000000000B69000-memory.dmp   Filesize: 356KB
  memory/3648-8-0x0000000000B10000-0x0000000000B69000-memory.dmp   Filesize: 356KB
  memory/3648-10-0x0000000000B10000-0x0000000000B69000-memory.dmp  Filesize: 356KB