Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 14:15

Tasks
- Static task: static1 (1 signature)
- Behavioral task: behavioral1
  - Sample: KFlauncher.exe
  - Resource: win7-20240508-en
  - 2 signatures
  - 150 seconds
General
- Target: KFlauncher.exe
- Size: 937KB
- MD5: edfa515fb1995ccaa53ba97259bdc552
- SHA1: 4840b49873edc09129a3d725e861a5d3edb8924b
- SHA256: 7d0ca7b717b408404ea0d4ce98ef1cd2947402d23a7fb8c4429d18707041396c
- SHA512: 864d2012340b4835c22a8b8a3fd6b42b87b2f1a4d79f2d6e48883a1819a84ca427b0a9c6d73078aad15a4c1696e0e54aed7f56f68a6e00d205b4444610aafed7
- SSDEEP: 24576:flj0NdQCg30ly0HsqzDC3UALO6FIb+ayoiWF3pw:tLEY0Hsqz+AcIbinWF5w
Malware Config (extracted)
- Family: lumma
- C2:
  - https://potterryisiw.shop/api
  - https://foodypannyjsud.shop/api
  - https://contintnetksows.shop/api
  - https://reinforcedirectorywd.shop/api
Signatures

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         | pid  | process        | target process
    PID 2820 set thread context of 4240 | 2820 | KFlauncher.exe | RegAsm.exe

- Program crash (1 IoC)
  Processes:
    pid  | pid_target | process      | target process
    1768 | 2820       | WerFault.exe | KFlauncher.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same event was recorded 9 times):
    description                      | pid  | process        | target process
    PID 2820 wrote to memory of 4240 | 2820 | KFlauncher.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KFlauncher.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 560
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2820 -ip 2820
Downloads
  file                                                         | filesize
  memory/2820-0-0x0000000000500000-0x0000000000501000-memory.dmp | 4KB
  memory/4240-1-0x0000000000400000-0x0000000000457000-memory.dmp | 348KB
  memory/4240-3-0x0000000000400000-0x0000000000457000-memory.dmp | 348KB
  memory/4240-4-0x0000000000400000-0x0000000000457000-memory.dmp | 348KB