Analysis
- max time kernel: 88s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2023 01:03
Tasks
- Static task: static1
- Behavioral task behavioral1: sample 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe, resource win7-20231130-en
- Behavioral task behavioral2: sample 1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe, resource win10v2004-20231127-en
- Behavioral task behavioral3: sample 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe, resource win7-20231023-en
- Behavioral task behavioral4: sample 3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe, resource win10v2004-20231127-en
- Behavioral task behavioral5: sample 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe, resource win7-20231023-en
- Behavioral task behavioral6: sample 69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe, resource win10v2004-20231127-en
- Behavioral task behavioral7: sample cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe, resource win7-20231020-en
- Behavioral task behavioral8: sample cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe, resource win10v2004-20231127-en
- Behavioral task behavioral9: sample e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe, resource win7-20231020-en
General
- Target: e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe
- Size: 3.2MB
- MD5: f23d61d5ff249493e4b55e0690d7b3e4
- SHA1: a6eccac18cc49aa7fe3863afb24d3975a5cf30a8
- SHA256: e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b
- SHA512: 1782f63dc64baaf47d00ad0f8cf7d04587f8da2656aedf580147387df65b9481e4fdd7a4e34c6f01dfbefc4815d42a994dc7e6e065c84d2cf9821e602ac2446f
- SSDEEP: 49152:3osVZWC0R4XRbTaDmixqWsOFQlrYQBDcLatzB+L0iVBH+nBz0I7C:3Z0RkRbTaDmcsOFQpEwIN+d0n
Malware Config
Signatures
- Detect Lumma Stealer payload V2 (1 IoC)
  Processes: resource behavioral10/memory/3920-15-0x0000000000400000-0x000000000047E000-memory.dmp, yara_rule family_lumma_V2
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 3576 (e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe) set thread context of PID 3920 (jsc.exe)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes: PID 3920 (jsc.exe), 22 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token SeDebugPrivilege, PID 3576 (e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: PID 3576 (e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe) wrote to memory of PID 3920 (jsc.exe), 9 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe"
   PID: 3576
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (child of 1)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      PID: 3920
      - Suspicious behavior: EnumeratesProcesses