Analysis
max time kernel: 140s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/01/2024, 07:44
Static task: static1
Behavioral task: behavioral1
Sample: 6a8a4bbb19d86c40938a18771c9ff4c1.exe
Resource: win7-20231215-en
General
Target: 6a8a4bbb19d86c40938a18771c9ff4c1.exe
Size: 3.9MB
MD5: 6a8a4bbb19d86c40938a18771c9ff4c1
SHA1: 9416b64c873fafd2835cabeae9a322ee6671de10
SHA256: bf7942c4a7de7c08083c2bb5961fe1b3fd7f5ab22f8bec2b0494d294aa4db32c
SHA512: 0523dfb127be53033b593ae1a410d6f08d4f8fee30b07f930244619a2cf21b5e0cf50c5ba5ea6060918bba3fd9029e0940b29ba90fab5886d91f5ef915450a28
SSDEEP: 49152:v3Pgz0GsP/7CYR3UTBb0xLCrSnBS4Guvx99yeUgncOVS/Ay06hPXql022:fPu0FP2jBbsnM4rvlyeUgcISB00S
Malware Config
Extracted
Family: lumma
C2: https://goddirtybrilliancece.fun/api
Signatures
Loads dropped DLL (1 IoC)
  pid 1364 | process 6a8a4bbb19d86c40938a18771c9ff4c1.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1364 set thread context of 1264 | process 6a8a4bbb19d86c40938a18771c9ff4c1.exe | procid_target 103
Program crash (2 IoCs)
  pid 4592 -> pid_target 1364 | process WerFault.exe | procid_target 88
  pid 4740 -> pid_target 1264 | process WerFault.exe | procid_target 103
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1364 wrote to memory of 1264 | process 6a8a4bbb19d86c40938a18771c9ff4c1.exe | procid_target 103 (the same event is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6a8a4bbb19d86c40938a18771c9ff4c1.exe (PID 1364)
  command line: "C:\Users\Admin\AppData\Local\Temp\6a8a4bbb19d86c40938a18771c9ff4c1.exe"
  signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1264)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - C:\Windows\SysWOW64\WerFault.exe (PID 4740)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 900
      signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 4592)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1012
    signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2664)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1364 -ip 1364
- C:\Windows\SysWOW64\WerFault.exe (PID 736)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1264 -ip 1264
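The WriteProcessMemory and SetThreadContext signatures, read together with the process tree, describe a process-hollowing sequence: the sample in the user's Temp directory spawns the Microsoft-signed InstallUtil.exe, writes into it repeatedly, then redirects a thread in it. The following Python check is an added example and not part of the Tria.ge report; it re-parses event lines shaped like the Signatures table (the event strings and process list below are constructed from the report's own PIDs and paths) and flags a parent that both writes into and sets the thread context of a child whose image is a known host binary. The HOLLOW_HOSTS list and the min_writes threshold are assumptions chosen for illustration.

```python
"""Flag the process-hollowing pattern recorded in this sandbox report.

Added example (not sandbox output): re-parses WriteProcessMemory and
SetThreadContext events plus a pid -> image map and reports source/target
pairs where the source wrote into the target and then redirected a thread.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree: pid -> image path.
PROCESSES = {
    1364: r"C:\Users\Admin\AppData\Local\Temp\6a8a4bbb19d86c40938a18771c9ff4c1.exe",
    1264: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    4740: r"C:\Windows\SysWOW64\WerFault.exe",
    4592: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Constructed from the Signatures table: nine writes, then one context switch.
EVENTS = ["PID 1364 wrote to memory of 1264"] * 9 + [
    "PID 1364 set thread context of 1264",
]

# Microsoft-signed executables commonly used as hollowing hosts so the
# payload runs under a trusted image name. Assumption: illustrative list.
HOLLOW_HOSTS = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "aspnet_compiler.exe", "applaunch.exe", "regsvr32.exe", "svchost.exe",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_events(lines):
    """Return ({(src, dst): write_count}, {(src, dst) with SetThreadContext})."""
    writes = defaultdict(int)
    ctx = set()
    for line in lines:
        if m := WRITE_RE.search(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.search(line):
            ctx.add((int(m[1]), int(m[2])))
    return writes, ctx


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(processes, lines, min_writes=3):
    """Return one dict per (src, dst) pair where src wrote at least min_writes
    times into dst and also set a thread context in dst. hollowed_lolbin is
    True when the target image is in HOLLOW_HOSTS; source_in_temp records
    whether the writer runs from the user's Temp directory."""
    writes, ctx = parse_events(lines)
    hits = []
    for (src, dst), n in writes.items():
        if (src, dst) not in ctx or n < min_writes:
            continue
        src_img = processes.get(src, "")
        dst_img = basename(processes.get(dst, ""))
        hits.append({
            "source_pid": src,
            "target_pid": dst,
            "target_image": dst_img,
            "writes": n,
            "hollowed_lolbin": dst_img in HOLLOW_HOSTS,
            "source_in_temp": "\\appdata\\local\\temp\\" in src_img.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(PROCESSES, EVENTS):
        print(hit)
```

Requiring both the writes and the SetThreadContext against the same target keeps ordinary debuggers and crash handlers (WerFault.exe also reads and writes the target it is given with -p) from matching on writes alone. One caveat when reading this report: both the dropper (PID 1364) and the hollowed InstallUtil.exe (PID 1264) ended in WerFault.exe, so the payload crashed in the sandbox and the recorded behaviour, including any traffic to the extracted C2, may be incomplete.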
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 261KB
MD5: 6f9627a9c6cb99bfb4cb01679d40ed28
SHA1: 278097b131c737c306be4e8c064b104c1911fe58
SHA256: f8fdd38f0d90bf025b959a47985aa6f04eeda24e3705b90ddf177f906e492504
SHA512: a682bd6f8822814332b396bdda2b43f27485bc2b396f1aef582fb33a8d1213c9be65a8869b5167a347bbbc2dd35ffa184fc38467da9805570399da47d618a430