Analysis
max time kernel: 136s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/01/2024, 07:46
Static task: static1
Behavioral task: behavioral1
Sample: 6a8a4bbb19d86c40938a18771c9ff4c1.exe
Resource: win7-20231215-en
General
Target: 6a8a4bbb19d86c40938a18771c9ff4c1.exe
Size: 3.9MB
MD5: 6a8a4bbb19d86c40938a18771c9ff4c1
SHA1: 9416b64c873fafd2835cabeae9a322ee6671de10
SHA256: bf7942c4a7de7c08083c2bb5961fe1b3fd7f5ab22f8bec2b0494d294aa4db32c
SHA512: 0523dfb127be53033b593ae1a410d6f08d4f8fee30b07f930244619a2cf21b5e0cf50c5ba5ea6060918bba3fd9029e0940b29ba90fab5886d91f5ef915450a28
SSDEEP: 49152:v3Pgz0GsP/7CYR3UTBb0xLCrSnBS4Guvx99yeUgncOVS/Ay06hPXql022:fPu0FP2jBbsnM4rvlyeUgcISB00S
Malware Config
Extracted
lumma
https://goddirtybrilliancece.fun/api
Signatures

Loads dropped DLL (1 IoCs)
pid | Process
4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4852 set thread context of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
212 | 4244 | WerFault.exe | 101
2588 | 4244 | WerFault.exe | 101

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
PID 4852 wrote to memory of 4244 | 4852 | 6a8a4bbb19d86c40938a18771c9ff4c1.exe | 101
Processes

C:\Users\Admin\AppData\Local\Temp\6a8a4bbb19d86c40938a18771c9ff4c1.exe
  "C:\Users\Admin\AppData\Local\Temp\6a8a4bbb19d86c40938a18771c9ff4c1.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4852

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    PID: 4244

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1032
      - Program crash
      PID: 212

    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 608
      - Program crash
      PID: 2588

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4244 -ip 4244
  PID: 1356

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4244 -ip 4244
  PID: 1940
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 337KB
MD5: 99baf88be502e3e37b49607be3916f79
SHA1: 3b471ff92c8872b27f36c97288c1dd9561e2dde7
SHA256: 96a25e6c6135b6715d163bbc51a2dfc0708650c5f5f96c20a7bf906326ac2887
SHA512: d11019d70633ee3b02fe293065140eb184eb199a6787d3964cff761a7792f3ed809b7243edcc3c7e600f7053711f5dad82a208410ba394fd2109c3a8fc3872d4