Analysis

- max time kernel: 93s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-02-2024 02:24

Static task: static1

Behavioral task: behavioral1
- Sample: 9a25ab8bdaa157c47a64fc2b0a1e443a.exe
- Resource: win7-20240221-en
- 2 signatures
- 150 seconds
General

- Target: 9a25ab8bdaa157c47a64fc2b0a1e443a.exe
- Size: 432KB
- MD5: 9a25ab8bdaa157c47a64fc2b0a1e443a
- SHA1: c96cc57a7bfeaf3415005965974ad721ffebdbbe
- SHA256: 14123370ea7689a1be3d067a5a53c96c47aaf2573714a08b65a25369a7523517
- SHA512: 010a8f22d17a7b17afc70c9ed12ca9a532108e99d1f3fb0dc59a0339473395aaf87781d83a14aff4bce751d4b2417f1d0edf16b6afe186ff9c325100058fed41
- SSDEEP: 12288:yh1Fk70Tnvjc2VlQeYvNdJ5rIHrtrwM/22w:8k70Trc2V96NdcHrtm5
Malware Config

Extracted
- Family: lumma
- C2:
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

In the tables below, pid and Process identify the process performing the action; procid_target is the report's internal index of the target process, not its PID. From the rows themselves, procid 86 is the RegAsm.exe instance with PID 2304 and procid 87 is the instance with PID 3200.

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   Process                               procid_target
  PID 4476 set thread context of 3200  4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   Process                               procid_target
  PID 4476 wrote to memory of 2304   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  86
  PID 4476 wrote to memory of 2304   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  86
  PID 4476 wrote to memory of 2304   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  86
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
  PID 4476 wrote to memory of 3200   4476  9a25ab8bdaa157c47a64fc2b0a1e443a.exe  87
Processes

- C:\Users\Admin\AppData\Local\Temp\9a25ab8bdaa157c47a64fc2b0a1e443a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a25ab8bdaa157c47a64fc2b0a1e443a.exe"
  PID: 4476
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2304

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 3200
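The Signatures and Processes sections together describe one behaviour: the sample (PID 4476) spawns two instances of the signed .NET utility RegAsm.exe, writes into the memory of both, and then sets a thread context in the second one (PID 3200). Writes followed by SetThreadContext on a freshly spawned child is the process hollowing sequence, and the first child (PID 2304), which received writes but no thread-context change, looks like an abandoned attempt. The script below is an added example, not part of the report or of any sandbox tooling: it parses IoC rows in the flattened form shown above, pairs writes with thread-context changes per (parent, child), and labels each pair. The constructed input abbreviates the nine writes into PID 3200 to two; the `KNOWN_HOSTS` watch-list of common hollowing hosts is an assumption of this example and is not stated by the report.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input in the report's flattened row format
# (description, pid, Process, procid_target). Abbreviated: the report lists
# nine writes into PID 3200, two are enough to show the pattern.
REPORT_IOCS = """\
PID 4476 wrote to memory of 2304 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 86
PID 4476 wrote to memory of 2304 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 86
PID 4476 wrote to memory of 2304 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 86
PID 4476 wrote to memory of 3200 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 87
PID 4476 wrote to memory of 3200 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 87
PID 4476 set thread context of 3200 4476 9a25ab8bdaa157c47a64fc2b0a1e443a.exe 87
"""

# PID -> image path, taken from the report's Processes section.
PROCESS_IMAGES = {
    4476: r"C:\Users\Admin\AppData\Local\Temp\9a25ab8bdaa157c47a64fc2b0a1e443a.exe",
    2304: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    3200: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
}

# Assumed watch-list of signed Microsoft binaries often used as hollowing
# hosts. This is an example choice, not something the report asserts.
KNOWN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
               "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}

IOC_LINE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_iocs(text: str) -> list[dict]:
    """Turn the flattened IoC rows into structured events; skip non-matching lines."""
    events = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "action": "write" if m["action"].startswith("wrote") else "set_context",
            "image": m["image"],
            "procid_target": int(m["procid_target"]),
        })
    return events


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased; works on any host OS."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events: list[dict], images: dict[int, str]) -> list[dict]:
    """
    One finding per (parent, child) pair. A pair is 'process_hollowing' when
    the parent both wrote into the child and set a thread context in it;
    pairs with writes only are reported as 'write_only' so that aborted
    attempts (like PID 2304 above) are not lost.
    """
    writes: dict[tuple[int, int], int] = defaultdict(int)
    contexts: set[tuple[int, int]] = set()
    for e in events:
        pair = (e["src"], e["dst"])
        if e["action"] == "write":
            writes[pair] += 1
        else:
            contexts.add(pair)

    findings = []
    for pair in sorted(set(writes) | contexts):
        src, dst = pair
        host = basename(images.get(dst, ""))
        hollowed = pair in contexts and writes[pair] > 0
        findings.append({
            "parent": src,
            "child": dst,
            "child_image": host,
            "writes": writes[pair],
            "set_context": pair in contexts,
            "known_host": host in KNOWN_HOSTS,
            "verdict": "process_hollowing" if hollowed else "write_only",
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_iocs(REPORT_IOCS), PROCESS_IMAGES):
        print(finding)
```

Run as-is it reports PID 2304 as write_only (three writes, no context change) and PID 3200 as process_hollowing with RegAsm.exe flagged as a known host. The same pairing logic applies to Sysmon or EDR telemetry once the source and target PIDs are extracted, which is the part that needs adapting per telemetry format.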