Analysis
- Max time kernel: 148s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 24-02-2024 21:22

Static task: static1

Behavioral task: behavioral1
- Sample: a2c6d851a502187a0146351ba636c1d1.exe
- Resource: win7-20240221-en
General
- Target: a2c6d851a502187a0146351ba636c1d1.exe
- Size: 150KB
- MD5: a2c6d851a502187a0146351ba636c1d1
- SHA1: 1a865903b5e20020083ef5d6dc99292b58024e5c
- SHA256: 1b77cac1dad528685fb7f2f19ddff24e6080a0024039671db5774b4a7ffbf68c
- SHA512: b79432127887a718f8707e5e767296b11f2cc8ff55da513f3bcf5c93b79f4bea9d9e5135c2d024ac05ac3fb7543133a07c22e270ed00761a0955f6b0374b4200
- SSDEEP: 3072:/vVi7IdvHF/PG5iKg2ZdUZICiuErVCU/cU3cedK9zpDqi4:/WIFl/u5iwZdUZKuuFxK9zxqr
Malware Config
Signatures
Detect Lumma Stealer payload V4 (3 IoCs)

| Resource | YARA rule |
|---|---|
| behavioral1/memory/1244-12-0x0000000000400000-0x00000000007C8000-memory.dmp | family_lumma_v4 |
| behavioral1/memory/1244-11-0x0000000002CC0000-0x0000000003088000-memory.dmp | family_lumma_v4 |
| behavioral1/memory/1668-18-0x0000000000400000-0x00000000007C8000-memory.dmp | family_lumma_v4 |

Executes dropped EXE (1 IoC)

| PID | Process |
|---|---|
| 1668 | winscrne.exe |

Loads dropped DLL (2 IoCs)

| PID | Process |
|---|---|
| 1244 | a2c6d851a502187a0146351ba636c1d1.exe |
| 1244 | a2c6d851a502187a0146351ba636c1d1.exe |

Drops file in System32 directory (20 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File opened for modification | C:\Windows\SysWOW64\winscrne.exe | a2c6d851a502187a0146351ba636c1d1.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe | a2c6d851a502187a0146351ba636c1d1.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe | winscrne.exe |
| File created | C:\Windows\SysWOW64\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe\winscrne.exe | winscrne.exe |

Suspicious use of WriteProcessMemory (4 IoCs)

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 1244 wrote to memory of 1668 | 1244 | a2c6d851a502187a0146351ba636c1d1.exe | winscrne.exe |
| PID 1244 wrote to memory of 1668 | 1244 | a2c6d851a502187a0146351ba636c1d1.exe | winscrne.exe |
| PID 1244 wrote to memory of 1668 | 1244 | a2c6d851a502187a0146351ba636c1d1.exe | winscrne.exe |
| PID 1244 wrote to memory of 1668 | 1244 | a2c6d851a502187a0146351ba636c1d1.exe | winscrne.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\a2c6d851a502187a0146351ba636c1d1.exe (PID 1244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2c6d851a502187a0146351ba636c1d1.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\winscrne.exe (PID 1668, child of PID 1244)
    Command line: C:\Windows\system32\winscrne.exe
    - Executes dropped EXE
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix