Analysis

Max time kernel: 146s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240221-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-02-2024 21:22

Static task: static1
Behavioral task: behavioral1
  Sample: a2c6d851a502187a0146351ba636c1d1.exe
  Resource: win7-20240221-en
General

Target: a2c6d851a502187a0146351ba636c1d1.exe
Size: 150KB
MD5: a2c6d851a502187a0146351ba636c1d1
SHA1: 1a865903b5e20020083ef5d6dc99292b58024e5c
SHA256: 1b77cac1dad528685fb7f2f19ddff24e6080a0024039671db5774b4a7ffbf68c
SHA512: b79432127887a718f8707e5e767296b11f2cc8ff55da513f3bcf5c93b79f4bea9d9e5135c2d024ac05ac3fb7543133a07c22e270ed00761a0955f6b0374b4200
SSDEEP: 3072:/vVi7IdvHF/PG5iKg2ZdUZICiuErVCU/cU3cedK9zpDqi4:/WIFl/u5iwZdUZKuuFxK9zxqr
Malware Config
Signatures

The signature hits below are tagged behavioral2, the Windows 10 run described in the Analysis header; the behavioral1 (win7-20240221-en) task is listed but its results are not on this page.

Detect Lumma Stealer payload V4 (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3988-8-0x0000000000400000-0x00000000007C8000-memory.dmp    family_lumma_v4
  behavioral2/memory/1080-13-0x0000000000400000-0x00000000007C8000-memory.dmp   family_lumma_v4
  Both the original sample (PID 3988) and the dropped copy (PID 1080) match the rule in the same 0x400000-0x7C8000 image region.

Executes dropped EXE (1 IoC)
  pid    process
  1080   winscrne.exe

Drops file in System32 directory (2 IoCs)
  description                    ioc                                 process
  File opened for modification   C:\Windows\SysWOW64\winscrne.exe    a2c6d851a502187a0146351ba636c1d1.exe
  File created                   C:\Windows\SysWOW64\winscrne.exe    a2c6d851a502187a0146351ba636c1d1.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid    process                                target process
  PID 3988 wrote to memory of 1080   3988   a2c6d851a502187a0146351ba636c1d1.exe   winscrne.exe
  PID 3988 wrote to memory of 1080   3988   a2c6d851a502187a0146351ba636c1d1.exe   winscrne.exe
  PID 3988 wrote to memory of 1080   3988   a2c6d851a502187a0146351ba636c1d1.exe   winscrne.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a2c6d851a502187a0146351ba636c1d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2c6d851a502187a0146351ba636c1d1.exe"
  PID: 3988
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\winscrne.exe (child of PID 3988)
    Command line: C:\Windows\system32\winscrne.exe
    PID: 1080
    - Executes dropped EXE

Note the path mismatch on the child: the command line names C:\Windows\system32, but the image that actually ran lives in C:\Windows\SysWOW64. That is WoW64 file-system redirection for a 32-bit process on x64 Windows (the task is tagged arch:x86), so a detection keyed on the literal string "system32" would miss this drop; match on the resolved image path instead.
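The three behavioural signatures above (drop into a system directory, launch of the dropped file, cross-process WriteProcessMemory) can be re-derived from raw process and file events. The script below is an added example, not the sandbox's own signature engine; its event records are constructed to mirror the process tree on this page (PIDs 3988 and 1080, winscrne.exe dropped into SysWOW64), and the field names ("type", "pid", "image", "path", "target_pid") are assumptions loosely modelled on Sysmon-style fields rather than any real log schema. The YARA hit is not reproduced because the rule itself is not on the page.

```python
"""Re-derive sandbox behavioural signatures from raw events (added example)."""
import ntpath
from collections import defaultdict

# Directories whose modification by a user-land process is worth flagging.
# Both spellings are matched on the resolved image path, so WoW64 redirection
# of "system32" to "SysWOW64" does not hide the drop.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a2c6d851a502187a0146351ba636c1d1.exe"
DROPPED = "C:\\Windows\\SysWOW64\\winscrne.exe"

# Constructed events (assumed schema), in the order the sandbox observed them.
EVENTS = [
    {"type": "process_create", "pid": 3988, "ppid": 0, "image": SAMPLE},
    {"type": "file_open_write", "pid": 3988, "path": DROPPED},
    {"type": "file_create", "pid": 3988, "path": DROPPED},
    {"type": "process_create", "pid": 1080, "ppid": 3988, "image": DROPPED},
    {"type": "write_process_memory", "pid": 3988, "target_pid": 1080},
    {"type": "write_process_memory", "pid": 3988, "target_pid": 1080},
    {"type": "write_process_memory", "pid": 3988, "target_pid": 1080},
]


def _norm(path):
    """Case-fold so System32 and system32 compare equal (NTFS is case-insensitive)."""
    return path.lower()


def _name(image):
    """Image name only, as the report's process column shows it."""
    return ntpath.basename(image)


def analyse(events):
    """Return {signature name: [ioc dict, ...]} for one run's events."""
    images = {}          # pid -> image path of every process created
    written = set()      # normalised paths any monitored process wrote
    sigs = defaultdict(list)

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            images[ev["pid"]] = ev["image"]
            img = _norm(ev["image"])
            # A new process whose image was written earlier in this run is
            # a dropped executable being launched.
            if img in written and img.endswith(".exe"):
                sigs["Executes dropped EXE"].append(
                    {"pid": ev["pid"], "process": _name(ev["image"])})
        elif kind in ("file_create", "file_open_write"):
            p = _norm(ev["path"])
            written.add(p)
            if p.startswith(SYSTEM_DIRS):
                desc = ("File created" if kind == "file_create"
                        else "File opened for modification")
                sigs["Drops file in System32 directory"].append(
                    {"description": desc, "ioc": ev["path"],
                     "process": _name(images.get(ev["pid"], "?"))})
        elif kind == "write_process_memory":
            # Writing into another process's memory is the start of
            # injection or hollowing; each call counts as one IoC.
            if ev["target_pid"] != ev["pid"]:
                sigs["Suspicious use of WriteProcessMemory"].append(
                    {"description": f"PID {ev['pid']} wrote to memory of {ev['target_pid']}",
                     "pid": ev["pid"],
                     "process": _name(images.get(ev["pid"], "?")),
                     "target process": _name(images.get(ev["target_pid"], "?"))})
    return dict(sigs)


def render(sigs):
    """Format the result the way the report lists signatures."""
    lines = []
    for name, iocs in sigs.items():
        lines.append(f"{name} {len(iocs)} IoCs")
        for ioc in iocs:
            lines.append("  " + "  ".join(f"{k}={v}" for k, v in ioc.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyse(EVENTS)))
```

Run against the constructed events it reports the same counts as the page (2, 1 and 3 IoCs); a process that only writes its own memory and drops files outside the system directories produces no hits.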
Network
MITRE ATT&CK Matrix