Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system -
submitted
21-04-2024 04:51
Static task
static1
Behavioral task
behavioral1
Sample
cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral2
Sample
cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe
Resource
win11-20240412-en
General
-
Target
cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe
-
Size
6.1MB
-
MD5
ff48ea9f90dadf5201438b1e9de131b9
-
SHA1
0adcbf8ef9f00875d10f4851fb8a2c23def7d1a4
-
SHA256
cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529
-
SHA512
1b4ac86e1315d8fe471aaa33eef9cac4809d48e1b949c1d6adb268b4b75038f8b716faa95575f9c89d98172259d09bad2cc3a85ae709e02d2ea9449b9cfe7d22
-
SSDEEP
98304:YNw/Xb1EVZoSip8lfNLtiyIaHgEPUD1J9IxAwST07NqWifSpO16eKMi+tt3HkDMi:NQgp8FvFHz491SsYQ6r5+tt3BWH9RzKo
Malware Config
Extracted
lumma
https://greetclassifytalk.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe, work.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | work.exe
-
Executes dropped EXE 2 IoCs
Processes: work.exe, festh.exe
pid | process
2832 | work.exe
4244 | festh.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\festh.exe | vmprotect
behavioral1/memory/4244-21-0x0000000000930000-0x000000000122C000-memory.dmp | vmprotect
behavioral1/memory/4244-20-0x0000000000930000-0x000000000122C000-memory.dmp | vmprotect
behavioral1/memory/4244-23-0x0000000000930000-0x000000000122C000-memory.dmp | vmprotect
behavioral1/memory/4244-24-0x0000000000930000-0x000000000122C000-memory.dmp | vmprotect
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: festh.exe
pid | process
4244 | festh.exe
4244 | festh.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe, cmd.exe, work.exe
description | pid | process | target process
PID 2596 wrote to memory of 3536 | 2596 | cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe | cmd.exe
PID 2596 wrote to memory of 3536 | 2596 | cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe | cmd.exe
PID 2596 wrote to memory of 3536 | 2596 | cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe | cmd.exe
PID 3536 wrote to memory of 2832 | 3536 | cmd.exe | work.exe
PID 3536 wrote to memory of 2832 | 3536 | cmd.exe | work.exe
PID 3536 wrote to memory of 2832 | 3536 | cmd.exe | work.exe
PID 2832 wrote to memory of 4244 | 2832 | work.exe | festh.exe
PID 2832 wrote to memory of 4244 | 2832 | work.exe | festh.exe
PID 2832 wrote to memory of 4244 | 2832 | work.exe | festh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cff5657843fe7039f6e15fbfdb8728b1b752d66503d0564dbe5b3bb4c567a529.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe (depth 3)
Command line: work.exe -priverdD
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\festh.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\festh.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B
MD5
ff59d999beb970447667695ce3273f75
SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
5.8MB
MD5
9eecde1399cc9081d8e2c3b228ce34ea
SHA1
7951e70bd9231d7a88cd2b9ed151ef9c936da11f
SHA256
3095b5364a984068acd8d54e6d4740db378750160657e50705bdba5be66f35c6
SHA512
cd1ebfa6e8a8d4ac03f8b89bc56e7abd8caaa54c813c1da8aebcdb5443b9d95c651ab26580994bf3c05b90a99bc07b56aeeb2d070456adefd64edd26919d31dd
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\festh.exe
Filesize
5.5MB
MD5
9e5880b7c48bb2b7532b0a1b68ef8747
SHA1
1cc4383ea2879b960edc6516e682d21f42fceef7
SHA256
195669b35daa53ca30d9b9bf7e93eaef8f48c610abfd039e74e015d50a3034af
SHA512
a62c2797aaf4215ab648266ee37b690304f66bb947b46eb7c98f1b47956aee589a2bbe8ab89c9a4984b8be4ac7bb6ffa1440c9e32251e15bea5d2f87f4e134df
-
memory/4244-19-0x0000000001260000-0x0000000001261000-memory.dmp
Filesize
4KB
-
memory/4244-21-0x0000000000930000-0x000000000122C000-memory.dmp
Filesize
9.0MB
-
memory/4244-20-0x0000000000930000-0x000000000122C000-memory.dmp
Filesize
9.0MB
-
memory/4244-23-0x0000000000930000-0x000000000122C000-memory.dmp
Filesize
9.0MB
-
memory/4244-24-0x0000000000930000-0x000000000122C000-memory.dmp
Filesize
9.0MB