Analysis
- max time kernel: 133s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 16:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240215-en
General
- Target: file.exe
- Size: 8.8MB
- MD5: abe4d6f2f3fc583003b70c8c0e24e268
- SHA1: 9090db13cf2cb3e8036b2911c0124b6de6d1e3a0
- SHA256: 454be1f15b87f6ca55ad6b5438fa262d83dc041e6bd40b6aceca92f9e0936be5
- SHA512: 1dac0f0d1642061642f4e945a4bb8caf5b19d631bf6209f89257d439be059df89282962f9a3dd0f44c8859f300d1206c6996cf1b9e8bc63c5ed6e321f207b29a
- SSDEEP: 49152:oA1RVfVkJix2rb/TXvO90d7HjmAFd4A64nsfJCzGoi5Upu19lpH5pIm/Y3dNdvns:D2JisGW097Im/Y43uLw7nvE7Qwuiq9
Malware Config
- Extracted family: lumma
- C2 URLs:
https://questionconservawuts.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://roomabolishsnifftwk.shop/api
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          pid  process   target process
  PID 532 set thread context of 4000   532  file.exe  BitLockerToGo.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                        pid  process   target process
  PID 532 wrote to memory of 4000    532  file.exe  BitLockerToGo.exe
  PID 532 wrote to memory of 4000    532  file.exe  BitLockerToGo.exe
  PID 532 wrote to memory of 4000    532  file.exe  BitLockerToGo.exe
  PID 532 wrote to memory of 4000    532  file.exe  BitLockerToGo.exe
  PID 532 wrote to memory of 4000    532  file.exe  BitLockerToGo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 532
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    PID: 4000