Analysis
- max time kernel: 57s
- max time network: 78s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 19:09
General
- Target: Hamster Combat Bot.exe
- Size: 6.0MB
- MD5: e4b54540b9179f0e0a33c0f2ceda41f9
- SHA1: 17188578cea65d937f53ad8613169ef9cf57d234
- SHA256: b245e96d0038864a580de095bc6280d512482bf5f562737becf725f78220492b
- SHA512: 9b08a555e194edb4cd5a536cf85aef9623bc8b9892bc2ccfb2e757593e86ecc66e884884aaf2ce5b2bf49ff866ad72656908d33c762a01737330e6c18ae2bc7f
- SSDEEP: 196608:Lhj8W8xzimuukA7cfDCUWOWXSaioVAxUfcOd7:qcbmOWYoS2fFd
Malware Config
Extracted
- Protocol: ftp
- Host: 146.19.207.14
- Port: 21
- Username: anonymous
- Password: anonymous@
Extracted
lumma
Signatures
- Executes dropped EXE (1 IoC)
  Processes: update.exe (PID 1564)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: update.exe (PID 1564) set thread context of RegAsm.exe (PID 3644)
- Program crash (1 IoC)
  Processes: WerFault.exe (PID 3484), target process update.exe (PID 1564)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: Hamster Combat Bot.exe (PID 752)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 752 Hamster Combat Bot.exe wrote to memory of PID 4972 cmd.exe (2 events)
  - PID 4972 cmd.exe wrote to memory of PID 1564 update.exe (3 events)
  - PID 1564 update.exe wrote to memory of PID 3644 RegAsm.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Hamster Combat Bot.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hamster Combat Bot.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dll\update.exe
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dll\update.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\dll\update.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 256
        - Program crash
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1564 -ip 1564
Downloads
- C:\Users\Admin\AppData\Local\Temp\dll\update.exe
  Filesize: 1.2MB
  MD5: 913af85d4f776d4d483e76dc50d04cbf
  SHA1: ef324792fc1bf48227b69e5ecb146da9d3350af5
  SHA256: 285c0431be18594bcc9496b004cf1079418c70d673dcbe43195745ffccf796b1
  SHA512: 1085fce0d5b2e97f0c2b70d7a24919b34a1f8edc54810c8ce79e6c18222e6c2fd0238c32833c7227ca58fb0502554bcd1104659164090b640461c68af2e7d0c4
- memory/1564-9-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/1564-10-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/1564-12-0x0000000000DD0000-0x0000000000DD1000-memory.dmp (Filesize: 4KB)
- memory/3644-11-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/3644-14-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/3644-15-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/3644-16-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)