Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
04-07-2024 19:28
Static task
static1
Behavioral task
behavioral1
Sample
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe
Resource
win7-20240221-en
General
-
Target
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe
-
Size
565KB
-
MD5
efdc51a044c4265b8623d212737a4b84
-
SHA1
b26024ce65d9585070b7af5b4e7f4e3647e4be7e
-
SHA256
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b
-
SHA512
a68a83c1054d2b1dfb43144e58ccaddc1f58468e02e2f40978c1fe9119747f737de65930ed3f500c00e9d8ae5e00e42a7a30f8e366af1e58178729536dd514e5
-
SSDEEP
12288:sENv3ccWd6SUCVBsQLyfXgOKyDFzKIHB4ladY8kqqwhyvT5NkeTEWYRqWXYLlmlV:sENvMFd6xuLyfXglOpm
Malware Config
Extracted
lumma
https://bitchsafettyudjwu.shop/api
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exepid process 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exedescription pid process target process PID 4536 set thread context of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
aspnet_regiis.exepid process 3228 aspnet_regiis.exe 3228 aspnet_regiis.exe 3228 aspnet_regiis.exe 3228 aspnet_regiis.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exedescription pid process target process PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe PID 4536 wrote to memory of 3228 4536 1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe aspnet_regiis.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe"C:\Users\Admin\AppData\Local\Temp\1d19a11b77dccb759dd86f9d0481bc144ea353118865ac8476be21733af1678b.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3228
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
452KB
MD5b0774c8d79fb4ba12d2dbb647ade2a8f
SHA18f91d3922240734f01db7aa2118eb0973d1c5a15
SHA2565de43f8c8868e9e42b3187817dd376f868f7f3c5324b4907ce74badd226e7b6a
SHA512c675b10f0d71434d8b547ddda0041a6d920f01efefa310877cf9ec14f3c1a2a762fda5c6669f3261f8351b0f9afbdcb78d8fd7d68df6dc993ff1ddb3b1443ffe