Analysis
max time kernel: 530s
max time network: 594s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 21:15
Static task: static1 (1 signature)
General
Target: s1.exe
Size: 21.3MB
MD5: 1e02feadcf0565bc636fe2b48580c133
SHA1: aee73dc45371a50878556201cb13fce4923bcb47
SHA256: 34656ef1ee64ca950ce6c85c4b8ca9977febd3f67c990b940cd960860881a634
SHA512: 99e0aac648e3904b45c35b6bc3ca44af5b461e95f3ce746e8dfd6937e259f3d052847710659f8880642438bfa8197c8800723f32f8efa0e5e3bf261ce62db77a
SSDEEP: 98304:/V7/kWotzffMGgFsud1ustuSJQozcgO/B8Px3DwGVMbalzWayZ1Ex3kmivUQe0I4:StzffMbsWnQoxucxDwGjXJx0TUD
Malware Config (extracted)
Family: lumma
C2: https://nobledpcowep.shop/api
Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes (s1.exe):
  description                     pid   process   target process
  set thread context of 4468      2004  s1.exe    BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (BitLockerToGo.exe):
  pid   process
  4468  BitLockerToGo.exe
  4468  BitLockerToGo.exe
  4468  BitLockerToGo.exe
  4468  BitLockerToGo.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (s1.exe):
  description               pid   process
  Token: SeDebugPrivilege   2004  s1.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes (s1.exe):
  description                  pid   process   target process
  wrote to memory of 4468      2004  s1.exe    BitLockerToGo.exe
  wrote to memory of 4468      2004  s1.exe    BitLockerToGo.exe
  wrote to memory of 4468      2004  s1.exe    BitLockerToGo.exe
  wrote to memory of 4468      2004  s1.exe    BitLockerToGo.exe
  wrote to memory of 4468      2004  s1.exe    BitLockerToGo.exe
Processes (process tree; level 2 is a child of level 1)

1. C:\Users\Admin\AppData\Local\Temp\s1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\s1.exe"
   PID: 2004
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 4468
      - Suspicious behavior: EnumeratesProcesses