Analysis
max time kernel: 121s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 04:02
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: b82c80a3ce9b5c44391d3f11307f8b8e.exe
Resource: win7-20240704-en
0 signatures
150 seconds
General
Target: b82c80a3ce9b5c44391d3f11307f8b8e.exe
Size: 6.5MB
MD5: b82c80a3ce9b5c44391d3f11307f8b8e
SHA1: 7480059bc051383eaaf0d83b7f39d7c4989e4dea
SHA256: ce9b5ec3693188ed91e363e55286cd212f44912b042bd83a924af2f43daaa55f
SHA512: c04bb5a116dfbe2599ce91e084888d5c051e831812ed75e7d0fd40373f0f0ade7701246a433cf5552b5b8b370155b95547f8165d7d38c76325124c7afbf431e2
SSDEEP: 49152:8im7Z/AvmNVNL6B6QeuuLlKHqhk/6eYivn7Bp+CiOo0NGpkAF3j+5E3BN7ObFb+I:/fe3F8+eYYn1liONE3B2AK8i
Malware Config
Extracted
Family: lumma
C2: https://citizencenturygoodwk.shop/api
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process                               target process
  PID 3228 set thread context of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  3560  BitLockerToGo.exe
  3560  BitLockerToGo.exe
  3560  BitLockerToGo.exe
  3560  BitLockerToGo.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                      pid   process                               target process
  PID 3228 wrote to memory of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
  PID 3228 wrote to memory of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
  PID 3228 wrote to memory of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
  PID 3228 wrote to memory of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
  PID 3228 wrote to memory of 3560  3228  b82c80a3ce9b5c44391d3f11307f8b8e.exe  BitLockerToGo.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b82c80a3ce9b5c44391d3f11307f8b8e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b82c80a3ce9b5c44391d3f11307f8b8e.exe"
   PID: 3228
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of PID 3228)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 3560
      - Suspicious behavior: EnumeratesProcesses