Analysis
max time kernel: 91s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 14:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240704-en
  0 signatures
  150 seconds
General
Target: file.exe
Size: 4.7MB
MD5: 9635389d4492a1bb338d7467cc79a84f
SHA1: 5bf4e06b683c07b6b59da041bc81fdc0e2accf5c
SHA256: b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2
SHA512: 106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508
SSDEEP: 49152:ZadqSJa0AzAku0pfKEae72f9tMcf3gBXkjV5Eh/GRJcwq7lSv5TG11kA:IbJa0AFjk5E8a1D
Malware Config (Extracted)
Family: lumma
C2: https://radiationnopp.shop/api
Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process   target process
  PID 4928 set thread context of 4028  4928  file.exe  BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  4028  BitLockerToGo.exe   (4 identical entries)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                          pid   process   target process
  PID 4928 wrote to memory of 4028     4928  file.exe  BitLockerToGo.exe   (5 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\file.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
   PID: 4928
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (child of PID 4928)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 4028
      - Suspicious behavior: EnumeratesProcesses