Analysis

max time kernel: 94s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2024 03:55
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 3d0e88c3d98ff52d7a4a9f6e47872c70.exe
  Resource: win7-20240220-en
  0 signatures, 150 seconds
General

Target: 3d0e88c3d98ff52d7a4a9f6e47872c70.exe
Size: 6.6MB
MD5: 3d0e88c3d98ff52d7a4a9f6e47872c70
SHA1: a18e425aeff4390b9feee83b523bb108ea26c8e1
SHA256: 25a73f951de64a2002227a01c1365c291059d578db3bbd9da01eed67ebe19839
SHA512: 968553a41c5b8e2ebed773327609c0f09ac4ed1243aa9cd0d38cb6e7b7cc3408bea88261da5cb14a91990574510ac81732e91cc7f57caabd288e9aa4a10c564c
SSDEEP: 49152:T2pLnmlP4CRmgkWXfaadQ7hKIP0bgHdno22ctHNjjODAvjV5E8ZkqhHmX5uBhSWB:XP4OBXi0bgHdnhLXE8YrK/5
Malware Config

Extracted
Family: lumma
C2: https://asdasdadskewk.shop/api
Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
Processes: 3d0e88c3d98ff52d7a4a9f6e47872c70.exe
  description                           pid   process                                target process
  PID 3984 set thread context of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: BitLockerToGo.exe
  pid   process
  1036  BitLockerToGo.exe
  1036  BitLockerToGo.exe
  1036  BitLockerToGo.exe
  1036  BitLockerToGo.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: 3d0e88c3d98ff52d7a4a9f6e47872c70.exe
  description                        pid   process                                target process
  PID 3984 wrote to memory of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe
  PID 3984 wrote to memory of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe
  PID 3984 wrote to memory of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe
  PID 3984 wrote to memory of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe
  PID 3984 wrote to memory of 1036   3984  3d0e88c3d98ff52d7a4a9f6e47872c70.exe   BitLockerToGo.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3d0e88c3d98ff52d7a4a9f6e47872c70.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d0e88c3d98ff52d7a4a9f6e47872c70.exe"
   PID: 3984
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 1036
      - Suspicious behavior: EnumeratesProcesses