Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2024 05:20

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: f2a5c7e8313862aca9b7a6314ca73f3a.exe
Resource: win7-20240705-en (0 signatures, 150 seconds)
General

Target: f2a5c7e8313862aca9b7a6314ca73f3a.exe
Size: 5.2MB
MD5: f2a5c7e8313862aca9b7a6314ca73f3a
SHA1: dd9f9c6d3dfc2805e8851676679cd9734a877eea
SHA256: ca66a07c7d3fc179579bc8ffe620503fe7f86abdd1abb0c17fbe5bfef42d7b9f
SHA512: a459adc6ce2cc9d19672894de1df41228da0b072bbbd67493b7a1d3b57cd491c0c62b7e842e1d7306719e889fe777b915b3de274f4dad52ba5ba601783e79a13
SSDEEP: 49152:Z6dH/1E4lojlIfw68P9//EctarfVW7c9PqoEv0V8jM5ERIcRjtS7HU4sOThLJG+6:E9tzQIUhZh7cJxEIZJX6
Malware Config (Extracted)

Family: lumma
C2: https://affecthorsedpo.shop/api
Signatures

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 3360 (f2a5c7e8313862aca9b7a6314ca73f3a.exe) set thread context of PID 4128 (BitLockerToGo.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 4128 (BitLockerToGo.exe), 4 occurrences
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 3360 (f2a5c7e8313862aca9b7a6314ca73f3a.exe) wrote to memory of PID 4128 (BitLockerToGo.exe), 5 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\f2a5c7e8313862aca9b7a6314ca73f3a.exe (PID 3360)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f2a5c7e8313862aca9b7a6314ca73f3a.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 4128)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      - Suspicious behavior: EnumeratesProcesses