1154b67fdd4c7948e515c6c33c02725f491b35b47c9d1d88e6a5e8ede962ca4f

Analysis

max time kernel
425s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LithiumNukerV2-main/LithiumNukerV2.exe
Size

17KB
MD5

141296b8484e510e357fc620613fd4ba
SHA1

ad5dcb55883e74b53da1c6d94ce18b1788ba67a6
SHA256

0a918070f9cf821847b17df6c9d8858e1dd2da30a7d7121e06efe27eff740ad4
SHA512

dde9ef0c074ea607c7acf6d248f4b6980cb9e057ade6885d2c5091ebc71f7842dc113f813a4d5d54a7a0d6acbb2437cbd9684d1472872313d2c62f8794e42b2e
SSDEEP

192:zvrvG+/dLz9R3nLc8MGzSnCs3Hznvjd0p6oUYc84C3LZm94qt5fOrool:zzn/d08fSvXznvjd0/cu3L0flo

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

flow	ioc
48	discord.com
52	discord.com
66	discord.com
57	discord.com
64	discord.com
49	discord.com
55	discord.com
56	discord.com
63	discord.com
65	discord.com
68	discord.com
70	pastebin.com
40	discord.com
51	discord.com
54	discord.com
60	discord.com
41	discord.com
58	discord.com
61	discord.com
46	discord.com
69	discord.com
50	discord.com
59	discord.com
62	discord.com
47	discord.com
53	discord.com
67	discord.com
71	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LithiumNukerV2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	LithiumNukerV2.exe

C:\Users\Admin\AppData\Local\Temp\LithiumNukerV2-main\LithiumNukerV2.exe
"C:\Users\Admin\AppData\Local\Temp\LithiumNukerV2-main\LithiumNukerV2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/644-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/644-2-0x0000000005680000-0x0000000005698000-memory.dmp

Filesize
96KB

Download
memory/644-3-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/644-4-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/644-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/644-6-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/644-7-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/644-8-0x0000000005B70000-0x0000000005BE6000-memory.dmp

Filesize
472KB

Download
memory/644-9-0x00000000059A0000-0x00000000059BE000-memory.dmp

Filesize
120KB

Download
memory/644-10-0x0000000006740000-0x00000000067F0000-memory.dmp

Filesize
704KB

Download
memory/644-11-0x00000000063A0000-0x00000000063C2000-memory.dmp

Filesize
136KB

Download
memory/644-12-0x0000000009C10000-0x0000000009F64000-memory.dmp

Filesize
3.3MB

Download
memory/644-16-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download