Analysis

- max time kernel: 103s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2025, 07:21 (dd/mm/yyyy; the image used is dated 2025-06-10, so this is 1 July 2025)
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f59c4abf1d82c01d36d7fbcc5e757a2d.exe
  - Resource: win10v2004-20250610-en
General

- Target: f59c4abf1d82c01d36d7fbcc5e757a2d.exe
- Size: 1.2MB
- MD5: f59c4abf1d82c01d36d7fbcc5e757a2d
- SHA1: 47df3c64f6c22efdafd6b99e9df00f6b9df67efb
- SHA256: 42f3f02f068d4c71db86b450dc03897b2ff27554402ac37deb4817856555ad8a
- SHA512: dcc27f66457f38563c9310e27ba23beef39c57c7a3d75b6e528a2baceb72cf6c7dddaf2fe4345cc90c9998e930b7c2829e4a0035dc41e92cb1fc2de0a4b0fa8a
- SSDEEP: 24576:IS6Hg7JOPy1xDoeAkCKeFfLS4/asByWfLS4/asBy:IRgFJ7mKeFzSs1zSs
Malware Config

Extracted: lumma

- C2:
  - https://t.me/vstalnasral555
  - https://swenku.xyz/gaok
  - https://pacwpw.xyz/qwpr
  - https://comkxjs.xyz/taox
  - https://unurew.xyz/anhd
  - https://trsuv.xyz/gait
  - https://sqgzl.xyz/taoa
  - https://cexpxg.xyz/airq
  - https://urarfx.xyz/twox
  - https://liaxn.xyz/nbzh
- build_id: d488cf6547f510dbfa48b6ad20c64a73d20aa588797b747694
Signatures

- Lumma family

- Suspicious use of SetThreadContext (1 IoC)

  description                          pid   Process                                procid_target
  PID 4516 set thread context of 212   4516  f59c4abf1d82c01d36d7fbcc5e757a2d.exe   89

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MSBuild.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)

  pid   Process
  212   MSBuild.exe   (4 identical rows)

- Suspicious use of WriteProcessMemory (9 IoCs)

  description                       pid   Process                                procid_target
  PID 4516 wrote to memory of 212   4516  f59c4abf1d82c01d36d7fbcc5e757a2d.exe   89   (9 identical rows)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f59c4abf1d82c01d36d7fbcc5e757a2d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f59c4abf1d82c01d36d7fbcc5e757a2d.exe"
   PID: 4516
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 212
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
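The two injection signatures above (the sample spawns MSBuild.exe, writes into it nine times, then resets its thread context) are the classic process-hollowing sequence, and the extracted config is what gets turned into blocklist entries. The Python below is an added example, not part of this report or of any sandbox's code: it correlates event records constructed to mirror the report's IoC rows (PIDs 4516 and 212, the same image names) into a single hollowing finding, and pulls hostnames out of the extracted C2 list. `HOLLOW_HOSTS`, `Event`, `find_hollowing` and `c2_hosts` are names chosen here; the devenv.exe/conhost.exe records are invented benign noise to show that a write without a thread-context change is not flagged.

```python
"""Correlate process-injection IoCs into a hollowing finding.

Added example, not part of the sandbox report. The EVENTS list is
constructed to mirror the report's own rows (PID 4516 -> PID 212,
MSBuild.exe); it is not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Signed Microsoft binaries frequently used as hollowing hosts.
# Assumption: a starting list to tune for your environment.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class Event:
    action: str        # "create" | "write_memory" | "set_thread_context"
    pid: int           # acting process
    image: str         # acting process image name
    target_pid: int    # process acted upon (for "create": the new child)
    target_image: str  # target process image name


SAMPLE = "f59c4abf1d82c01d36d7fbcc5e757a2d.exe"

# Constructed events modeled on the report: one create, nine writes,
# one thread-context change, plus invented benign noise (write only).
EVENTS = [
    Event("create", 4516, SAMPLE, 212, "MSBuild.exe"),
    *[Event("write_memory", 4516, SAMPLE, 212, "MSBuild.exe") for _ in range(9)],
    Event("set_thread_context", 4516, SAMPLE, 212, "MSBuild.exe"),
    Event("create", 7000, "devenv.exe", 7010, "conhost.exe"),
    Event("write_memory", 7000, "devenv.exe", 7010, "conhost.exe"),
]


def find_hollowing(events):
    """Return one finding per (source, target) pair that shows both a memory
    write and a thread-context change; annotate whether the source also
    spawned the target and whether the target is a known hollowing host."""
    actions = defaultdict(set)
    writes = defaultdict(int)
    target_image = {}
    for e in events:
        key = (e.pid, e.target_pid)
        actions[key].add(e.action)
        target_image[key] = e.target_image
        if e.action == "write_memory":
            writes[key] += 1
    findings = []
    for key, acts in actions.items():
        if {"write_memory", "set_thread_context"} <= acts:
            src, dst = key
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "target_image": target_image[key],
                "writes": writes[key],
                "spawned_by_source": "create" in acts,
                "known_host": target_image[key].lower() in HOLLOW_HOSTS,
            })
    return findings


# The C2 list exactly as extracted above. The t.me entry is a Telegram
# channel, which Lumma uses as a dead-drop resolver rather than a direct C2.
C2_CONFIG = """\
https://t.me/vstalnasral555
https://swenku.xyz/gaok
https://pacwpw.xyz/qwpr
https://comkxjs.xyz/taox
https://unurew.xyz/anhd
https://trsuv.xyz/gait
https://sqgzl.xyz/taoa
https://cexpxg.xyz/airq
https://urarfx.xyz/twox
https://liaxn.xyz/nbzh
"""


def c2_hosts(config_text):
    """Hostnames from an extracted C2 list, de-duplicated and sorted,
    ready for a DNS blocklist or a retro-hunt over proxy logs."""
    hosts = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            host = urlparse(line).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f)
    print(c2_hosts(C2_CONFIG))
```

In host telemetry the closest equivalents to these rows are Sysmon Event ID 1 (process create) and Event ID 10 (ProcessAccess, where a GrantedAccess mask that includes PROCESS_VM_WRITE, 0x0020, stands in for the write); SetThreadContext itself is not logged by Sysmon, so on endpoints the usual key is a write into a child that was started suspended. Note also that the hollowed host is C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, the 32-bit .NET Framework build (Framework64 is the 64-bit one), which matches the arch:x86 resource tag: whatever was written into PID 212 is 32-bit code, which matters when picking a memory-scanning or YARA approach.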