Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
16s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
07/01/2024, 00:18
General
-
Target
4789024a329b2261b6913ae6de68180e.exe
-
Size
692KB
-
MD5
4789024a329b2261b6913ae6de68180e
-
SHA1
27fdab1e2ed3dcabbb4fa8b5a093fa5e64378799
-
SHA256
5b0277f87ba9d6f996b755001949f7563f7e08800a5b984aeeb65118e345a0aa
-
SHA512
16c19d8e9c10943ad1e8513bcb7a7cac6ffe709164a85de217e3687c9d58e674ba55cf0c53711fe949278d3484e4a0a54cd9e6abd4d3924fd98943dd3efaaf60
-
SSDEEP
12288:pPAk41FUmnH/VFwl7uGcqh9L8I+UfqgjoGsnipVEYhXt7nXfgkSQ:d54/UWfVFwFuGcwtaY1Bl4kSQ
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 20 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies security service 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Runs .reg file with regedit 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4789024a329b2261b6913ae6de68180e.exe"C:\Users\Admin\AppData\Local\Temp\4789024a329b2261b6913ae6de68180e.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 708 "C:\Users\Admin\AppData\Local\Temp\4789024a329b2261b6913ae6de68180e.exe"2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 740 "C:\Windows\SysWOW64\winapi.exe"3⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 752 "C:\Windows\SysWOW64\winapi.exe"4⤵
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 756 "C:\Windows\SysWOW64\winapi.exe"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 760 "C:\Windows\SysWOW64\winapi.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 764 "C:\Windows\SysWOW64\winapi.exe"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 768 "C:\Windows\SysWOW64\winapi.exe"8⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 772 "C:\Windows\SysWOW64\winapi.exe"9⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 744 "C:\Windows\SysWOW64\winapi.exe"10⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Runs .reg file with regedit
-
-
-
C:\Windows\SysWOW64\winapi.exeC:\Windows\system32\winapi.exe 776 "C:\Windows\SysWOW64\winapi.exe"11⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Runs .reg file with regedit
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat1⤵
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat1⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg2⤵
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg1⤵
- Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
Filesize
61KB
MD5c86b4e064d2a7943e2145bc95c0bed70
SHA1d20c32a1c89cd86cf4aaf226ea0220546a91b1a1
SHA2568d184d01f301d39d45ae445531f448c2ebb3014ec577639b38d8f78a9e9742e3
SHA5122a6b8cfb5899f3b8a0b7c80ce2ff0f429060555f5cd88153b43eed882d92170f7de53c4fabeb8b771f947a4553a8dce3e1102ab3d12c951d13f3d736256908b1
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB
-
Filesize
7.4MB