Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21/04/2024, 11:05

General

  • Target

    Setup.exe

  • Size

    8.5MB

  • MD5

    98169506fec94c2b12ba9930ad704515

  • SHA1

    bce662a9fb94551f648ba2d7e29659957fd6a428

  • SHA256

    9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

  • SHA512

    7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

  • SSDEEP

    196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Malware Config

Extracted

Family

lumma

C2

https://bettynoticecovej.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Suspicious use of SetThreadContext
    • Registers COM server for autorun
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
        C:\Users\Admin\AppData\Local\Temp\tracewpp.exe
        3⤵
        • Loads dropped DLL
        PID:1556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\e6b4c6f5

    Filesize

    1.2MB

    MD5

    f6e8c852c20da674bcf6ad316026298c

    SHA1

    0ad165a549928423d173fe7fbb295755fb5e645a

    SHA256

    8e9030c532003305a0954d9ea4ace5dcf198f02f7d72db782e3c753c1cf1766c

    SHA512

    f36d1abf46675f1c099c2329665add6571ef7b3d05439c90a1e2babb90918516f3eb0395651dc02617f76c0a849f1264b864a2c83a175b62b615c7491e215b5b

  • C:\Users\Admin\AppData\Local\Temp\tracewpp.exe

    Filesize

    207KB

    MD5

    0930890f83efad2a3091d1e3f0b82707

    SHA1

    e0dcdefdde9dddd482e0b72504b35e96b795b27e

    SHA256

    e8be7f038dd98179a1a27d5b176d23a60ad44426442699a3b9b714f9778c5cf2

    SHA512

    608e2a169a9eb3c1b8e4459704e87123e5d04de57937175811a3f67559f0ead77b09e48562c1df732552a6aca7a8089528f43cda83bcdad1644a089b11a0e9f6

  • memory/1556-51-0x0000000000220000-0x000000000026E000-memory.dmp

    Filesize

    312KB

  • memory/1556-50-0x0000000000220000-0x000000000026E000-memory.dmp

    Filesize

    312KB

  • memory/1556-49-0x0000000000AB0000-0x0000000000B34000-memory.dmp

    Filesize

    528KB

  • memory/1556-47-0x0000000000220000-0x000000000026E000-memory.dmp

    Filesize

    312KB

  • memory/1556-46-0x00007FF988BD0000-0x00007FF988DC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1944-42-0x00000000743D0000-0x000000007454B000-memory.dmp

    Filesize

    1.5MB

  • memory/1944-40-0x00000000743D0000-0x000000007454B000-memory.dmp

    Filesize

    1.5MB

  • memory/1944-41-0x00000000743D0000-0x000000007454B000-memory.dmp

    Filesize

    1.5MB

  • memory/1944-38-0x00007FF988BD0000-0x00007FF988DC5000-memory.dmp

    Filesize

    2.0MB

  • memory/4856-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-35-0x00007FF96A5A0000-0x00007FF96A712000-memory.dmp

    Filesize

    1.4MB

  • memory/4856-34-0x00007FF96A5A0000-0x00007FF96A712000-memory.dmp

    Filesize

    1.4MB

  • memory/4856-20-0x00007FF96A5A0000-0x00007FF96A712000-memory.dmp

    Filesize

    1.4MB

  • memory/4856-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-0-0x0000000003FA0000-0x0000000004188000-memory.dmp

    Filesize

    1.9MB

  • memory/4856-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/4856-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB