Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

LomebuGame.rar

windows7-x64

3

LomebuGame.rar

windows10-2004-x64

7

bomelugame...me.exe

windows7-x64

7

bomelugame...me.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

$PLUGINSDIR/app-64.7z

windows7-x64

3

$PLUGINSDIR/app-64.7z

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

1

LICENSES.c...m.html

windows10-2004-x64

1

LomebuGame.exe

windows7-x64

1

LomebuGame.exe

windows10-2004-x64

7

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows7-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows7-x64

1

libGLESv2.dll

windows10-2004-x64

1

locales/af.ps1

windows7-x64

1

locales/af.ps1

windows10-2004-x64

1

locales/uk.ps1

windows7-x64

1

locales/uk.ps1

windows10-2004-x64

1

resources/elevate.exe

windows7-x64

1

resources/elevate.exe

windows10-2004-x64

1

vk_swiftshader.dll

windows7-x64

1

Resubmissions

27/04/2024, 19:36

240427-ybnfasfc9t 7

27/04/2024, 19:12

240427-xwpy7afb2v 7

27/04/2024, 18:20

240427-wy4ppaed6x 7

Analysis

  • max time kernel
    152s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/04/2024, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LomebuGame.exe

  • Size

    152.7MB

  • MD5

    88719f2009bf17f5be9713212f520ab4

  • SHA1

    0b843803935d15ff0179cbc83a66768eed88f381

  • SHA256

    cde6587e39b95f9debf34ce7c2af0932c8711597fc81609f4d300e63b2fe39dd

  • SHA512

    c1fa450234e5571d4c6cfa4a19e7ef5859bcf2300a25462e9eb16198618b9dfdcdb1f15fce309571de58c38c1107c26ad47a65d03eaf1e72ec538b0410784b0b

  • SSDEEP

    1572864:gLBZB52nvuZ7wVuMbgR7Sp6kYdEctmhoLsPagBsgkx52HYhwj+vfIBUdoJnP9Dj0:gypCmJctBjj2+Jv

Score
7/10
spywarestealer

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
    "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "chcp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\chcp.com
        chcp
        3⤵
          PID:3616
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
        2⤵
          PID:2532
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3856
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
          "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,13922497190276649664,9225922829442467555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          2⤵
            PID:3412
          • C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
            "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --mojo-platform-channel-handle=2096 --field-trial-handle=1880,i,13922497190276649664,9225922829442467555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1276
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3580
            • C:\Windows\system32\findstr.exe
              findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
              3⤵
                PID:2336
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "tasklist"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2336
              • C:\Windows\system32\tasklist.exe
                tasklist
                3⤵
                • Enumerates processes with tasklist
                PID:3920
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im msedge.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3640
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im msedge.exe
                3⤵
                • Kills process with taskkill
                PID:4408
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "tasklist"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4988
              • C:\Windows\system32\tasklist.exe
                tasklist
                3⤵
                • Enumerates processes with tasklist
                PID:3180
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4556
              • C:\Windows\system32\where.exe
                where /r . cookies.sqlite
                3⤵
                  PID:3520
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                2⤵
                  PID:3616
                  • C:\Windows\system32\tasklist.exe
                    tasklist
                    3⤵
                    • Enumerates processes with tasklist
                    PID:380
                • C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe
                  "C:\Users\Admin\AppData\Local\Temp\LomebuGame.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\LomebuGame" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 --field-trial-handle=1880,i,13922497190276649664,9225922829442467555,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3308
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:1380

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  3KB

                  MD5

                  50c591ec2a1e49297738ea9f28e3ad23

                  SHA1

                  137e36b4c7c40900138a6bcf8cf5a3cce4d142af

                  SHA256

                  7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447

                  SHA512

                  33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  2KB

                  MD5

                  2f87410b0d834a14ceff69e18946d066

                  SHA1

                  f2ec80550202d493db61806693439a57b76634f3

                  SHA256

                  5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

                  SHA512

                  a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                  Filesize

                  135B

                  MD5

                  69d73488ca2e1d72365f4a646c62a12e

                  SHA1

                  b866d45aa42227a80181ee92fcef9a485ea788b4

                  SHA256

                  22be3cd825d43f95b7ebe7f9053f13cd205d94989f644ed6b10eb5122c567ded

                  SHA512

                  bbcdd3a2336d5f55cc1a6fddb985469d6a20d54dcf18fa9b3f2a6deb3d3281065d651c676d3bda8f3ec1c5bf98be14941fcc2a2ac242cb4a2bb7927ebd318fee

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\193d6bb5-82f6-42a6-b500-decd74741cd7.tmp.node
                  Filesize

                  131KB

                  MD5

                  4bcefe873798966491bc7cf2ee25d7bf

                  SHA1

                  b3240ef4971cb2e2bdcdd06791fe528267035ee4

                  SHA256

                  e96f77361e9c2443a70e7dd9ab62f4b6c9967f80115565f1c284342a78192df4

                  SHA512

                  0e1cdb77848f56e75f2c932fbf3e28bc99e59c9f06b89be8848b95746291b6e539a6e0252345cf3172bd11893dd1806b58ce14cab6336ea533b0f4dba6d3ea06

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0adnoqti.iaq.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\f507dd08-9850-49d5-a994-63d3281e224d.tmp.node
                  Filesize

                  1.8MB

                  MD5

                  84319927155ec1c7e297a00d8bf8ed11

                  SHA1

                  8fc08f22de1d85a499941d5a8ffdb86485439c23

                  SHA256

                  fbbce4b12e31bd69e21bedcaef8ee9467b97117a335bd99cfa89cbdafdfd83ba

                  SHA512

                  caf12012769e565653c2f216b77e34303d9943056e3895ce38baa869a1a72e0bb6872d8b40cde0b41dc673c40740355e52abdeaeb3da416ab8b94c1e534a5165

                  Download Submit

                • memory/1092-40-0x000001EC6B270000-0x000001EC6B2B4000-memory.dmp

                  Filesize

                  272KB

                  Download

                • memory/2796-46-0x0000024922E40000-0x0000024922E64000-memory.dmp

                  Filesize

                  144KB

                  Download

                • memory/3308-94-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-104-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-100-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-101-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-102-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-93-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-95-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-103-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-106-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3308-105-0x000001B063A80000-0x000001B063A81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3412-67-0x0000022206480000-0x0000022206938000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3412-64-0x0000022206480000-0x0000022206938000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/3856-39-0x00000147F4B50000-0x00000147F4B72000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/3856-45-0x00000147F50E0000-0x00000147F510A000-memory.dmp

                  Filesize

                  168KB

                  Download

                • memory/3856-41-0x00000147F5160000-0x00000147F51D6000-memory.dmp

                  Filesize

                  472KB

                  Download