
Resubmissions

  • 06/08/2024, 04:47 UTC: 240806-fewxqstfrb (score 10/10)
  • 06/08/2024, 04:46 UTC: 240806-fedq6azenp (score 10/10)
  • 06/08/2024, 04:44 UTC: 240806-fc8thszeln (score 10/10)
  • 05/08/2024, 13:30 UTC: 240805-qr3ads1elc (score 10/10)

Analysis

  • max time kernel
    1690s
  • max time network
    1160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/08/2024, 04:44 UTC

General

  • Target: Avira Advertising/payment and key.exe
  • Size: 4.2MB
  • MD5: ad433332d168ed1555d260e6b149e2fe
  • SHA1: beb4d3f2d7a8d2b4b194e7c123477010ea1a6baa
  • SHA256: 7232ec3f17f009b1d24f7383d32a4b499288b000d5738758da0035252953e409
  • SHA512: bc4bd97db41debe9615d33a31b852f44c89b6ac43104241427f7ed742e771cc2ce590c583859e5368f2fd1e4c1b4ae57827a90ba1c095c76f0f2bc04857d8d92
  • SSDEEP: 24576:h5yHx5/mc9iNTGYARvoqY6nNdcDMdvnLD4WlYrRkcXV7G4OVnw0cLOV:hIxcS8AY6nILfr

Score
10/10

Malware Config

Extracted

  • Family: lumma
  • C2:
    https://empiredzmwnx.shop/api
    https://boattyownerwrv.shop/api
    https://rainbowmynsjn.shop/api
    https://definitonizmnx.shop/api
    https://creepydxzoxmj.shop/api
    https://budgetttysnzm.shop/api
    https://chippyfroggsyhz.shop/api
    https://assumedtribsosp.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma, or LummaC, is an infostealer written in C++, first seen in August 2022.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (ATT&CK T1614.001).

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Avira Advertising\payment and key.exe (PID 2252)
    "C:\Users\Admin\AppData\Local\Temp\Avira Advertising\payment and key.exe"
    Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\䅍䡒䕇則䡍䅇 (PID 1488, child of 2252)
      "C:\Users\Admin\AppData\Local\Temp\䅍䡒䕇則䡍䅇"
      Executes dropped EXE; System Location Discovery: System Language Discovery
      • C:\Windows\SysWOW64\WerFault.exe (PID 2500, child of 1488)
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 372
        Program crash
  • C:\Windows\SysWOW64\WerFault.exe (PID 3456)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1488 -ip 1488
  • C:\Windows\System32\rundll32.exe (PID 4172)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  • C:\Windows\system32\OpenWith.exe (PID 4968)
    C:\Windows\system32\OpenWith.exe -Embedding
    Modifies registry class; Suspicious use of SetWindowsHookEx
  • C:\Users\Admin\AppData\Local\Temp\䅍䡒䕇則䡍䅇.exe (PID 1668)
    "C:\Users\Admin\AppData\Local\Temp\䅍䡒䕇則䡍䅇.exe"
    Executes dropped EXE; System Location Discovery: System Language Discovery
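The tree above shows the pattern a detection engineer would want to catch from process-creation telemetry: a dropped file under the user's Temp directory, carrying a non-ASCII name and (for PID 1488) no executable extension, launched by another Temp executable, then crashing into WerFault. The following is an added example, not code from the Triage report or from any vendor product; the events are constructed to mirror the tree, the parent PIDs of the top-level entries (2252, 1668) are assumed because the report does not show them, and the `pid`/`ppid`/`image` field names are an assumed minimal schema rather than any specific EDR's.

```python
"""Detection logic for the process-tree pattern in this report.

Added example, not part of the Triage report or of any vendor's product.
The EVENTS list is constructed to mirror the tree above; parent PIDs for
the top-level entries (2252, 1668) are assumed, and the field names
(pid, ppid, image) are an assumed minimal process-creation schema.
"""
import ntpath  # Windows path handling, works on any host OS

EVENTS = [
    {"pid": 9999, "ppid": 1, "image": r"C:\Windows\explorer.exe"},  # assumed parent
    {"pid": 2252, "ppid": 9999,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Avira Advertising\payment and key.exe"},
    {"pid": 1488, "ppid": 2252,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\䅍䡒䕇則䡍䅇"},
    {"pid": 2500, "ppid": 1488, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"pid": 4968, "ppid": 9999, "image": r"C:\Windows\system32\OpenWith.exe"},
    {"pid": 1668, "ppid": 9999,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\䅍䡒䕇則䡍䅇.exe"},
]

USER_TEMP = "\\appdata\\local\\temp\\"
EXEC_EXTS = (".exe", ".com", ".scr", ".pif")


def in_user_temp(image):
    """True if the image lives under a user's %LOCALAPPDATA%\\Temp tree."""
    return USER_TEMP in image.lower()


def non_ascii_basename(image):
    """True if the file name (not the directory) contains non-ASCII characters."""
    return any(ord(ch) > 0x7F for ch in ntpath.basename(image))


def missing_exec_extension(image):
    """True if the file name lacks a conventional executable extension."""
    return not ntpath.basename(image).lower().endswith(EXEC_EXTS)


def reasons_for(evt, by_pid):
    """List the indicators one process-creation event triggers.

    The name and extension checks are only applied to images under user Temp,
    which keeps localized installers in Program Files from tripping them.
    """
    image = evt["image"]
    parent = by_pid.get(evt["ppid"])
    reasons = []
    if in_user_temp(image):
        reasons.append("runs from user Temp")
        if non_ascii_basename(image):
            reasons.append("non-ASCII file name")
        if missing_exec_extension(image):
            reasons.append("no executable extension")
        if parent is not None and in_user_temp(parent["image"]):
            reasons.append("spawned by another Temp executable")
    return reasons


def flag_processes(events, min_reasons=2):
    """Return {pid: [reasons]} for events with at least min_reasons indicators."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for evt in events:
        reasons = reasons_for(evt, by_pid)
        if len(reasons) >= min_reasons:
            flagged[evt["pid"]] = reasons
    return flagged


def ancestry(pid, events):
    """Walk ppid links upward; returns image base names, child first, root last."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, why in flag_processes(EVENTS).items():
        print(pid, " <- ".join(ancestry(pid, EVENTS)), why)
```

With the default threshold of two indicators, PID 1488 (four indicators) and PID 1668 (Temp plus non-ASCII name) are flagged while the initial `payment and key.exe` is not, since running from Temp alone is common for legitimate installers; lower `min_reasons` or add a parent check of your own if that does not suit your environment.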

Network

All observed DNS traffic consists of reverse (IN PTR) lookups sent to 8.8.8.8:53 (flag-us). Packets are listed as out/in.

  Query                                 Sent    Received  Pkts   Response
  8.8.8.8.in-addr.arpa                  66 B    90 B      1/1    dns.google
  67.31.126.40.in-addr.arpa             71 B    157 B     1/1    (empty)
  172.214.232.199.in-addr.arpa          74 B    128 B     1/1    (empty)
  88.156.103.20.in-addr.arpa            72 B    158 B     1/1    (empty)
  183.59.114.20.in-addr.arpa            72 B    158 B     1/1    (empty)
  15.164.165.52.in-addr.arpa            72 B    146 B     1/1    (empty)
  172.210.232.199.in-addr.arpa          74 B    128 B     1/1    (empty)
  73.144.22.2.in-addr.arpa              70 B    133 B     1/1    a2-22-144-73.deploy.static.akamaitechnologies.com
  48.229.111.52.in-addr.arpa            72 B    158 B     1/1    (empty)
  122.10.44.20.in-addr.arpa             71 B    145 B     1/1    (empty)
  14.160.190.20.in-addr.arpa            72 B    158 B     1/1    (empty)

No results found

Note that none of the eight C2 domains in the extracted configuration were resolved during the run: the only DNS activity is reverse lookups, so this report records no observed C2 contact, and the C2 list should be treated as static configuration rather than confirmed live infrastructure.
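The practical use of the extracted C2 list above is hunting: pull the hostnames out of the URLs and match them against resolver or EDR DNS logs. The sandbox's own PTR queries in this section give a negative control (no hit), which is what the report shows. The following is an added example, not code from the Triage report: the C2 URLs and the sandbox PTR queries are copied from the report, while the resolver log lines are constructed and their `timestamp client qname qtype` layout is an assumed format, not any particular resolver's.

```python
"""Hunt for this sample's Lumma C2 domains in DNS query logs.

Added example, not part of the Triage report. The C2 URLs and the sandbox's
PTR queries are copied from the report; SAMPLE_RESOLVER_LOG is constructed
for illustration and its 'timestamp client qname qtype' layout is an
assumed format.
"""
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration (from the report).
LUMMA_C2_URLS = [
    "https://empiredzmwnx.shop/api",
    "https://boattyownerwrv.shop/api",
    "https://rainbowmynsjn.shop/api",
    "https://definitonizmnx.shop/api",
    "https://creepydxzoxmj.shop/api",
    "https://budgetttysnzm.shop/api",
    "https://chippyfroggsyhz.shop/api",
    "https://assumedtribsosp.shop/api",
]

# DNS names the sandbox actually queried during the run (from the report).
SANDBOX_DNS_REQUESTS = [
    "8.8.8.8.in-addr.arpa",
    "67.31.126.40.in-addr.arpa",
    "172.214.232.199.in-addr.arpa",
    "88.156.103.20.in-addr.arpa",
    "183.59.114.20.in-addr.arpa",
    "15.164.165.52.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "73.144.22.2.in-addr.arpa",
    "48.229.111.52.in-addr.arpa",
    "122.10.44.20.in-addr.arpa",
    "14.160.190.20.in-addr.arpa",
]

# Constructed resolver log (not from the report): benign lookups, one direct
# C2 query, one subdomain query with odd casing and a trailing dot, and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_RESOLVER_LOG = [
    "2024-08-06T04:45:01Z 10.0.0.12 www.example.com A",
    "2024-08-06T04:45:03Z 10.0.0.12 chippyfroggsyhz.shop A",
    "2024-08-06T04:45:04Z 10.0.0.17 login.example.net A",
    "2024-08-06T04:45:05Z 10.0.0.12 CDN.Assumedtribsosp.SHOP. HTTPS",
    "malformed line",
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def c2_domains(urls):
    """Return the set of normalized hostnames from a list of C2 URLs."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:  # urlparse returns None for URLs without a network location
            hosts.add(normalize(host))
    return hosts


def matches_c2(qname, domains):
    """True if qname equals a C2 domain or is a subdomain of one.

    The '.' + domain suffix test is deliberate: 'notempiredzmwnx.shop' must
    not match 'empiredzmwnx.shop'.
    """
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in domains)


def hunt_dns_log(lines, domains):
    """Scan 'timestamp client qname qtype' lines; return (ts, client, qname) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line: skip, do not abort the hunt
        ts, client, qname = parts[0], parts[1], parts[2]
        if matches_c2(qname, domains):
            hits.append((ts, client, normalize(qname)))
    return hits


def sandbox_c2_contact():
    """C2 domains the sandbox itself resolved; empty for this report."""
    domains = c2_domains(LUMMA_C2_URLS)
    return [q for q in SANDBOX_DNS_REQUESTS if matches_c2(q, domains)]


if __name__ == "__main__":
    print("sandbox C2 lookups:", sandbox_c2_contact())
    for hit in hunt_dns_log(SAMPLE_RESOLVER_LOG, c2_domains(LUMMA_C2_URLS)):
        print("C2 lookup:", hit)
```

Match on the full registered name plus subdomains, never on the `.shop` TLD alone; the domains here are disposable, so refresh the list from newer configuration extractions rather than treating it as a permanent blocklist.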

      MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\䅍䡒䕇則䡍䅇 (38KB)
    MD5: 3992f464696b0eeff236aef93b1fdbd5
    SHA1: 8dddabaea6b342efc4f5b244420a0af055ae691e
    SHA256: 0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14
    SHA512: 27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

  • memory/1488-2-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  • memory/1488-7-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
  • memory/1488-8-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
