Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

Avira Adve...ey.exe

windows10-2004-x64

10

Avira Adve...ey.exe

windows11-21h2-x64

10

Resubmissions

06/08/2024, 04:47

240806-fewxqstfrb 10

06/08/2024, 04:46

240806-fedq6azenp 10

06/08/2024, 04:44

240806-fc8thszeln 10

05/08/2024, 13:30

240805-qr3ads1elc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Avira Advertising (extract.me).zip

  • Size

    5.6MB

  • Sample

    240806-fewxqstfrb

  • MD5

    10000694d7ce74468b950efaf04f87ca

  • SHA1

    45f2168d3fba64c522a8e0410d7d0db144785767

  • SHA256

    a3f2e3023e451956599f92984793cda204648692c84d30de7e4870bbc63b4ae0

  • SHA512

    e7fda1671bf9cbe07fc0039c39cb7c446ead44c4e265df787f3a62c5de0f6e2ed74738257c436d07b40007ed34a80391743ad9850be16066910175741571a29b

  • SSDEEP

    98304:rFZb3phXDGsbosDQQEzfga52GHnkl4dkM2boo0sjnEtRB/udGjxFAsdP7SgzY8ah:rP3HTGNFLRb/o0YnCBUaFA8POgzYTpum

Score
10/10
lummadiscoverypersistenceprivilege_escalationstealerthemida

Malware Config

Extracted

Family

lumma

C2

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

Targets

    • Target

      Avira Advertising/payment and key.exe

    • Size

      4.2MB

    • MD5

      ad433332d168ed1555d260e6b149e2fe

    • SHA1

      beb4d3f2d7a8d2b4b194e7c123477010ea1a6baa

    • SHA256

      7232ec3f17f009b1d24f7383d32a4b499288b000d5738758da0035252953e409

    • SHA512

      bc4bd97db41debe9615d33a31b852f44c89b6ac43104241427f7ed742e771cc2ce590c583859e5368f2fd1e4c1b4ae57827a90ba1c095c76f0f2bc04857d8d92

    • SSDEEP

      24576:h5yHx5/mc9iNTGYARvoqY6nNdcDMdvnLD4WlYrRkcXV7G4OVnw0cLOV:hIxcS8AY6nILfr

    Score
    10/10
    lummadiscoverypersistenceprivilege_escalationstealer

    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

      stealerlumma

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks