Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

Avira Adve...ey.exe

windows10-2004-x64

10

Avira Adve...ey.exe

windows11-21h2-x64

10

Resubmissions

06/08/2024, 04:47

240806-fewxqstfrb 10

06/08/2024, 04:46

240806-fedq6azenp 10

06/08/2024, 04:44

240806-fc8thszeln 10

05/08/2024, 13:30

240805-qr3ads1elc 10

Analysis

  • max time kernel
    440s
  • max time network
    458s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06/08/2024, 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Avira Advertising/payment and key.exe

  • Size

    4.2MB

  • MD5

    ad433332d168ed1555d260e6b149e2fe

  • SHA1

    beb4d3f2d7a8d2b4b194e7c123477010ea1a6baa

  • SHA256

    7232ec3f17f009b1d24f7383d32a4b499288b000d5738758da0035252953e409

  • SHA512

    bc4bd97db41debe9615d33a31b852f44c89b6ac43104241427f7ed742e771cc2ce590c583859e5368f2fd1e4c1b4ae57827a90ba1c095c76f0f2bc04857d8d92

  • SSDEEP

    24576:h5yHx5/mc9iNTGYARvoqY6nNdcDMdvnLD4WlYrRkcXV7G4OVnw0cLOV:hIxcS8AY6nILfr

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 42 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Avira Advertising\payment and key.exe
    "C:\Users\Admin\AppData\Local\Temp\Avira Advertising\payment and key.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\䍈䅒䵁䡒䵁䥒
      "C:\Users\Admin\AppData\Local\Temp\䍈䅒䵁䡒䵁䥒"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 400
        3⤵
        • Program crash
        PID:3756
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1456 -ip 1456
    1⤵
      PID:2996
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2320
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4856
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3312
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2260
      • C:\Users\Admin\AppData\Local\Temp\䍈䅒䵁䡒䵁䥒.exe
        "C:\Users\Admin\AppData\Local\Temp\䍈䅒䵁䡒䵁䥒.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1108

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\䍈䅒䵁䡒䵁䥒
        Filesize

        38KB

        MD5

        3992f464696b0eeff236aef93b1fdbd5

        SHA1

        8dddabaea6b342efc4f5b244420a0af055ae691e

        SHA256

        0d1a8457014f2eb2563a91d1509dba38f6c418fedf5f241d8579d15a93e40e14

        SHA512

        27a63b43dc50faf4d9b06e10daa15e83dfb3f3be1bd3af83ea6990bd8ae6d3a6a7fc2f928822db972aaf1305970f4587d768d68cd7e1124bc8f710c1d3ee19a6

        Download Submit

      • memory/1456-2-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1456-8-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/1456-6-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download