Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/08/2024, 17:49

General

  • Target

    ₳DÐ✵SetUp✓/Setup.exe

  • Size

    4.3MB

  • MD5

    4cba82135c6e44265dfb2a4845dff950

  • SHA1

    7dbce4c16cbd045ce8a3c2ea15df7fee3df10bcc

  • SHA256

    e6d5ef67201ef8ed953a36a6fb44aaafb40dec7a4002efb7ebe6c20f35244495

  • SHA512

    81441841a5fb6fc9507407ea9f07c16d98a1a3ca7c5eb4dabe92cc6fb93f0641ac681906dabf7aedab32a3cb6289cc2922e03bb33210eac72170797e82df60cc

  • SSDEEP

    49152:w8mxtRio/dXZg+KXXI7QKS/++2+UEaipCiPdCQIhdwIxKoZqD6uoZqUO3HoaPgoR:M92/++2+/pDNB3HokjGbc

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://erdefendkzov.shop/api

https://chippyfroggsyhz.shop/api

https://tenntysjuxmz.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\₳DÐ✵SetUp✓\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\₳DÐ✵SetUp✓\Setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe
      C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2824
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif
        C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\466035d0

    Filesize

    1.2MB

    MD5

    8658475fdad28ed7a1876702bc64776a

    SHA1

    770ffa2d07bbd7bb4488b591065ad4841b5143a2

    SHA256

    3b5ae5ed5c3cc4806dcaef9fa8d9f70b20d193f923ec90034b7b3bee9c8951e0

    SHA512

    cd3f9e8bebfe6ff0a509e47a0e6556853de042c0073d977ae34f673cb5c2d3f228c73b547516f7ab85f1594fd1b207bcee5b6fe0c3249375b73a407025058bd9

  • C:\Users\Admin\AppData\Local\Temp\BagelHatchet.pif

    Filesize

    29KB

    MD5

    d0509de5ba78cdfb67f897b06d9d184d

    SHA1

    f3ea9fa41831739d38353167754c0bb5a9544001

    SHA256

    a5a7183977808efbaa1ca3e55776f09bcae8f30e2aa5b0520c9cd88cd0d4997d

    SHA512

    0cdfb02946e8450a057db69f3e4331adc2b1bffee2d6002ea2a1ba8b9964883dd71c6f5becd41c02a4a06fd84e20836348b56af3696ae21587a774ec75d9f2c5

  • C:\Users\Admin\AppData\Roaming\AppServer\PDZAWQNKTVYDJ\StrCmp.exe

    Filesize

    47KB

    MD5

    916d7425a559aaa77f640710a65f9182

    SHA1

    23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

    SHA256

    118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

    SHA512

    d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

  • memory/652-0-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

    Filesize

    1.4MB

  • memory/652-7-0x00007FF889DA9000-0x00007FF889DAA000-memory.dmp

    Filesize

    4KB

  • memory/652-6-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

    Filesize

    1.4MB

  • memory/652-8-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

    Filesize

    1.4MB

  • memory/652-14-0x00007FF889D90000-0x00007FF889F02000-memory.dmp

    Filesize

    1.4MB

  • memory/1508-23-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

    Filesize

    1.5MB

  • memory/1508-21-0x0000000075AEE000-0x0000000075AF0000-memory.dmp

    Filesize

    8KB

  • memory/1508-20-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

    Filesize

    1.5MB

  • memory/1508-26-0x0000000075AE0000-0x0000000075C5B000-memory.dmp

    Filesize

    1.5MB

  • memory/1508-18-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

  • memory/1508-33-0x0000000075AEE000-0x0000000075AF0000-memory.dmp

    Filesize

    8KB

  • memory/2832-25-0x00000000747E0000-0x0000000075A34000-memory.dmp

    Filesize

    18.3MB

  • memory/2832-29-0x00007FF8A8030000-0x00007FF8A8225000-memory.dmp

    Filesize

    2.0MB

  • memory/2832-30-0x00000000004F0000-0x0000000000562000-memory.dmp

    Filesize

    456KB

  • memory/2832-31-0x00000000747E1000-0x00000000747E8000-memory.dmp

    Filesize

    28KB

  • memory/2832-32-0x00000000004F0000-0x0000000000562000-memory.dmp

    Filesize

    456KB

  • memory/2832-34-0x00000000004F0000-0x0000000000562000-memory.dmp

    Filesize

    456KB