Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/08/2024, 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe

  • Size

    1021KB

  • MD5

    a63aa4427cbc2b463642def398f2d217

  • SHA1

    49c3c7d4fea7f7abdf148e33b3470ce1bc23ecc5

  • SHA256

    d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48

  • SHA512

    4fedbe899a27f0c9c34a8c4cced85c68148dab9b605e24787b4552429ab6d1091bc78f8599ca0ca43acd18c6d74fe94830ed4303f24bf9ffe99b0cf9fec6a198

  • SSDEEP

    24576:rhEQaXb3UlbHCxOBHyP1OL7LDMf0f7GSbTmTMs1eC:u9TUBHCxOxyP03LDG0jGSmTnd

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://enthusiandsi.shop/api

https://empiredzmwnx.shop/api

https://boattyownerwrv.shop/api

https://rainbowmynsjn.shop/api

https://definitonizmnx.shop/api

https://creepydxzoxmj.shop/api

https://budgetttysnzm.shop/api

https://chippyfroggsyhz.shop/api

https://assumedtribsosp.shop/api

Extracted

Family

lumma

C2

https://enthusiandsi.shop/api

https://tenntysjuxmz.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe
        "C:\Users\Admin\AppData\Local\Temp\d068a6d76dec4793e1c7e67d849485fec2eac4d1da91b48426c31d7b2b172b48.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3312
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Themes Themes.cmd & Themes.cmd & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Windows\system32\tasklist.exe
          tasklist
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1852
        • C:\Windows\system32\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          3⤵
            PID:3408
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4876
          • C:\Windows\system32\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            3⤵
              PID:4492
            • C:\Windows\system32\cmd.exe
              cmd /c md 647551
              3⤵
                PID:208
              • C:\Windows\system32\findstr.exe
                findstr /V "LatviaTicketClevelandPoet" Larger
                3⤵
                  PID:3960
                • C:\Windows\system32\cmd.exe
                  cmd /c copy /b Develop + Jeremy + Kazakhstan + Reviewed + Subtle + Expect 647551\h
                  3⤵
                    PID:5028
                  • C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
                    Precisely.pif h
                    3⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:3680
                  • C:\Windows\system32\choice.exe
                    choice /d y /t 5
                    3⤵
                      PID:1660
                  • C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
                    C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
                    2⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:1864

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\647551\Precisely.pif
                  Filesize

                  872KB

                  MD5

                  c56b5f0201a3b3de53e561fe76912bfd

                  SHA1

                  2a4062e10a5de813f5688221dbeb3f3ff33eb417

                  SHA256

                  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                  SHA512

                  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\647551\h
                  Filesize

                  448KB

                  MD5

                  6fdfd7bd8eeb457e56d58555cf25da5e

                  SHA1

                  8d62d43f955a3ac6d50f4c9b7d1ed888f9049f07

                  SHA256

                  0d27d248085e70ec9840900e32e71ee90f530968906eaf519144d007ce097ce6

                  SHA512

                  8a5e0fe06f7bd37aab434a4191d20f3c5074a9703e3797d3f59a17073d7e224824ddb7a9cd5e680efb8ac1f2bad217d18c65d1fa939d7f4c25c89eeaaa0af0de

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Deemed
                  Filesize

                  872KB

                  MD5

                  c30baf006c23f5502a6eac13c4121cac

                  SHA1

                  a46b52d9441117cc8a6a1c3f68162ec294b68068

                  SHA256

                  0aa9d496c6ba1d362368cf3a612cd737f19fdd6051af41d748746da51dbefe9d

                  SHA512

                  af29fa6425006c8ff87fa2c422a2d49148bd6107c6d7a8aadc75ced5d5a08aea0e8d01de99cc95f077c58964b24b872a92b7f8d5d03989c3142c50bbd1b3510d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Develop
                  Filesize

                  73KB

                  MD5

                  1ebc315401a599085e455ae7d76e177e

                  SHA1

                  be61fa1790aff061b8bfe2e371c4352c6d172c1e

                  SHA256

                  bb86584cf9142113c81fab982202ccb61ef2c5eb1bb8972a0565eb76a8d97f70

                  SHA512

                  5c93163f13ebd7b8b6e81644d6bcffb308a0391c070515bcc9e32094c0e3da7c8167e7feefb21fd7c840abf9074a7959a589b8d0fa7aa76e116c6d6de84977c2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Expect
                  Filesize

                  18KB

                  MD5

                  53746be92b194c780a2d58f34ee00b11

                  SHA1

                  bb99ba3c2b950b1914182d6aebd760a24b7b8338

                  SHA256

                  191e020f3c5af35645b57244b3d84e9bac8463aee6f896bd7141c8e14c905f53

                  SHA512

                  f2bbe556a053b2f3b36fc9d6f36de908a23ab633f6a5ff38c62bb105866f0f8a64c66a7c9fad6ae381be1a0e2251bfed51c36ead64f696e24cced718ad1304e7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Jeremy
                  Filesize

                  99KB

                  MD5

                  7dc54410052dbb22f08d596a65d1e601

                  SHA1

                  79a2e7f1091008f152a586c446b947067b80709d

                  SHA256

                  17dce7c80e90b3b23fb3ba0845c44c0a7c90afeabe4545dbfbe96e0282d929ef

                  SHA512

                  258e8e9e88a4599fa481fcbaca5b92df22ee4593d7d0590f4a868dfa7165099899416b6987b83311f17818adf19d4dbb65c18ad659a2ee7e33c368d4bbef252b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Kazakhstan
                  Filesize

                  99KB

                  MD5

                  fc34ac746c73f1a69c6ec09cb470964f

                  SHA1

                  9d2af2aa3d507e9dc9037801ca553e58ba8eb077

                  SHA256

                  31924043f5d76a478d819d8be63bcd1238f0c503a150893dc2a19e80ace9bb62

                  SHA512

                  9308a294788afb379fbb22afab6cbe78418048d708e1629a104a54b090327d8a4e3c958c889db96f186399c5f2ee66c8e5f699a2ee5480d764014366eddac0d3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Larger
                  Filesize

                  490B

                  MD5

                  99352b2770c4409f48bc24896f26baae

                  SHA1

                  b23f51bf53495bb973fbaf37ff34184e2b83b081

                  SHA256

                  057c2fdd3f765865510d3557f9083a2bdb68987f806a469a966dd2edbb28e37f

                  SHA512

                  1c9e194f9666ca0e6fc9df690557f58ec28c8393447c339740d1e29f855e0e8ed792310de420cce38df14a6000744b206bc262b38d0b479ed86203a0909ce2d4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Reviewed
                  Filesize

                  91KB

                  MD5

                  dbb1c7e3ee4a5462f0d20f7f30748ed6

                  SHA1

                  55a501b433887f89934a7afb9b7e4eb44e828671

                  SHA256

                  d1464a5481d67860e6c99d488fcb5599908d15577fee5da65508492f37e387a1

                  SHA512

                  66df41b88eb949c5687ec125b1a4ee92e3ec5c72f8074037db60e8e57ad125d28fccddf5ac10e70708dd94a9a921bbec2e901873a8a267fd01d1505c4e3df79b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Subtle
                  Filesize

                  68KB

                  MD5

                  271a155148cd40704556bce7a8596163

                  SHA1

                  121c56e001c1f23b22ea3322c906f5a21eb690cd

                  SHA256

                  cf88957d77c63719387019270a38b952332d9d4ad0435c242833b6ea955eb036

                  SHA512

                  b7cdef8ee6f8b8ac04ebb294c10dcc10d266f453e0491dca42f5b1fa0bd2b3c61f3c62a7d32c4e69423cff300ee93cf7dc09c37824ca3cd5b66a15d65b474a02

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Themes
                  Filesize

                  22KB

                  MD5

                  36f1c87d9737391327b7a8a85eb876a4

                  SHA1

                  950ab5aa64bf8514b991c273251f37884d0baa8d

                  SHA256

                  d19b134a54477eb88a8051049bc528f172902bd7109e02bb48c56b113f45210c

                  SHA512

                  429bfdd110fdebbb30f3d455db7b1c1e8057e71a7f53db2d01e8e9ae2aab9bad5a15f7ba6c82704fa1dddf90adfc4a0742cc91d8375eaa3f2ba1a63362fb0793

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\nsy69B7.tmp\ShellExecAsUser.dll
                  Filesize

                  43KB

                  MD5

                  552cba3c6c9987e01be178e1ee22d36b

                  SHA1

                  4c0ab0127453b0b53aeb27e407859bccb229ea1b

                  SHA256

                  1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

                  SHA512

                  9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

                  Download Submit

                • memory/1864-34-0x0000000000B20000-0x0000000000B77000-memory.dmp

                  Filesize

                  348KB

                  Download

                • memory/1864-35-0x0000000000B20000-0x0000000000B77000-memory.dmp

                  Filesize

                  348KB

                  Download

                • memory/1864-37-0x0000000000B20000-0x0000000000B77000-memory.dmp

                  Filesize

                  348KB

                  Download