General
Target: Bootstrapper_1725724037599_1sly5.exe
Size: 146KB
Sample: 240907-wsr4psxbqq
MD5: bc832d4fef741681578a87eb5d95b292
SHA1: 75a89d287b15af8c6b8bcd9fa7887badc1850c5d
SHA256: 5aa9d099dfc103dc52a33655e57845c6084b5d6bfab65abf4f3daea9911c613a
SHA512: 270298becb80e7398ee608c780185caa6cfe1b48319c87302efd1fbc17f73f5acf9926295420e3dc8caeaa6e80f57db235e0d9adc2e37dda674d6d85c01be4f8
SSDEEP: 3072:8PCyYwC+M2FEv80IZOA/CyYwC+M2FEv80IZOAU80IZOA4:ghY7X2Kvh4hY7X2Kvhvh
Static task
static1

Behavioral task behavioral1
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win10-20240404-en

Behavioral task behavioral3
Sample: Bootstrapper_1725724037599_1sly5.exe
Resource: win10v2004-20240802-en
Malware Config (extracted)
Family: lumma
C2 URLs:
- https://chocolatedwq.shop/api
- https://condedqpwqm.shop/api
Targets
Target: Bootstrapper_1725724037599_1sly5.exe
Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Enumerates processes with tasklist
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Discovery (technique: number of matching events)
- Peripheral Device Discovery: 1
- Process Discovery: 1
- Query Registry: 3
- Remote System Discovery: 1
- System Information Discovery: 4
- System Location Discovery: 1
- System Language Discovery: 1
- System Network Configuration Discovery: 1
- Internet Connection Discovery: 1