Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

MediPeel.exe

windows7-x64

10

MediPeel.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2024, 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MediPeel.exe

  • Size

    10.7MB

  • MD5

    ebb28d3da6ea29cec25910328415f994

  • SHA1

    a178aaa66b50fb03e3db39902b31400b7088f2b1

  • SHA256

    2a875c4f05a84aa5fa139d23e0b51b7cd2047c06a35d051ebd0891bd11f3a721

  • SHA512

    a6073636b21f19e69a7f0e9b1ef201867fbad9a14f10f1d2c8b63cc3b2f6fdf3b3954be1955b37c8034ff52e048fe489f27553aaf28401bc93a317753f02c09a

  • SSDEEP

    196608:Q4xFLbxtbJBdZaK31/aGdJXOLBZIy+fjfKCGqlQGDM427lZCcxxi6VTDqQ7poZQ:QeVbxH93Fa0JXDysQR57lZnxxi+TOQ7z

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://refrencireoi.shop/api

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates processes with tasklist 1 TTPs 6 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MediPeel.exe
    "C:\Users\Admin\AppData\Local\Temp\MediPeel.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\is-4JM99.tmp\MediPeel.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4JM99.tmp\MediPeel.tmp" /SL5="$5014E,10267176,812544,C:\Users\Admin\AppData\Local\Temp\MediPeel.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Users\Admin\AppData\Local\Temp\MediPeel.exe
        "C:\Users\Admin\AppData\Local\Temp\MediPeel.exe" /VERYSILENT /NORESTART
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Users\Admin\AppData\Local\Temp\is-94A0B.tmp\MediPeel.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-94A0B.tmp\MediPeel.tmp" /SL5="$6014E,10267176,812544,C:\Users\Admin\AppData\Local\Temp\MediPeel.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              6⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1324
            • C:\Windows\system32\find.exe
              find /I "wrsa.exe"
              6⤵
                PID:1280
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1372
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:1668
              • C:\Windows\system32\find.exe
                find /I "opssvc.exe"
                6⤵
                  PID:2312
              • C:\Windows\system32\cmd.exe
                "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
                  6⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1736
                • C:\Windows\system32\find.exe
                  find /I "avastui.exe"
                  6⤵
                    PID:1720
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\Windows\system32\tasklist.exe
                    tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
                    6⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2276
                  • C:\Windows\system32\find.exe
                    find /I "avgui.exe"
                    6⤵
                      PID:1508
                  • C:\Windows\system32\cmd.exe
                    "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2604
                    • C:\Windows\system32\tasklist.exe
                      tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
                      6⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2872
                    • C:\Windows\system32\find.exe
                      find /I "nswscsvc.exe"
                      6⤵
                        PID:2760
                    • C:\Windows\system32\cmd.exe
                      "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
                      5⤵
                        PID:1236
                        • C:\Windows\system32\tasklist.exe
                          tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
                          6⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2712
                        • C:\Windows\system32\find.exe
                          find /I "sophoshealth.exe"
                          6⤵
                            PID:1012
                        • C:\Users\Admin\AppData\Local\pensy\AutoIt3.exe
                          "C:\Users\Admin\AppData\Local\pensy\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\pensy\\bombinate.a3x"
                          5⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:2964
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\cv1GMfACm.a3x && del C:\ProgramData\\cv1GMfACm.a3x
                            6⤵
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • System Network Configuration Discovery: Internet Connection Discovery
                            PID:1588
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 5 127.0.0.1
                              7⤵
                              • System Location Discovery: System Language Discovery
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2096
                            • C:\Users\Admin\AppData\Local\pensy\AutoIt3.exe
                              AutoIt3.exe C:\ProgramData\\cv1GMfACm.a3x
                              7⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              • Checks processor information in registry
                              PID:108
                              • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
                                "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe"
                                8⤵
                                • System Location Discovery: System Language Discovery
                                PID:1432

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Cab170C.tmp
                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Tar172E.tmp
                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                  Download Submit

                • C:\Users\Admin\AppData\Local\pensy\bombinate.a3x
                  Filesize

                  62KB

                  MD5

                  2011fd050c4ca32737a3c7a1eceab131

                  SHA1

                  4b1c49c9d00750f57d3ed84f5e0deedfe90ee6ed

                  SHA256

                  3076733f6d4d580c995d8a675ad6f1e3731cd08a713aac0a8ce3cdb82182c482

                  SHA512

                  3786718aa8dbb4e8377c97ae810019281bfcd36b1f2aa807edfb8e7f0116dac03a9d1fa1d7dbc77cc4135315a8e4abb38e544592994aee95919e5683f2bb24d0

                  Download Submit

                • C:\Users\Admin\AppData\Local\pensy\bombinate.gif
                  Filesize

                  478KB

                  MD5

                  a2d51318f12154d1577dd5d267e38a31

                  SHA1

                  63b6e1880f674838612f99754b1a90114d2f71e4

                  SHA256

                  3214f770354ce2aa47691390b25fbbf89b472a41ae2e6549f3a1388667a6d6d3

                  SHA512

                  28abcaa05df554fa1f5dd4d98aa13e77e45f24aa72c69cf558debe4e87176bd916014b9d8e47f10fcbb8d56fe3d1609b1694e7675f60f224feca9368cf16e4a3

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\is-3F5AO.tmp\_isetup\_iscrypt.dll
                  Filesize

                  2KB

                  MD5

                  a69559718ab506675e907fe49deb71e9

                  SHA1

                  bc8f404ffdb1960b50c12ff9413c893b56f2e36f

                  SHA256

                  2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

                  SHA512

                  e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

                  Download Submit

                • \Users\Admin\AppData\Local\Temp\is-4JM99.tmp\MediPeel.tmp
                  Filesize

                  3.1MB

                  MD5

                  0d3c13ea2213808a14905b85f141061a

                  SHA1

                  31b3a57012127a5bda5beec6ac3901700b6f702c

                  SHA256

                  8241b818954f711736e70b5b3c4513e1f035cc35f394d7fefde18b64e59cda51

                  SHA512

                  50d84a7c01c2c8c94fd8f1c8b9043c7d9c31e1d7ff16532f115a7a50be6c3cf9df5e0ef8eddb667feeb53ff693468e64db13ad1d7b9c8b9a7c8447d42c3559dc

                  Download Submit

                • \Users\Admin\AppData\Local\pensy\AutoIt3.exe
                  Filesize

                  921KB

                  MD5

                  3f58a517f1f4796225137e7659ad2adb

                  SHA1

                  e264ba0e9987b0ad0812e5dd4dd3075531cfe269

                  SHA256

                  1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

                  SHA512

                  acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

                  Download Submit

                • memory/264-16-0x0000000000ED0000-0x0000000000FA4000-memory.dmp

                  Filesize

                  848KB

                  Download

                • memory/264-181-0x0000000000ED0000-0x0000000000FA4000-memory.dmp

                  Filesize

                  848KB

                  Download

                • memory/1432-190-0x0000000000400000-0x0000000000459000-memory.dmp

                  Filesize

                  356KB

                  Download

                • memory/1432-191-0x0000000000400000-0x0000000000459000-memory.dmp

                  Filesize

                  356KB

                  Download

                • memory/2412-15-0x0000000001240000-0x0000000001574000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/2412-8-0x0000000000140000-0x0000000000141000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2920-179-0x0000000001070000-0x00000000013A4000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/3052-19-0x0000000000ED0000-0x0000000000FA4000-memory.dmp

                  Filesize

                  848KB

                  Download

                • memory/3052-0-0x0000000000ED0000-0x0000000000FA4000-memory.dmp

                  Filesize

                  848KB

                  Download

                • memory/3052-2-0x0000000000ED1000-0x0000000000F79000-memory.dmp

                  Filesize

                  672KB

                  Download