Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 23:45
General
-
Target
file.exe
-
Size
292KB
-
MD5
0c4b826cab211945649ac4bbb0c48c6b
-
SHA1
fe0132f85b63833f55a41651fcc0f32c1c96124d
-
SHA256
41b381e462f4108957fbab888701dfb9e605621507f8dd2d3f71a32b429c5f0c
-
SHA512
6e4ea6a514002c61cadfea41ae6aa9e81178570dbae5f78b79e95f654dc6c7716a8f98b812c805ad45423f0e657fab260492e46b2e6bb45d25520d933dc27363
-
SSDEEP
6144:D8zag1zxFKmMqtXpA8dI41MwJckA3/l6ah4LXeofOdLBhShSpk+JEO:OjNxjXrX1z1845DdfCLBxZEO
Malware Config
Extracted
vidar
https://t.me/edm0d
https://steamcommunity.com/profiles/76561199768374681
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0
Extracted
lumma
https://questionmwq.shop/api
https://chickerkuso.shop/api
https://achievenmtynwjq.shop/api
https://puredoffustow.shop/api
https://opponnentduei.shop/api
https://metallygaricwo.shop/api
https://milldymarskwom.shop/api
https://quotamkdsdqo.shop/api
https://carrtychaintnyw.shop/api
Signatures
-
Detect Vidar Stealer 20 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\AEGHIJEHJD.exe"C:\ProgramData\AEGHIJEHJD.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\HJDAKFBFBF.exe"C:\ProgramData\HJDAKFBFBF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJJEGCAAECBF" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
354KB
MD5384a847ad2833788fa253433fd2eea8d
SHA11984d8788fe40bd95a90d7d4e9dea6c4e4ff6201
SHA256de30491736617249b3e80fc9436ecf0f7675b3c3014509398c3db7298f93336a
SHA512bcdbd44837629d8881c29a7c7f6a2d4e98b52fbc49952bad2c89340a1dee18fac9987aaa8a3d91905a1f88a216c0e2501201a8665f3df7d5f627ff71a2418aac
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
292KB
MD54a8a0ccfecc930091116324c79c1006e
SHA1d790befcbc31a4befafeaf08879e15f99633b2a1
SHA256146b7006b041d25b6846c797234f38387ec4b141c4a7e4f100d0e6d2eda29088
SHA512ffef04766c2a9f9d038ccf6156ac7f03a0e0809adaf245a1347e5ece6ad31f9b37f283d71d34c031350456f30036078d5a3e97fa563bf6af6a8fcf6edeeb25d2
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2KB
MD54c4bf9e4d624f1045d8f73ed7f97dc3e
SHA11d78800f4a780fc6f75a778faeed2baaf84f2206
SHA2566dcfee83067db655225002d6ee68c1948d82de8a4b488355fbdee6fce73638db
SHA5124c950580ec4fb088382f066948964846bbee5d575eac1f70253e5adc3c09f071d398c1b6eb42fb2a00e017ba2a344ef6709c6f321a5b38db8bd39933989494bb
-
Filesize
2KB
MD57ec05ad5ad4ea2f59d78a181b608dfb1
SHA195dfcb1ca8c7c6353bfc940c79f877d491158faa
SHA256197a38efa533f9ff60b730cbc9b5fb604893e8dfb08a9ba85f0e5424779e3759
SHA512da07b1ce6b278f20a93cfb83107be1a96bd134657be71f31b314e981ae9f85a8db50ae10458612bd460baca5e9402d5bce61b11ed648b191be42882273b8c00a
-
Filesize
1KB
MD59ea353ed4fed6ed641da2a1a1e66cbf3
SHA142cf55d3608819795042c23df5f18fcd2b6b0c58
SHA2565245794a9cb70971f00a51f56b8b5305d16629c4d0d0e95916371a20a6119485
SHA5127476acf575e998c56bae27703d635c82a5cfd43f736b9618ec430168148f25d79c97ca344670298b51956ca0b3707d6499ef5865fe1b933acb948dddc822d05e
-
Filesize
458B
MD54011b7a0a04581fb845dc6a81fbf85b1
SHA1cd5f32a9f6754a0781cb62de8220048d6f63da0a
SHA256f6d25531203fc5b891cc1bf25f28d373e976532c7d863c667c8811baf3c44c3e
SHA5122f43a119bdf3293225480403c53b6fa1c23febf67f8c63a5b19d1cd0bd0c72e40b2b157d8dde073ffae7e9f682c6b443ed92fc77782316a262abbdb45ae4c051
-
Filesize
450B
MD5d3a09b5bf976d1948282956a2589acaf
SHA14ec90fcb38780bffb56480ac30db92e070b77e3d
SHA25666d00e4f7ab9c86ffedfbf990abac314538c03ca7b63f5b6cbe174953177ce8a
SHA51273f451db521f6ebee91f383b00e978e813446ce4e348ad4926b52284bdc11b282c7621397a66e0c883e0afc0e14c036599e87adcaec148f8df12b826f29926cd
-
Filesize
458B
MD511c1a7d1acccd5fa49dcebc9baea7c14
SHA1ac2a0dec6b4a2bec8e95d37299f18d4af5378186
SHA256f0d2644603b5486cab5837eec5afa2ec6be6a1de3a0932c4e71448214fab1317
SHA5123c15353c63cf8915cbbb43821be5904f9b76a8d63c04866a4f5cb2e9de1ae5a06d723ea09c2ce034509957b90a1adb206d3c7d0ea6ed2dcf6f22f49e9165ecc3
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
360KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
372KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.4MB
-
Filesize
296KB