Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
195s -
max time network
262s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30/09/2024, 05:02
General
-
Target
56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5.exe
-
Size
326KB
-
MD5
7bd092de7377de68b4f563563b616b10
-
SHA1
5bccfe4bbc92f7f7c535c75e5c345c8c6cd56f02
-
SHA256
56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5
-
SHA512
ae610593911053c6d24ce92adea19b3faa44d385fa9c97ba060626fa7d5f00cb65affce239f21b34a02f31282754857b3b40351dc185e55158ea49026a839cd4
-
SSDEEP
6144:4xqtQERKoOzkzPdM6grTH06m/cr1DfBDIplsdyS38hYjpWO5yEO:NydZozPdMH/U6mkr5fd4mdbMcTEEO
Malware Config
Extracted
stealc
default
http://46.8.231.109
-
url_path
/c4754d4f680ead72.php
Extracted
vidar
11
a669a86f8433a1e88901711c0f772c97
https://t.me/jamsemlg
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Extracted
lumma
Extracted
lumma
https://possiwreeste.site/api
https://underlinemdsj.site/api
https://chaptermusu.store/api
Signatures
-
Detect Vidar Stealer 15 IoCs
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 8 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5.exe"C:\Users\Admin\AppData\Local\Temp\56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDAEBKKKEHD.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminDAEBKKKEHD.exe"C:\Users\AdminDAEBKKKEHD.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\CGDGIJKFIJ.exe"C:\ProgramData\CGDGIJKFIJ.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\ProgramData\GCGCBAECFC.exe"C:\ProgramData\GCGCBAECFC.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\ProgramData\BAKEBAFIIE.exe"C:\ProgramData\BAKEBAFIIE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBKFHCGIDBA.exe"8⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminBKFHCGIDBA.exe"C:\Users\AdminBKFHCGIDBA.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminCGIJJKEHCA.exe"8⤵
- System Location Discovery: System Language Discovery
-
C:\Users\AdminCGIJJKEHCA.exe"C:\Users\AdminCGIJJKEHCA.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BKJJEBKKEHJD" & exit6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminJDBKJJKEBG.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\AdminJDBKJJKEBG.exe"C:\Users\AdminJDBKJJKEBG.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
326KB
MD52832fbde1cf7ea83bd6fd6a4a5e8fe15
SHA11ced7a749d257091e0c3b75605fd3bc005e531de
SHA2562b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375
SHA512c69f1197a0c74d057ab569d35c9af675fc465ce6abcc6c8fc32b316d3586871a426d7ab904c43827be7413748f0f45f7f3689076ca031fd858a4a8abf78b9299
-
Filesize
92KB
MD5f1f1e52e12157f58250690a14935123a
SHA1025aa05e57a95271b542e7f968750fe0b7152775
SHA256158a58c6f84871d2d0ad01de5e4b54f308bea3669a5e8e5bb4ad5b0824a9f72e
SHA5128f3b4841ce6aea0d3a0e93b420b5985be47c609f4e477e432c626b2146c8b97854ed115b3c4fa2495033a103cb51f0d9cce85b14acb0a1de2227bbbb2305fab5
-
Filesize
6KB
MD56cf34ebba769901d5f6a8f80b677a454
SHA1b881b8ef4e312a07df5823560b32242cbd1a7d2f
SHA2563e99d6dc7cd280c408badca5f775051970170b4fb005ab409950f78f9eb2f71a
SHA5124d3abb4ce7cdf4ece0b93e9cdf8972872571c6cb8a4c32e8216dc2cd73544b9e4cceb936012bb499df9d92be3e6a9bb8f67be8471be5982ffb962232091db7da
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
669KB
MD5550686c0ee48c386dfcb40199bd076ac
SHA1ee5134da4d3efcb466081fb6197be5e12a5b22ab
SHA256edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
SHA5120b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e
-
Filesize
7KB
MD5617619c1bf353d686404dfae7f8ac1bb
SHA12693c7c68a68a50c2f5bbf18267319e8cd1dca85
SHA2568e85bedde36fa3cd3941d4ad055716c643cc8023cd79a1dc049c3f5f2f0c13ea
SHA5122674c92232af9ab3aaaefcdd930b40fd904793b3cc021f916391e16a54e66f597e6b7a84eee192ca8e69e0e368921ecaadd4dfe746f0f4c08b578d8eaeeccd9d
-
Filesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
Filesize
251KB
MD54e52d739c324db8225bd9ab2695f262f
SHA171c3da43dc5a0d2a1941e874a6d015a071783889
SHA25674ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA5122d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6
-
Filesize
2KB
MD54a19ba0606043a886eab9118e59efc43
SHA1a9d8c5f957b88416f0dc699a63475e9022aa66c3
SHA2564cd803492adf9b1ae54ad397d2a2bd85135248bc60272a7a8b8748352c2687cb
SHA512ea72f15e338cc50d2ae7120b78fd2debb0fba07b5fd11789875685aaea982c6606fd285f12b28438e3ed71dd510f821cf8c2925afa21faf91999778271973dfa
-
Filesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
Filesize
20KB
MD57ab78e4527ebdd6c8917c5427ddbeea9
SHA18d49808b08e2de6fa1b3e804b556be427698edf9
SHA256566a9c0b184d8995c8db7e9763fc6aedb1234d790a2d4b3ac9d1d1728401b792
SHA512c4b5104d32d903b55ac1af8ac28feb43871ac2d432e329ac6ee33f68452db788d4ea6c90158206f7f1824837e8442cda818e7b913b073dd250d06a86c7563308
-
Filesize
404KB
MD538dabc7063c0a175a12c30bd44cf3dbc
SHA16d7aabebd8a417168e220c7497f4bc38c314da3b
SHA256de664956d799e59e1cca0788d545922ee420e3afdcf277442f148f52bc78df89
SHA512674760ad37cf7886ca4cd786e4d1966d3827fdad008a85a125e18bd474d073dae8d4296427253bb86e78d3173a300611ee5eb2e01c1f968700679350fc17a24d
-
Filesize
371KB
MD532c2e31313c3df4a7a36c72503a5beba
SHA11c88051112dab0e306cadd9ee5d65f8dc229f079
SHA256f1fa2872fcd33c6dbce8d974c0c0381c0762d46a53ceaca14a29727ad02baef3
SHA512ee04d786e53f7fa203dbc4f8c018c72a907dabbd2d1c57e219b2ccc2dbd9d79a4ee8580b98f9b5c5024e628c0207cdd2bf93b9468e457f4ee00326c7c689f1ae
-
Filesize
425B
MD5605f809fab8c19729d39d075f7ffdb53
SHA1c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA2566904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA51282cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
-
Filesize
2.3MB
MD590e744829865d57082a7f452edc90de5
SHA1833b178775f39675fa4e55eab1032353514e1052
SHA256036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550
SHA5120a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323
-
Filesize
103B
MD5ff0ae74f9ceb03f98c483d8555f76689
SHA1b907b50584c93f0e1b221982268868eafb94a9d9
SHA256e5d7bb8e8143178c7f1f5f07211f83de319a25da4d493661074fad59630f5169
SHA512a1329baf8f7d4c9d70a0109c73cf0d2429b07077f0ddfc2e36e54d274035dd14ca249dcb0f0376eb48ad02aaacfc7d9ede1d528bc073fc347f738b22f0ac3595
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
424KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
384KB
-
Filesize
344KB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.5MB
-
Filesize
2.4MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
344KB