Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

NеwIn.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15/10/2024, 05:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NеwIn.zip

  • Size

    99.0MB

  • MD5

    cf4f95535261f85ecc33cb988ba50e47

  • SHA1

    3d0d44f95b4411fa5f6ea65d1e6e6a1a5014e511

  • SHA256

    997320ef48c4471750d311a9c12e7fe2afc922eaff1451957a73c8bdb38a168b

  • SHA512

    d17504fd06f455e35327fd4fd8c571d96ad4a6d8a0427190d5f98c61842a869a05f636b774b70169da72cf5bb8cb9a1a1bb88a0140bf664759409ace9faa9834

  • SSDEEP

    3145728:AEzbbh9hqhTmO14qQ1u1Ce3Mn9WVaFC6yEW:1vhaTyJ1ugmMn9WVSmEW

Score
10/10
lummadiscoverystealer

Malware Config

Extracted

Family

lumma

C2

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Executes dropped EXE 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NеwIn.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1984
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:232
    • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
      "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
        "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3836
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1372
          3⤵
          • Program crash
          PID:3956
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 268
        2⤵
        • Program crash
        PID:728
    • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
      "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
        "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1328
          3⤵
          • Program crash
          PID:1752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1320
          3⤵
          • Program crash
          PID:1044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 216
        2⤵
        • Program crash
        PID:4992
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
      1⤵
        PID:3908
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3836 -ip 3836
        1⤵
          PID:4908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3156 -ip 3156
          1⤵
            PID:3152
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4684 -ip 4684
            1⤵
              PID:1224
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4684 -ip 4684
              1⤵
                PID:3636
              • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
                "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1396
                • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
                  "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
                  2⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2648
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1324
                    3⤵
                    • Program crash
                    PID:1572
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1328
                    3⤵
                    • Program crash
                    PID:4652
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 236
                  2⤵
                  • Program crash
                  PID:1140
              • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
                "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2976
                • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
                  "C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe"
                  2⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2496
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1316
                    3⤵
                    • Program crash
                    PID:1532
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1324
                    3⤵
                    • Program crash
                    PID:2244
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 248
                  2⤵
                  • Program crash
                  PID:3160
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1396 -ip 1396
                1⤵
                  PID:3776
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2648 -ip 2648
                  1⤵
                    PID:1716
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2976 -ip 2976
                    1⤵
                      PID:2580
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2496 -ip 2496
                      1⤵
                        PID:2248
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2648 -ip 2648
                        1⤵
                          PID:1908
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2496 -ip 2496
                          1⤵
                            PID:5096

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\Downloads\solara rat\NеwIn\NеwInstً.exe
                            Filesize

                            570KB

                            MD5

                            a39c984c47cf1dbdd2066dbd0a52720b

                            SHA1

                            149104d94174b167116de4a6ffd32e40f340360d

                            SHA256

                            f53e85a6beb406953dd12a4270fdef5d04105ce0511e4c26a6b4069dfd90d839

                            SHA512

                            2bc06ba4f547a345d14a9f581bfe7b308c3b1de7f5c096931d00e4e0ffcf74c83ec02b04a99eb9c395779a881ef8dcf3f9b8684ce82d0e906b096b2da88234d6

                            Download Submit

                          • C:\Users\Admin\Downloads\solara rat\NеwIn\jres\doc\bin\msvcr100.dll
                            Filesize

                            755KB

                            MD5

                            bf38660a9125935658cfa3e53fdc7d65

                            SHA1

                            0b51fb415ec89848f339f8989d323bea722bfd70

                            SHA256

                            60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

                            SHA512

                            25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

                            Download Submit

                          • C:\Users\Admin\Downloads\solara rat\NеwIn\jres\doc\lib\images\cursors\win32_LinkNoDrop32x32.gif
                            Filesize

                            153B

                            MD5

                            1e9d8f133a442da6b0c74d49bc84a341

                            SHA1

                            259edc45b4569427e8319895a444f4295d54348f

                            SHA256

                            1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

                            SHA512

                            63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

                            Download Submit

                          • C:\Users\Admin\Downloads\solara rat\NеwIn\jres\lib\deploy\messages_zh_HK.properties
                            Filesize

                            3KB

                            MD5

                            4287d97616f708e0a258be0141504beb

                            SHA1

                            5d2110cabbbc0f83a89aec60a6b37f5f5ad3163e

                            SHA256

                            479dc754bd7bff2c9c35d2e308b138eef2a1a94cf4f0fc6ccd529df02c877dc7

                            SHA512

                            f273f8d501c5d29422257733624b5193234635bd24b444874e38d8d823d728d935b176579d5d1203451c0ce377c57ed7eb3a9ce9adcb3bb591024c3b7ee78dcd

                            Download Submit

                          • memory/3156-869-0x00000000002E0000-0x0000000000370000-memory.dmp

                            Filesize

                            576KB

                            Download

                          • memory/3156-874-0x00000000002E0000-0x0000000000370000-memory.dmp

                            Filesize

                            576KB

                            Download

                          • memory/3836-864-0x0000000000400000-0x000000000045D000-memory.dmp

                            Filesize

                            372KB

                            Download

                          • memory/3836-867-0x0000000000400000-0x000000000045D000-memory.dmp

                            Filesize

                            372KB

                            Download

                          • memory/3836-868-0x00000000002E0000-0x0000000000370000-memory.dmp

                            Filesize

                            576KB

                            Download

                          • memory/4964-863-0x0000000000369000-0x000000000036A000-memory.dmp

                            Filesize

                            4KB

                            Download