Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/12/2024, 08:55
Static task
static1
Behavioral task
behavioral1
Sample
42b62e1e747b64a54a3f6896df2128d5.exe
Resource
win7-20240903-en
General
-
Target
42b62e1e747b64a54a3f6896df2128d5.exe
-
Size
1.8MB
-
MD5
42b62e1e747b64a54a3f6896df2128d5
-
SHA1
4b0d19351ed7eb44908eae3020b8298ed221d100
-
SHA256
b6046ae1bd10e5aa4bb9280b48cd846482d5122de8bbe54998800e734bddd7f7
-
SHA512
dca1b52076478cb15bded75a98ea7d689e548d87c1117c33bf303750b6495d396deb9de30711fc1eabfa0e47af20460c0bc1c15b2c85b683401c40c7e101e229
-
SSDEEP
49152:CtR8X2NBoIch/r5dAYs8fbx6XBM15lyMUqPd/R:CTWYc/w4xExExR
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://tacitglibbr.biz/api
Signatures
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" UWFSY6PRW4IVU7U5YM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" UWFSY6PRW4IVU7U5YM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" UWFSY6PRW4IVU7U5YM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" UWFSY6PRW4IVU7U5YM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" UWFSY6PRW4IVU7U5YM.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection UWFSY6PRW4IVU7U5YM.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 42b62e1e747b64a54a3f6896df2128d5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ UWFSY6PRW4IVU7U5YM.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 42b62e1e747b64a54a3f6896df2128d5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 42b62e1e747b64a54a3f6896df2128d5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion UWFSY6PRW4IVU7U5YM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion UWFSY6PRW4IVU7U5YM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
Executes dropped EXE 2 IoCs
pid Process 3724 UWFSY6PRW4IVU7U5YM.exe 4596 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 42b62e1e747b64a54a3f6896df2128d5.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine UWFSY6PRW4IVU7U5YM.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features UWFSY6PRW4IVU7U5YM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" UWFSY6PRW4IVU7U5YM.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 5052 42b62e1e747b64a54a3f6896df2128d5.exe 3724 UWFSY6PRW4IVU7U5YM.exe 4596 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42b62e1e747b64a54a3f6896df2128d5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UWFSY6PRW4IVU7U5YM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 5052 42b62e1e747b64a54a3f6896df2128d5.exe 5052 42b62e1e747b64a54a3f6896df2128d5.exe 5052 42b62e1e747b64a54a3f6896df2128d5.exe 5052 42b62e1e747b64a54a3f6896df2128d5.exe 5052 42b62e1e747b64a54a3f6896df2128d5.exe 5052 42b62e1e747b64a54a3f6896df2128d5.exe 3724 UWFSY6PRW4IVU7U5YM.exe 3724 UWFSY6PRW4IVU7U5YM.exe 4596 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe 4596 3PZFSFAVQVTSJRMH83XNIJWEDOC.exe 3724 UWFSY6PRW4IVU7U5YM.exe 3724 UWFSY6PRW4IVU7U5YM.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3724 UWFSY6PRW4IVU7U5YM.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5052 wrote to memory of 3724 5052 42b62e1e747b64a54a3f6896df2128d5.exe 84 PID 5052 wrote to memory of 3724 5052 42b62e1e747b64a54a3f6896df2128d5.exe 84 PID 5052 wrote to memory of 3724 5052 42b62e1e747b64a54a3f6896df2128d5.exe 84 PID 5052 wrote to memory of 4596 5052 42b62e1e747b64a54a3f6896df2128d5.exe 87 PID 5052 wrote to memory of 4596 5052 42b62e1e747b64a54a3f6896df2128d5.exe 87 PID 5052 wrote to memory of 4596 5052 42b62e1e747b64a54a3f6896df2128d5.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\42b62e1e747b64a54a3f6896df2128d5.exe"C:\Users\Admin\AppData\Local\Temp\42b62e1e747b64a54a3f6896df2128d5.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Users\Admin\AppData\Local\Temp\UWFSY6PRW4IVU7U5YM.exe"C:\Users\Admin\AppData\Local\Temp\UWFSY6PRW4IVU7U5YM.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724
-
-
C:\Users\Admin\AppData\Local\Temp\3PZFSFAVQVTSJRMH83XNIJWEDOC.exe"C:\Users\Admin\AppData\Local\Temp\3PZFSFAVQVTSJRMH83XNIJWEDOC.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD53aacd7d2751e6e0f434b9809f58b92bc
SHA1a398a3b7487129b2f2bd94136da6ca36e91d7505
SHA2562abc9291898edaa673b4754a60c0154084112532a7f76c36fee1e97cec5685ab
SHA51256ae68afbd59926feb21f6ff2662e3c26f461c9e7a52b26add2d8bdeda7b381ce6fde1ef787310aab666ab84a27e884810efb56ac65968c1d71fceb963516cf3
-
Filesize
2.7MB
MD5f0a01acbb7c142ecdb64c66fe7e5da72
SHA1bd76e25d19deca688e85a0c2afefebfbd2ed5708
SHA25691ea2a284a8ee25b4ad74669df7d2f5362f8e88b45c5ad0471b8fff15b1cea7f
SHA512fad5447153b4c9e95f787861dc41280b6192a71d7612772a5f4d579d7629cd2294e08b6274bba1a0c7184b1db8221a949264cd3353ee0ef40d2e7d227deafe4b