Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/12/2024, 09:03
Static task
static1
Behavioral task
behavioral1
Sample
4759820fde0c680644d332189bec83aa.exe
Resource
win7-20240903-en
General
-
Target
4759820fde0c680644d332189bec83aa.exe
-
Size
1.8MB
-
MD5
4759820fde0c680644d332189bec83aa
-
SHA1
57299ea1dac94f357b2ff19e36df44f8eb5b4a33
-
SHA256
f77d07b9c49ce8361a05f50d39c3b2eefc02c9cf64200c80fdec8f445b7cac7d
-
SHA512
156af54e601d1826e61407e03cd499344b17df99c0e6f57d928d2c748873556855deac4bbed1a319f5512e7456b399c5ffe089e0ba887ed62e432c9040767651
-
SSDEEP
49152:oOaxlQZ6PXdx29IOHABzAmN1tnaodro4cxR2zV:7jZ6PXdx2FABMm4OrJ6R2z
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://tacitglibbr.biz/api
Signatures
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" S4BFOKNV0YJYATP7C33U18SHJMWM.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ S4BFOKNV0YJYATP7C33U18SHJMWM.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Z0YIM7FPDAHSNOZ4L4DBG03HB.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4759820fde0c680644d332189bec83aa.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4759820fde0c680644d332189bec83aa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion S4BFOKNV0YJYATP7C33U18SHJMWM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion S4BFOKNV0YJYATP7C33U18SHJMWM.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Z0YIM7FPDAHSNOZ4L4DBG03HB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Z0YIM7FPDAHSNOZ4L4DBG03HB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4759820fde0c680644d332189bec83aa.exe -
Executes dropped EXE 2 IoCs
pid Process 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe 2516 Z0YIM7FPDAHSNOZ4L4DBG03HB.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine 4759820fde0c680644d332189bec83aa.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine S4BFOKNV0YJYATP7C33U18SHJMWM.exe Key opened \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine Z0YIM7FPDAHSNOZ4L4DBG03HB.exe -
Loads dropped DLL 3 IoCs
pid Process 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features S4BFOKNV0YJYATP7C33U18SHJMWM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" S4BFOKNV0YJYATP7C33U18SHJMWM.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 1076 4759820fde0c680644d332189bec83aa.exe 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe 2516 Z0YIM7FPDAHSNOZ4L4DBG03HB.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4759820fde0c680644d332189bec83aa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language S4BFOKNV0YJYATP7C33U18SHJMWM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Z0YIM7FPDAHSNOZ4L4DBG03HB.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe 1076 4759820fde0c680644d332189bec83aa.exe 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe 2516 Z0YIM7FPDAHSNOZ4L4DBG03HB.exe 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2920 S4BFOKNV0YJYATP7C33U18SHJMWM.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1076 wrote to memory of 2920 1076 4759820fde0c680644d332189bec83aa.exe 31 PID 1076 wrote to memory of 2920 1076 4759820fde0c680644d332189bec83aa.exe 31 PID 1076 wrote to memory of 2920 1076 4759820fde0c680644d332189bec83aa.exe 31 PID 1076 wrote to memory of 2920 1076 4759820fde0c680644d332189bec83aa.exe 31 PID 1076 wrote to memory of 2516 1076 4759820fde0c680644d332189bec83aa.exe 32 PID 1076 wrote to memory of 2516 1076 4759820fde0c680644d332189bec83aa.exe 32 PID 1076 wrote to memory of 2516 1076 4759820fde0c680644d332189bec83aa.exe 32 PID 1076 wrote to memory of 2516 1076 4759820fde0c680644d332189bec83aa.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\4759820fde0c680644d332189bec83aa.exe"C:\Users\Admin\AppData\Local\Temp\4759820fde0c680644d332189bec83aa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\S4BFOKNV0YJYATP7C33U18SHJMWM.exe"C:\Users\Admin\AppData\Local\Temp\S4BFOKNV0YJYATP7C33U18SHJMWM.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\Z0YIM7FPDAHSNOZ4L4DBG03HB.exe"C:\Users\Admin\AppData\Local\Temp\Z0YIM7FPDAHSNOZ4L4DBG03HB.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2516
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5f0a01acbb7c142ecdb64c66fe7e5da72
SHA1bd76e25d19deca688e85a0c2afefebfbd2ed5708
SHA25691ea2a284a8ee25b4ad74669df7d2f5362f8e88b45c5ad0471b8fff15b1cea7f
SHA512fad5447153b4c9e95f787861dc41280b6192a71d7612772a5f4d579d7629cd2294e08b6274bba1a0c7184b1db8221a949264cd3353ee0ef40d2e7d227deafe4b
-
Filesize
1.7MB
MD53aacd7d2751e6e0f434b9809f58b92bc
SHA1a398a3b7487129b2f2bd94136da6ca36e91d7505
SHA2562abc9291898edaa673b4754a60c0154084112532a7f76c36fee1e97cec5685ab
SHA51256ae68afbd59926feb21f6ff2662e3c26f461c9e7a52b26add2d8bdeda7b381ce6fde1ef787310aab666ab84a27e884810efb56ac65968c1d71fceb963516cf3