Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/12/2024, 08:49
Static task
static1
Behavioral task
behavioral1
Sample
bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe
Resource
win7-20240903-en
General
-
Target
bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe
-
Size
1.8MB
-
MD5
bb2f1d74aabd9d2a6eb16dd3cde55e5e
-
SHA1
2000c94f296473baa42444ea0fbd607a0f5cd19a
-
SHA256
21c3ff6d14dbf792891e0c30da1eb51aa65c6f87c65cd8303e58ed26995a6390
-
SHA512
d82f1d4cbd8a229c80f896eac151b41af46292ca936c8673053d0c3bddefee62b31b8b614e042dc33ad83ef3935f99d7dcefb8509b5c378ea076ab58dba4da20
-
SSDEEP
49152:7K/2FxcdjKcueMKUPCEIWadlDHzzq1O0oEprRWh7uC:7Kkc8ypdlDHKHoOWh7u
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://tacitglibbr.biz/api
Signatures
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" EWWYNRY5DRNPMF80Z30PQDEFY.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ EWWYNRY5DRNPMF80Z30PQDEFY.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion EWWYNRY5DRNPMF80Z30PQDEFY.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion EWWYNRY5DRNPMF80Z30PQDEFY.exe -
Executes dropped EXE 2 IoCs
pid Process 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe 1636 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine EWWYNRY5DRNPMF80Z30PQDEFY.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features EWWYNRY5DRNPMF80Z30PQDEFY.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" EWWYNRY5DRNPMF80Z30PQDEFY.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe 1636 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EWWYNRY5DRNPMF80Z30PQDEFY.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe 1636 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe 1636 0ZKLE0VRK2GGOYDXYD2507S12HFR.exe 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4156 EWWYNRY5DRNPMF80Z30PQDEFY.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4564 wrote to memory of 4156 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 85 PID 4564 wrote to memory of 4156 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 85 PID 4564 wrote to memory of 4156 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 85 PID 4564 wrote to memory of 1636 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 88 PID 4564 wrote to memory of 1636 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 88 PID 4564 wrote to memory of 1636 4564 bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe"C:\Users\Admin\AppData\Local\Temp\bb2f1d74aabd9d2a6eb16dd3cde55e5e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\EWWYNRY5DRNPMF80Z30PQDEFY.exe"C:\Users\Admin\AppData\Local\Temp\EWWYNRY5DRNPMF80Z30PQDEFY.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Users\Admin\AppData\Local\Temp\0ZKLE0VRK2GGOYDXYD2507S12HFR.exe"C:\Users\Admin\AppData\Local\Temp\0ZKLE0VRK2GGOYDXYD2507S12HFR.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1636
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5c8b363548ff963b9eaefdcf0ab866e99
SHA1d3e0fa20ca34e90e5640d30cfd56e7c4b941e917
SHA2561b5103442d7f0ee79daa29f46c1b3bd6ad65e1f844616441e05c592198ebf7f2
SHA5125e69aa93ee6bd2fe29464cf0c07026cefcab515c4217cd6eaa37fe7fb36ceee37a68242625e2fdd70efdc4bdf2cecbb9727189a6f2b3f21138fd6378ad33d3cf
-
Filesize
1.7MB
MD5a5f5306454959cc92379287fa8f99a9a
SHA16a339fd816392b7683bb7ab9c694340bef5aab67
SHA256b11c07bbbedbe1d3df654b2f26362dce51c0eaef9bc7a87617cd3d300341a72a
SHA51265865f0f8461845b40b75319096cdbabcf567664f1b0cae0f82c4bc6cb64bcbd748b6e9ebaba60eb35fc35a3415cc8278f29f98bf91d22eb39fc9598d92d6c24