Resubmissions

03/01/2025, 19:53 UTC

250103-ymf6cszrbw 10

03/01/2025, 05:06 UTC

250103-frq71szrdy 10

03/01/2025, 05:00 UTC

250103-fm1kwstjgq 10

03/01/2025, 04:45 UTC

250103-fdjk1ssqar 10

03/01/2025, 04:35 UTC

250103-e7skcasmfr 10

03/01/2025, 03:28 UTC

250103-d1dbeazrfl 10

Analysis

  • max time kernel
    11s
  • max time network
    12s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2025, 05:00 UTC

General

  • Target

    36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe

  • Size

    310KB

  • MD5

    2ea329cf21fe95c260ea3b956b6fbb75

  • SHA1

    4c8a6dfe97d33ada86c65298ad91ab46eddc8454

  • SHA256

    36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884

  • SHA512

    9ba7c26d15f6a116489e69c364f51484fa028dc92cf76a15e7c49095707bc4d499e6da31e9c79e1c5d2b3047dcb0518e10fd01f163b9c6e71282fffb2e8eac90

  • SSDEEP

    6144:N0ytx8RRzYd1mH+CkaPSdpzybQiwRF/yCQaOn39cm4W8+:NpeRRzQ0BkFd40bbqC8Wms+

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://enterwahsh.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
    "C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4480
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1248
      2⤵
      • Program crash
      PID:3472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4480 -ip 4480
    1⤵
      PID:1736

    Network

    • flag-us
      DNS
      enterwahsh.biz
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      enterwahsh.biz
      IN A
      Response
    • flag-us
      DNS
      wordyfindy.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      wordyfindy.lat
      IN A
      Response
    • flag-us
      DNS
      slipperyloo.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      slipperyloo.lat
      IN A
      Response
    • flag-us
      DNS
      manyrestro.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      manyrestro.lat
      IN A
      Response
    • flag-us
      DNS
      shapestickyr.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      shapestickyr.lat
      IN A
      Response
    • flag-us
      DNS
      talkynicer.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      talkynicer.lat
      IN A
      Response
    • flag-us
      DNS
      curverpluch.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      curverpluch.lat
      IN A
      Response
    • flag-us
      DNS
      tentabatte.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      tentabatte.lat
      IN A
      Response
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      bashfulacid.lat
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      bashfulacid.lat
      IN A
      Response
    • flag-us
      DNS
      steamcommunity.com
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      steamcommunity.com
      IN A
      Response
      steamcommunity.com
      IN A
      104.82.234.109
    • flag-gb
      GET
      https://steamcommunity.com/profiles/76561199724331900
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      104.82.234.109:443
      Request
      GET /profiles/76561199724331900 HTTP/1.1
      Connection: Keep-Alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Host: steamcommunity.com
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/html; charset=UTF-8
      Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
      Expires: Mon, 26 Jul 1997 05:00:00 GMT
      Cache-Control: no-cache
      Date: Fri, 03 Jan 2025 05:00:16 GMT
      Content-Length: 35588
      Connection: keep-alive
      Set-Cookie: sessionid=d7e8a9c95b500c7a0c51cece; Path=/; Secure; SameSite=None
      Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
    • flag-us
      DNS
      lev-tolstoi.com
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      8.8.8.8:53
      Request
      lev-tolstoi.com
      IN A
      Response
      lev-tolstoi.com
      IN A
      104.21.66.86
      lev-tolstoi.com
      IN A
      172.67.157.254
    • flag-us
      POST
      https://lev-tolstoi.com/api
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      Remote address:
      104.21.66.86:443
      Request
      POST /api HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
      Content-Length: 8
      Host: lev-tolstoi.com
      Response
      HTTP/1.1 200 OK
      Date: Fri, 03 Jan 2025 05:00:16 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      Set-Cookie: PHPSESSID=38t8cae6bumif08fq8qabvc3vp; expires=Mon, 28 Apr 2025 22:46:55 GMT; Max-Age=9999999; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      X-Frame-Options: DENY
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 1; mode=block
      cf-cache-status: DYNAMIC
      vary: accept-encoding
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txG5F1qVqNCOUeeZLAcurpLU3Ztl%2FJ2nUleG63u2FXwNZj8%2BfoPd47d4wXUmOGkqG1FtOpRyOVH7Y35IOYmhQSEziiTRccVldJxo8wUpn8D6k%2BA%2B05Zwt5LgiJKFPc4jnq8%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8fc06c9c4bc8bea8-LHR
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=60544&min_rtt=59613&rtt_var=14060&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=62197&cwnd=253&unsent_bytes=0&cid=80b0966df3528575&ts=299&x=0"
    • flag-us
      DNS
      180.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      180.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      109.234.82.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      109.234.82.104.in-addr.arpa
      IN PTR
      Response
      109.234.82.104.in-addr.arpa
      IN PTR
      a104-82-234-109.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      75.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      75.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.66.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.66.21.104.in-addr.arpa
      IN PTR
      Response
    • 104.82.234.109:443
      https://steamcommunity.com/profiles/76561199724331900
      tls, http
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      1.6kB
      43.2kB
      22
      37

      HTTP Request

      GET https://steamcommunity.com/profiles/76561199724331900

      HTTP Response

      200
    • 104.21.66.86:443
      https://lev-tolstoi.com/api
      tls, http
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      999 B
      4.9kB
      9
      9

      HTTP Request

      POST https://lev-tolstoi.com/api

      HTTP Response

      200
    • 204.79.197.203:443
    • 192.229.221.95:80
    • 8.8.8.8:53
      enterwahsh.biz
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      60 B
      122 B
      1
      1

      DNS Request

      enterwahsh.biz

    • 8.8.8.8:53
      wordyfindy.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      60 B
      125 B
      1
      1

      DNS Request

      wordyfindy.lat

    • 8.8.8.8:53
      slipperyloo.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      61 B
      126 B
      1
      1

      DNS Request

      slipperyloo.lat

    • 8.8.8.8:53
      manyrestro.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      60 B
      125 B
      1
      1

      DNS Request

      manyrestro.lat

    • 8.8.8.8:53
      shapestickyr.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      62 B
      127 B
      1
      1

      DNS Request

      shapestickyr.lat

    • 8.8.8.8:53
      talkynicer.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      60 B
      125 B
      1
      1

      DNS Request

      talkynicer.lat

    • 8.8.8.8:53
      curverpluch.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      61 B
      126 B
      1
      1

      DNS Request

      curverpluch.lat

    • 8.8.8.8:53
      tentabatte.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      60 B
      125 B
      1
      1

      DNS Request

      tentabatte.lat

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      bashfulacid.lat
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      61 B
      126 B
      1
      1

      DNS Request

      bashfulacid.lat

    • 8.8.8.8:53
      steamcommunity.com
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      64 B
      80 B
      1
      1

      DNS Request

      steamcommunity.com

      DNS Response

      104.82.234.109

    • 8.8.8.8:53
      lev-tolstoi.com
      dns
      36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
      61 B
      93 B
      1
      1

      DNS Request

      lev-tolstoi.com

      DNS Response

      104.21.66.86
      172.67.157.254

    • 8.8.8.8:53
      180.129.81.91.in-addr.arpa
      dns
      72 B
      147 B
      1
      1

      DNS Request

      180.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      109.234.82.104.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      109.234.82.104.in-addr.arpa

    • 8.8.8.8:53
      75.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      75.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      86.66.21.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      86.66.21.104.in-addr.arpa

    • 8.8.8.8:53

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/4480-0-0x0000000002070000-0x000000000209C000-memory.dmp

      Filesize

      176KB

    • memory/4480-1-0x00000000020A0000-0x00000000020EC000-memory.dmp

      Filesize

      304KB

    • memory/4480-2-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/4480-3-0x0000000000400000-0x0000000000459000-memory.dmp

      Filesize

      356KB

    • memory/4480-4-0x0000000002070000-0x000000000209C000-memory.dmp

      Filesize

      176KB

    • memory/4480-5-0x00000000020A0000-0x00000000020EC000-memory.dmp

      Filesize

      304KB
