Resubmissions
  03/01/2025, 19:53 UTC  250103-ymf6cszrbw  score 10
  03/01/2025, 05:06 UTC  250103-frq71szrdy  score 10
  03/01/2025, 05:00 UTC  250103-fm1kwstjgq  score 10
  03/01/2025, 04:45 UTC  250103-fdjk1ssqar  score 10
  03/01/2025, 04:35 UTC  250103-e7skcasmfr  score 10
  03/01/2025, 03:28 UTC  250103-d1dbeazrfl  score 10

Analysis
  max time kernel:  11s
  max time network: 12s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        03/01/2025, 05:00 UTC
Static task
  static1

Behavioral task
  behavioral1
  Sample:   36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
  Resource: win10v2004-20241007-en
General
  Target: 36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
  Size:   310KB
  MD5:    2ea329cf21fe95c260ea3b956b6fbb75
  SHA1:   4c8a6dfe97d33ada86c65298ad91ab46eddc8454
  SHA256: 36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884
  SHA512: 9ba7c26d15f6a116489e69c364f51484fa028dc92cf76a15e7c49095707bc4d499e6da31e9c79e1c5d2b3047dcb0518e10fd01f163b9c6e71282fffb2e8eac90
  SSDEEP: 6144:N0ytx8RRzYd1mH+CkaPSdpzybQiwRF/yCQaOn39cm4W8+:NpeRRzQ0BkFd40bbqC8Wms+
Malware Config
  Extracted
    Family: lumma
    C2:     https://enterwahsh.biz/api
Signatures
  Lumma family

  Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    3472  4480        WerFault.exe  82

  System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe  (PID 4480)
    command line: "C:\Users\Admin\AppData\Local\Temp\36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe"
    signature:    System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\WerFault.exe  (PID 3472)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1248
      signature:    Program crash
  C:\Windows\SysWOW64\WerFault.exe  (PID 1736)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4480 -ip 4480
Network
  DNS  8.8.8.8:53  A    enterwahsh.biz               Response: (none)
  DNS  8.8.8.8:53  A    wordyfindy.lat               Response: (none)
  DNS  8.8.8.8:53  A    slipperyloo.lat              Response: (none)
  DNS  8.8.8.8:53  A    manyrestro.lat               Response: (none)
  DNS  8.8.8.8:53  A    shapestickyr.lat             Response: (none)
  DNS  8.8.8.8:53  A    talkynicer.lat               Response: (none)
  DNS  8.8.8.8:53  A    curverpluch.lat              Response: (none)
  DNS  8.8.8.8:53  A    tentabatte.lat               Response: (none)
  DNS  8.8.8.8:53  PTR  228.249.119.40.in-addr.arpa  Response: (none)
  DNS  8.8.8.8:53  A    bashfulacid.lat              Response: (none)
  DNS  8.8.8.8:53  A    steamcommunity.com           Response: A 104.82.234.109

HTTP  GET https://steamcommunity.com/profiles/76561199724331900
  Process:        36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
  Remote address: 104.82.234.109:443
Request:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Fri, 03 Jan 2025 05:00:16 GMT
Content-Length: 35588
Connection: keep-alive
Set-Cookie: sessionid=d7e8a9c95b500c7a0c51cece; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None

  DNS  8.8.8.8:53  A    lev-tolstoi.com              Response: A 104.21.66.86, A 172.67.157.254

HTTP  POST https://lev-tolstoi.com/api
  Process:        36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe
  Remote address: 104.21.66.86:443
Request:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: lev-tolstoi.com
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=38t8cae6bumif08fq8qabvc3vp; expires=Mon, 28 Apr 2025 22:46:55 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txG5F1qVqNCOUeeZLAcurpLU3Ztl%2FJ2nUleG63u2FXwNZj8%2BfoPd47d4wXUmOGkqG1FtOpRyOVH7Y35IOYmhQSEziiTRccVldJxo8wUpn8D6k%2BA%2B05Zwt5LgiJKFPc4jnq8%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fc06c9c4bc8bea8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=60544&min_rtt=59613&rtt_var=14060&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3293&recv_bytes=603&delivery_rate=62197&cwnd=253&unsent_bytes=0&cid=80b0966df3528575&ts=299&x=0"

  DNS  8.8.8.8:53  PTR  180.129.81.91.in-addr.arpa   Response: (none)
  DNS  8.8.8.8:53  PTR  109.234.82.104.in-addr.arpa  Response: PTR a104-82-234-109.deploy.static.akamaitechnologies.com
  DNS  8.8.8.8:53  PTR  75.159.190.20.in-addr.arpa   Response: (none)
  DNS  8.8.8.8:53  PTR  95.221.229.192.in-addr.arpa  Response: (none)
  DNS  8.8.8.8:53  PTR  86.66.21.104.in-addr.arpa    Response: (none)
Connections
  Remote address      Name/URL                                               Protocols  Process                                                               Sent   Received  Packets out/in
  104.82.234.109:443  https://steamcommunity.com/profiles/76561199724331900  tls, http  36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe  1.6kB  43.2kB    22 / 37
    HTTP Request:  GET https://steamcommunity.com/profiles/76561199724331900
    HTTP Response: 200
  104.21.66.86:443    https://lev-tolstoi.com/api                            tls, http  36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe  999 B  4.9kB     9 / 9
    HTTP Request:  POST https://lev-tolstoi.com/api
    HTTP Response: 200

  DNS requests
  Remote address  Name                         Process                                                               Sent  Received  Packets out/in  Response
                  enterwahsh.biz                                                                                     60 B  122 B     1 / 1
                  wordyfindy.lat                                                                                     60 B  125 B     1 / 1
                  slipperyloo.lat                                                                                    61 B  126 B     1 / 1
                  manyrestro.lat                                                                                     60 B  125 B     1 / 1
  8.8.8.8:53      shapestickyr.lat             36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe  62 B  127 B     1 / 1
                  talkynicer.lat                                                                                     60 B  125 B     1 / 1
                  curverpluch.lat                                                                                    61 B  126 B     1 / 1
                  tentabatte.lat                                                                                     60 B  125 B     1 / 1
                  228.249.119.40.in-addr.arpa                                                                        73 B  159 B     1 / 1
                  bashfulacid.lat                                                                                    61 B  126 B     1 / 1
  8.8.8.8:53      steamcommunity.com           36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe  64 B  80 B      1 / 1           104.82.234.109
                  lev-tolstoi.com                                                                                    61 B  93 B      1 / 1           104.21.66.86, 172.67.157.254
                  180.129.81.91.in-addr.arpa                                                                         72 B  147 B     1 / 1
                  109.234.82.104.in-addr.arpa                                                                        73 B  139 B     1 / 1
                  75.159.190.20.in-addr.arpa                                                                         72 B  158 B     1 / 1
                  95.221.229.192.in-addr.arpa                                                                        73 B  144 B     1 / 1
                  86.66.21.104.in-addr.arpa                                                                          71 B  133 B     1 / 1
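The Network section above records the chain a practitioner should recognise: the statically extracted C2 (enterwahsh.biz) and eight further .lat domains get no DNS answer, the sample then fetches a Steam Community profile page (Lumma's documented dead-drop resolver, where the profile name carries the encoded live C2 domain), and immediately afterwards POSTs an 8-byte form-encoded body to /api on a host it resolves only then (lev-tolstoi.com). The page does not show the POST body. The following is an added example, not tria.ge's code and not derived from the sample: it replays that section as structured events and flags the full sequence rather than any single indicator. The browser list, the 16-byte body threshold and the "at least three dead lookups" rule are my own assumptions; the events are constructed from the report.

```python
"""Added example (not tria.ge's or Lumma's code): replay the Network section of
this report as structured events and flag the Lumma check-in pattern it shows:
many unanswered A lookups, a Steam profile fetch by a non-browser process
(Lumma's dead-drop resolver), then a small form-encoded POST to /api on a
freshly resolved host.  Event data below is constructed from the report."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

SAMPLE = "36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884.exe"
# Assumed list of processes for which a Steam profile fetch is expected.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe"}


@dataclass
class NetEvent:
    kind: str                  # "dns" or "http"
    process: str               # image name that issued the request
    name: str                  # DNS: queried name; HTTP: full URL
    method: str = ""           # HTTP only
    answers: tuple = ()        # DNS only: A records in the reply
    content_type: str = ""     # HTTP request Content-Type
    content_length: int = -1   # HTTP request body size


# Constructed from the report's Network section, in the order the sandbox logged it.
# The reverse (PTR) lookups in the report carry no process and are not replayed here.
EVENTS = [
    NetEvent("dns", SAMPLE, "enterwahsh.biz"),        # C2 from the extracted config: no answer
    NetEvent("dns", SAMPLE, "wordyfindy.lat"),
    NetEvent("dns", SAMPLE, "slipperyloo.lat"),
    NetEvent("dns", SAMPLE, "manyrestro.lat"),
    NetEvent("dns", SAMPLE, "shapestickyr.lat"),
    NetEvent("dns", SAMPLE, "talkynicer.lat"),
    NetEvent("dns", SAMPLE, "curverpluch.lat"),
    NetEvent("dns", SAMPLE, "tentabatte.lat"),
    NetEvent("dns", SAMPLE, "bashfulacid.lat"),
    NetEvent("dns", SAMPLE, "steamcommunity.com", answers=("104.82.234.109",)),
    NetEvent("http", SAMPLE, "https://steamcommunity.com/profiles/76561199724331900", method="GET"),
    NetEvent("dns", SAMPLE, "lev-tolstoi.com", answers=("104.21.66.86", "172.67.157.254")),
    NetEvent("http", SAMPLE, "https://lev-tolstoi.com/api", method="POST",
             content_type="application/x-www-form-urlencoded", content_length=8),
]


@dataclass
class Verdict:
    dead_domains: list = field(default_factory=list)   # A queries that got no answer
    dead_drop_url: Optional[str] = None                # Steam profile fetched by a non-browser
    c2_url: Optional[str] = None                       # first small POST /api after the dead drop
    c2_ips: tuple = ()
    config_c2_dead: bool = False                       # the statically extracted C2 never resolved

    @property
    def is_lumma_like(self) -> bool:
        # Require the whole chain: browsers legitimately fetch Steam profiles and
        # plenty of software POSTs to /api, so no single indicator is enough.
        return bool(self.dead_drop_url and self.c2_url and len(self.dead_domains) >= 3)


def analyse(events, config_c2: Optional[str] = None) -> Verdict:
    v = Verdict()
    resolved = {}                       # name -> A records, to attribute the C2 IPs
    for e in events:
        if e.kind == "dns":
            if e.name.endswith(".in-addr.arpa"):
                continue                # reverse lookups are not sample behaviour
            if e.answers:
                resolved[e.name] = e.answers
            else:
                v.dead_domains.append(e.name)
            continue
        u = urlparse(e.name)
        host = (u.hostname or "").lower()
        if (e.method == "GET" and host == "steamcommunity.com"
                and u.path.startswith("/profiles/") and e.process.lower() not in BROWSERS):
            v.dead_drop_url = e.name
        elif (e.method == "POST" and u.path == "/api" and v.dead_drop_url and v.c2_url is None
                and e.content_type.startswith("application/x-www-form-urlencoded")
                and 0 < e.content_length <= 16):   # assumed threshold for a bare check-in
            v.c2_url = e.name
            v.c2_ips = resolved.get(host, ())
    if config_c2:
        v.config_c2_dead = (urlparse(config_c2).hostname or "").lower() in v.dead_domains
    return v


if __name__ == "__main__":
    verdict = analyse(EVENTS, config_c2="https://enterwahsh.biz/api")
    print("lumma-like:", verdict.is_lumma_like)
    print("dead domains:", len(verdict.dead_domains), "config C2 dead:", verdict.config_c2_dead)
    print("dead drop:", verdict.dead_drop_url)
    print("live C2:", verdict.c2_url, verdict.c2_ips)
```

The practical point the verdict makes explicit: an IoC list built only from the extracted config (enterwahsh.biz) would miss the host the sample actually talked to, so block both the configured C2 and the host resolved after the Steam profile fetch, and alert on any non-browser process requesting steamcommunity.com/profiles/.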