Analysis

  • max time kernel
    109s
  • max time network
    111s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/01/2025, 09:50

General

  • Target

    Release.zip

  • Size

    24.6MB

  • MD5

    a26453383ae24b24575e0795a338ef0b

  • SHA1

    27e37285f54647dd670e7d7b0d3fd501f97cfe18

  • SHA256

    c435de2808f39abe757760d81c10fdc60a3872088e2954951084c718bcef517b

  • SHA512

    8d59eb375b48ff4d335c63e5bfaed26f38cb3fec297433ee5472132872a3d8fec90099c22bab3633bf5116b577b6b13bbfdcf401d7649fa67eda32d2f88c91b8

  • SSDEEP

    786432:/az6YIuPordUKmTsUizXSVGQfcbPSIz4gyh5:/aGYdPor4TuC4QfkPSIz415

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://begguinnerz.biz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4768
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4712
    • C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe
      "C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3452
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:2624
    • C:\Windows\System32\notepad.exe
      "C:\Windows\System32\notepad.exe"
      1⤵
      PID:72

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9adcb502-9930-4e18-8462-5dab65b6645c.down_data

        Filesize

        555KB

        MD5

        5683c0028832cae4ef93ca39c8ac5029

        SHA1

        248755e4e1db552e0b6f8651b04ca6d1b31a86fb

        SHA256

        855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

        SHA512

        aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\.tests\isfile.txt

        Filesize

        7B

        MD5

        260ca9dd8a4577fc00b7bd5810298076

        SHA1

        53a5687cb26dc41f2ab4033e97e13adefd3740d6

        SHA256

        aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

        SHA512

        51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

        Filesize

        8KB

        MD5

        0962291d6d367570bee5454721c17e11

        SHA1

        59d10a893ef321a706a9255176761366115bedcb

        SHA256

        ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

        SHA512

        f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

        Filesize

        16B

        MD5

        46295cac801e5d4857d09837238a6394

        SHA1

        44e0fa1b517dbf802b18faf0785eeea6ac51594b

        SHA256

        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

        SHA512

        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

        Filesize

        41B

        MD5

        5af87dfd673ba2115e2fcf5cfdb727ab

        SHA1

        d5b5bbf396dc291274584ef71f444f420b6056f1

        SHA256

        f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

        SHA512

        de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

        Filesize

        8KB

        MD5

        cf89d16bb9107c631daabf0c0ee58efb

        SHA1

        3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

        SHA256

        d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

        SHA512

        8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

        Filesize

        264KB

        MD5

        a833653a021f29ee2ec1a845e0c2308f

        SHA1

        05071159d3c2516d67b765cef012a0a2d3337759

        SHA256

        8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7

        SHA512

        0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

        Filesize

        8KB

        MD5

        41876349cb12d6db992f1309f22df3f0

        SHA1

        5cf26b3420fc0302cd0a71e8d029739b8765be27

        SHA256

        e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

        SHA512

        e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

      • C:\Users\Admin\AppData\Local\Temp\7zE0A2B7487\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

        Filesize

        24B

        MD5

        54cb446f628b2ea4a5bce5769910512e

        SHA1

        c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

        SHA256

        fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

        SHA512

        8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

      • C:\Users\Admin\Desktop\Release\NewUpd [v1.1.0].exe

        Filesize

        1.9MB

        MD5

        11009591ca02b389f69e8c8e34f3f0c3

        SHA1

        de3e14d918d6aa164112c7339f85f67e60291616

        SHA256

        6f0df40928071c599955dfa09d5f4596a823ad68b887c228a8e810287d856b66

        SHA512

        1ea9ce27abdd7d8ee4aa139ede7e856b3e7404cb30259e2fdd09b2125bbc0aade93e25568ce426e82bcf45167982cdff51432ed20d8db7e8b8e9d1c03ae513aa

      • memory/3452-549-0x00000000030A0000-0x0000000003158000-memory.dmp

        Filesize

        736KB

      • memory/3452-550-0x00000000030A0000-0x0000000003158000-memory.dmp

        Filesize

        736KB

      • memory/3452-551-0x0000000000BF0000-0x0000000000DD6000-memory.dmp

        Filesize

        1.9MB

      • memory/3452-555-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

        Filesize

        348KB

      • memory/3452-556-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

        Filesize

        348KB

      • memory/3452-554-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

        Filesize

        348KB

      • memory/3452-557-0x00000000030A0000-0x0000000003158000-memory.dmp

        Filesize

        736KB

      • memory/3452-553-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

        Filesize

        348KB

      • memory/3452-552-0x0000000000EA0000-0x0000000000EF7000-memory.dmp

        Filesize

        348KB

      • memory/3452-559-0x0000000000BF0000-0x0000000000DD6000-memory.dmp

        Filesize

        1.9MB

      • memory/3452-548-0x0000000000DE0000-0x0000000000E99000-memory.dmp

        Filesize

        740KB