Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 13:33

General

  • Target

    nayfObR.exe

  • Size

    522KB

  • MD5

    138fcf999a87419be2c7e5e036601466

  • SHA1

    7569a1444cd948145c966dbe0b47ffdb587f8681

  • SHA256

    960aa535a9712242c02a82c1f07530ae60e79bcbab15fcf0ebc6e7dbd636710b

  • SHA512

    afd574b7cf69012e1fd319c6e3825ff512c042c9917f5d7087ea88632516c9ab6bb30d48d465e18ba1be6e412a9ac728d609006af05df8577d7de2c938501c6d

  • SSDEEP

    12288:DztE0u86qlmk/345zA7Fv6vsVOzm9t/Gzr9AskP6f:DO0uYlmsozAAvsYkGzrOw

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
    "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
      "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
      2⤵
        PID:2100
      • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
        "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
        2⤵
          PID:1640
        • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
          "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
          2⤵
            PID:1984
          • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
            "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
            2⤵
              PID:2064
            • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
              "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
              2⤵
                PID:2524
              • C:\Users\Admin\AppData\Local\Temp\nayfObR.exe
                "C:\Users\Admin\AppData\Local\Temp\nayfObR.exe"
                2⤵
                  PID:1668

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/1668-1-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-8-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

              • memory/1668-5-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-4-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-2-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-3-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-10-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1668-11-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/2312-0-0x0000000000260000-0x0000000000261000-memory.dmp

                Filesize

                4KB