Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2025, 02:18

General

  • Target

    setup.exe

  • Size

    793KB

  • MD5

    5b3e5ace672f4250aeb06382579d165d

  • SHA1

    5f1d413192d92fa9a58cd5208963cda6c6c7c678

  • SHA256

    1f8c9a3874f67a64d9ffff9f73d608d62dbd93a443404d969455e03b62e5fd48

  • SHA512

    115551e9a8186986761c03d66928e432410b9c310f2dd862155cfddf1dd01133563a611e12998e898cbd78dce5ad8c2f4da923c5c2e3cec08d20bd38d644695c

  • SSDEEP

    12288:d3K1Pp+lMeB8UODTAFKHMRTviTOODTAFKHMRTviTr:JK1PSMZx0FKsRTqT/0FKsRTqTr

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 252
        3⤵
        • Program crash
        PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2724-0-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-11-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-9-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-7-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2724-4-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-3-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-2-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

  • memory/2724-1-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB