Analysis
- max time kernel: 89s
- max time network: 93s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241211-es
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-es, locale:es-es, os:windows10-ltsc 2021-x64, system, windows
- submitted: 04/01/2025, 03:23
Static task: static1
Behavioral task: behavioral1
- Sample: External2.4.exe
- Resource: win10ltsc2021-20241211-es
General
- Target: External2.4.exe
- Size: 3.7MB
- MD5: 0d59625aac6e72b533c252f60693ab01
- SHA1: 1322f9d2daccf4ff016a73d27daa5a17b187046f
- SHA256: 80384108010dffb5c0f2ad250925dc0fbe80a5e1dfc76fa8b2d1bcc9283bd091
- SHA512: 0175647093c69ff3a6a403f5397933df23a5b4eddb8feceb13650e373fe7d8bf94250c0dac67d7a8b6efd34d14e112459a498851006a985c264d345fd2569227
- SSDEEP: 49152:uR/W9yhKrDPtTbvMr2aQPF7Ifxzce3qLz+LZwlhVXaL4tE6SV1nF19B7o:uR/jitHEraLz9Fu
Malware Config
Extracted
lumma
Signatures
- Lumma family
- Suspicious use of SetThreadContext (1 IoC)
  - description: PID 1620 set thread context of 4620; pid: 1620; Process: External2.4.exe; procid_target: 90
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: External2.4.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: BitLockerToGo.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000; Process: taskmgr.exe
  - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A; Process: taskmgr.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName; Process: taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; Process: taskmgr.exe
  - description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; Process: taskmgr.exe
- Modifies registry class (1 IoC)
  - description: Key created; ioc: \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000_Classes\Local Settings; Process: taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid: 4184; Process: taskmgr.exe (all 64 entries identical)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - description: Token: SeDebugPrivilege; pid: 4184; Process: taskmgr.exe
  - description: Token: SeSystemProfilePrivilege; pid: 4184; Process: taskmgr.exe
  - description: Token: SeCreateGlobalPrivilege; pid: 4184; Process: taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  - pid: 4184; Process: taskmgr.exe (all 64 entries identical)
- Suspicious use of SendNotifyMessage (64 IoCs)
  - pid: 4184; Process: taskmgr.exe (all 64 entries identical)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - description: PID 1620 wrote to memory of 4620; pid: 1620; Process: External2.4.exe; procid_target: 90 (all 8 entries identical)
Processes
- C:\Users\Admin\AppData\Local\Temp\External2.4.exe (PID 1620, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\External2.4.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 4620, depth 2)
    command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\taskmgr.exe (PID 4184, depth 1)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (PID 4348, depth 1)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\System32\8kkdna.exe (PID 3736, depth 1)
  command line: "C:\Windows\System32\8kkdna.exe"