Analysis
max time kernel: 66s
max time network: 68s
platform: windows11-21h2_x64
resource: win11-20241007-es
resource tags: arch:x64, arch:x86, image:win11-20241007-es, locale:es-es, os:windows11-21h2-x64, system:windows
submitted: 04/01/2025, 03:23
Static task: static1
Behavioral task: behavioral1
Sample: External2.4.exe
Resource: win10ltsc2021-20241211-es
General
Target: External2.4.exe
Size: 3.7MB
MD5: 0d59625aac6e72b533c252f60693ab01
SHA1: 1322f9d2daccf4ff016a73d27daa5a17b187046f
SHA256: 80384108010dffb5c0f2ad250925dc0fbe80a5e1dfc76fa8b2d1bcc9283bd091
SHA512: 0175647093c69ff3a6a403f5397933df23a5b4eddb8feceb13650e373fe7d8bf94250c0dac67d7a8b6efd34d14e112459a498851006a985c264d345fd2569227
SSDEEP: 49152:uR/W9yhKrDPtTbvMr2aQPF7Ifxzce3qLz+LZwlhVXaL4tE6SV1nF19B7o:uR/jitHEraLz9Fu
Malware Config
Extracted family: lumma
C2 URLs extracted from the sample:
Signatures
- Lumma family
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3240 set thread context of 4344 | 3240 | External2.4.exe | 77
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | External2.4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BitLockerToGo.exe
- Modifies registry class (4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
  Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3240 wrote to memory of 4344 | 3240 | External2.4.exe | 77
  (the same entry is recorded 9 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\External2.4.exe (PID 3240)
  command line: "C:\Users\Admin\AppData\Local\Temp\External2.4.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 4344, child of 3240)
    command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe (PID 3968)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\system32\BackgroundTransferHost.exe (PID 792)
  command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\4780ef5a-a133-4b9b-bfa0-e6fea5ebe1c8.down_data
  Filesize: 126KB
  MD5: 0a110bd321f114ff8727674eee2a490f
  SHA1: ed3eed0bc086ef1df640064d483e20487182a215
  SHA256: f1f611b30db0431160b742fb7b8a5ae609a7acbd3724810d92e186c65c14c268
  SHA512: 3c08d7c95e5bb0fbdf87cce4fbf7cb10db1f2d5df8cc3e8c214ae064d1e0a0bbcdb1d599605a04dd0ab8c0c3fe5401e5a75ee8620d219e4e0da0810693bef728