Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-es
  • resource tags

    arch:x64arch:x86image:win11-20241007-eslocale:es-esos:windows11-21h2-x64systemwindows
  • submitted
    04/01/2025, 03:23

General

  • Target

    External2.4.exe

  • Size

    3.7MB

  • MD5

    0d59625aac6e72b533c252f60693ab01

  • SHA1

    1322f9d2daccf4ff016a73d27daa5a17b187046f

  • SHA256

    80384108010dffb5c0f2ad250925dc0fbe80a5e1dfc76fa8b2d1bcc9283bd091

  • SHA512

    0175647093c69ff3a6a403f5397933df23a5b4eddb8feceb13650e373fe7d8bf94250c0dac67d7a8b6efd34d14e112459a498851006a985c264d345fd2569227

  • SSDEEP

    49152:uR/W9yhKrDPtTbvMr2aQPF7Ifxzce3qLz+LZwlhVXaL4tE6SV1nF19B7o:uR/jitHEraLz9Fu

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\External2.4.exe
    "C:\Users\Admin\AppData\Local\Temp\External2.4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4344
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:3968
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\4780ef5a-a133-4b9b-bfa0-e6fea5ebe1c8.down_data

      Filesize

      126KB

      MD5

      0a110bd321f114ff8727674eee2a490f

      SHA1

      ed3eed0bc086ef1df640064d483e20487182a215

      SHA256

      f1f611b30db0431160b742fb7b8a5ae609a7acbd3724810d92e186c65c14c268

      SHA512

      3c08d7c95e5bb0fbdf87cce4fbf7cb10db1f2d5df8cc3e8c214ae064d1e0a0bbcdb1d599605a04dd0ab8c0c3fe5401e5a75ee8620d219e4e0da0810693bef728

    • memory/4344-0-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/4344-1-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/4344-2-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/4344-3-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB

    • memory/4344-4-0x0000000000400000-0x0000000000457000-memory.dmp

      Filesize

      348KB