Analysis
max time kernel: 91s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2025, 08:18
Static task: static1
Behavioral task behavioral1: sample SET_UP.exe, resource win7-20240903-en
Behavioral task behavioral2: sample SET_UP.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample Setup.exe, resource win7-20240729-en
General
Target: SET_UP.exe
Size: 70.0MB
MD5: 7395facdf6855e6ffa5b3b7c8465ea6c
SHA1: 5b5296a4829a0954a375bdeb384bb581982611b4
SHA256: f0c3c758ab20867c4c1fc663c94211270849dba9bf386a0d20d3ce9049eb875e
SHA512: a7762a9a86183bb4056747e8f6539c82bc178de97575e8132cd44ed88633a25dddff8bb4da937b534568d922cd9d23813a20bed2cb984151adc2171702a88f7c
SSDEEP: 24576:NM/wwRvEpNfw/mwZ9ilkBXpFwaBf62u5zaoM5OA4bHJHBhz1wJaP3d3:XpNY/BiCzFwWo5moMIbHJfX3d3
Malware Config
Extracted: lumma
Signatures
Lumma family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
  process: SET_UP.exe
Executes dropped EXE (1 IoC)
  pid 1160  While.com
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid 2308  tasklist.exe
  pid 1076  tasklist.exe
Drops file in Windows directory (3 IoCs)
  description                   ioc                             process
  File opened for modification  C:\Windows\BurstEstimates       SET_UP.exe
  File opened for modification  C:\Windows\ContractsIndividual  SET_UP.exe
  File opened for modification  C:\Windows\LiberiaLuxury        SET_UP.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  extrac32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SET_UP.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  While.com
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1076  tasklist.exe
  Token: SeDebugPrivilege   2308  tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
Suspicious use of SendNotifyMessage (3 IoCs)
  pid 1160  While.com
  pid 1160  While.com
  pid 1160  While.com
Suspicious use of WriteProcessMemory (36 IoCs)
  description                          pid   process     procid_target
  PID 2356 wrote to memory of 4828     2356  SET_UP.exe  84
  PID 2356 wrote to memory of 4828     2356  SET_UP.exe  84
  PID 2356 wrote to memory of 4828     2356  SET_UP.exe  84
  PID 4828 wrote to memory of 1076     4828  cmd.exe     87
  PID 4828 wrote to memory of 1076     4828  cmd.exe     87
  PID 4828 wrote to memory of 1076     4828  cmd.exe     87
  PID 4828 wrote to memory of 1516     4828  cmd.exe     88
  PID 4828 wrote to memory of 1516     4828  cmd.exe     88
  PID 4828 wrote to memory of 1516     4828  cmd.exe     88
  PID 4828 wrote to memory of 2308     4828  cmd.exe     91
  PID 4828 wrote to memory of 2308     4828  cmd.exe     91
  PID 4828 wrote to memory of 2308     4828  cmd.exe     91
  PID 4828 wrote to memory of 2088     4828  cmd.exe     92
  PID 4828 wrote to memory of 2088     4828  cmd.exe     92
  PID 4828 wrote to memory of 2088     4828  cmd.exe     92
  PID 4828 wrote to memory of 2604     4828  cmd.exe     93
  PID 4828 wrote to memory of 2604     4828  cmd.exe     93
  PID 4828 wrote to memory of 2604     4828  cmd.exe     93
  PID 4828 wrote to memory of 232      4828  cmd.exe     94
  PID 4828 wrote to memory of 232      4828  cmd.exe     94
  PID 4828 wrote to memory of 232      4828  cmd.exe     94
  PID 4828 wrote to memory of 3208     4828  cmd.exe     95
  PID 4828 wrote to memory of 3208     4828  cmd.exe     95
  PID 4828 wrote to memory of 3208     4828  cmd.exe     95
  PID 4828 wrote to memory of 2636     4828  cmd.exe     96
  PID 4828 wrote to memory of 2636     4828  cmd.exe     96
  PID 4828 wrote to memory of 2636     4828  cmd.exe     96
  PID 4828 wrote to memory of 4548     4828  cmd.exe     97
  PID 4828 wrote to memory of 4548     4828  cmd.exe     97
  PID 4828 wrote to memory of 4548     4828  cmd.exe     97
  PID 4828 wrote to memory of 1160     4828  cmd.exe     98
  PID 4828 wrote to memory of 1160     4828  cmd.exe     98
  PID 4828 wrote to memory of 1160     4828  cmd.exe     98
  PID 4828 wrote to memory of 4480     4828  cmd.exe     99
  PID 4828 wrote to memory of 4480     4828  cmd.exe     99
  PID 4828 wrote to memory of 4480     4828  cmd.exe     99
Processes
C:\Users\Admin\AppData\Local\Temp\SET_UP.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SET_UP.exe"
  PID: 2356
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c move Bonds Bonds.cmd & Bonds.cmd
    PID: 4828
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 1076
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /I "opssvc wrsa"
      PID: 1516
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      PID: 2308
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      PID: 2088
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md 339474
      PID: 2604
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\extrac32.exe
      command line: extrac32 /Y /E Roommate
      PID: 232
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\findstr.exe
      command line: findstr /V "PERFECTLY" Ruled
      PID: 3208
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b 339474\While.com + Fitting + Engine + Reasons + Immigrants + Colony + Fired + Speak + Selecting + Element + Italic 339474\While.com
      PID: 2636
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c copy /b ..\Miniature + ..\Triumph + ..\Cialis + ..\Downloads + ..\Satin + ..\Mate K
      PID: 4548
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\339474\While.com
      command line: While.com K
      PID: 1160
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\choice.exe
      command line: choice /d y /t 5
      PID: 4480
      - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads