
Analysis

  • max time kernel
    35s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/01/2025, 18:03

General

  • Target

    Release-x64.zip

  • Size

    19.6MB

  • MD5

    25493ab271580066a0d5e8d43b25e055

  • SHA1

    f2a8336d1e6a75233f796fe37ec00aa204fb6907

  • SHA256

    5281883011b847e4ab3f68c7488a47fb8489ac802c558a2cb1e5bef588f06269

  • SHA512

    41728fc89da12faca4fa738f5ef48cd1d7fd1c9b82151f9d011f4079611d0e7fdc7a06503a07a469a89b9de0424404b547bd89e5678da73a8dfa89668932deb1

  • SSDEEP

    393216:oyzn8HaG+RVYNVwS8+1Kd7qI2R/Ri977qCWEyeEcTeuoIJKxoJe4B2:Zn8yV2Vw7+10qbKzEcquoAKxogM2

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

C2

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Executes dropped EXE 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release-x64.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO83076CF7\README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2632
    • C:\Users\Admin\AppData\Local\Temp\7zO830A6EA7\Bootstrapp.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO830A6EA7\Bootstrapp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1356
        3⤵
        • Program crash
        PID:4960
    • C:\Users\Admin\AppData\Local\Temp\7zO8305EB68\Bootstrapp.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8305EB68\Bootstrapp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1296
        3⤵
        • Program crash
        PID:2340
    • C:\Users\Admin\AppData\Local\Temp\7zO8307DE68\Bootstrapp.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8307DE68\Bootstrapp.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3552 -ip 3552
    1⤵
    PID:1752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2160 -ip 2160
    1⤵
    PID:2440

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO83076CF7\README.txt

    Filesize

    124B

    MD5

    3b4bb14e17a60137e3e93c7adac41bcb

    SHA1

    de09ed28df13d9325e816d0c656582a929077876

    SHA256

    bde691c014e6a2527d5ef783d065edf14bcfe83b20c1ff97c22d280633b5287e

    SHA512

    ec76f39b6ab4c6f822a1777c78212d659d86760458da9f050fba48bef12cba054573f25fc96278b49cdb163bed41a157123c01d3897226584cd1b57a653dfb50

  • C:\Users\Admin\AppData\Local\Temp\7zO830A6EA7\Bootstrapp.exe

    Filesize

    303KB

    MD5

    8b4b611f189dc2c0da8f0418a4f75a48

    SHA1

    67da157c8da2ee1deb30472e06cacca5c1918d5f

    SHA256

    c06c92f33a0f706400bac3cb9174e27d95a995bd69886bd7e779638813483c78

    SHA512

    93cd273d5d0525e92340434cb4a255c8d2dad8db24a2cbb0d78a1a5be41ecdafd835971bed638e98e546bfdcd59151a8d2219a4fc307a50b8e22b6b928136e58

  • memory/2160-32-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

  • memory/3552-13-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB