Analysis

  • max time kernel
    71s
  • max time network
    62s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    06/01/2025, 23:15

General

  • Target

    'Set-up.exe

  • Size

    73.0MB

  • MD5

    762266932c784bb2723293ad1cbecc37

  • SHA1

    7983d7eda278567ba082c13b5690266212c447d4

  • SHA256

    792474b38315e55d49a76f68e97b8a6b498ca794decc326cbaef5df22476c88d

  • SHA512

    6862c10dbad70c356be44001f5f514a3f55b23e64aa4a2b89c6e49f1375bb83977bf8bf2398f4eb3f92fc0526968e9ff2e5021cff72725fcafef4351277838a3

  • SSDEEP

    24576:iy3UVrqlCZuTti0JGBtlfvrVTPOk338FNR8olu6jF/3UDIBsS14tB1lzFlE675+E:L3UdqO4+OnXPPpBs1qg5lRCTk6A

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api
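The eight C2 URLs above, together with the file hashes in the General section, are the indicators a defender would take from this report. The following is an added example (not tria.ge output and not the sample's code) that turns them into a small matcher: it extracts the C2 hostnames, scans proxy access-log lines for connections to them, and checks an arbitrary digest against the known hashes. The Squid-style log lines and the non-matching digest in the test are constructed for the demonstration; only the URLs and hashes come from the report.

```python
"""IOC matching built from this report (added example, not tria.ge output).

The C2 URLs and file hashes below are copied from the report above; the proxy
log lines fed to the matcher are constructed for the demonstration and are not
from the report.
"""
import re
from urllib.parse import urlparse

# Lumma C2 endpoints extracted from the sample (Malware Config section).
C2_URLS = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
]

# Hashes of 'Set-up.exe from the General section.
SAMPLE_HASHES = {
    "md5": "762266932c784bb2723293ad1cbecc37",
    "sha1": "7983d7eda278567ba082c13b5690266212c447d4",
    "sha256": "792474b38315e55d49a76f68e97b8a6b498ca794decc326cbaef5df22476c88d",
}


def c2_domains(urls=C2_URLS):
    """Hostnames to block or alert on. Match on the host, not the full URL:
    /api is the configured endpoint, but any other path on the same host is
    still the same infrastructure."""
    return {urlparse(u).hostname.lower() for u in urls}


# Squid native access-log layout (constructed lines, see SAMPLE_LOG):
# <timestamp> <elapsed ms> <client> <code/status> <bytes> <method> <url> ...
# For CONNECT (TLS) requests the URL field is "host:port", not a full URL.
LOG_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log lines; not from the report.
SAMPLE_LOG = [
    "1736205300.123    412 10.0.0.23 TCP_TUNNEL/200 5120 CONNECT cloudewahsj.shop:443 - HIER_DIRECT/203.0.113.10 -",
    "1736205301.456     88 10.0.0.23 TCP_MISS/200 1380 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1736205302.789    301 10.0.0.57 TCP_TUNNEL/200 2048 CONNECT nearycrepso.shop:443 - HIER_DIRECT/203.0.113.11 -",
]


def destination_host(url_field):
    """Normalise the URL field of a proxy log line to a bare lower-case hostname."""
    if "://" in url_field:
        return (urlparse(url_field).hostname or "").lower()
    return url_field.rsplit(":", 1)[0].lower()  # CONNECT host:port


def match_proxy_log(lines, urls=C2_URLS):
    """Return (client, c2_host) for every line whose destination is a known C2."""
    domains = c2_domains(urls)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        host = destination_host(m.group("url"))
        if host in domains:
            hits.append((m.group("client"), host))
    return hits


def hash_matches(digest, known=SAMPLE_HASHES):
    """Name the algorithm whose known value equals digest (case-insensitive), else None.
    Useful when an EDR or mail gateway reports only one digest type."""
    d = digest.strip().lower()
    for algo, value in known.items():
        if d == value:
            return algo
    return None


if __name__ == "__main__":
    print(sorted(c2_domains()))
    print(match_proxy_log(SAMPLE_LOG))
```

All eight hosts share the .shop TLD and the /api path, so a hostname-level block or DNS sinkhole is the cheapest control; matching on the host rather than the full URL also survives a path change. Stealer C2 rotates quickly, so treat both the domains and the file hashes as short-lived indicators and re-pull the config from newer samples.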

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
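Two of the signatures above describe host fingerprinting rather than payload behaviour: the language lookup (to infer location) and the SCSI registry read (to spot a hypervisor's default disk identifier). Note from the process tree that the report attributes the SCSI check, along with AdjustPrivilegeToken and the shell-tray calls, to taskmgr.exe (PID 1880), not to 'Set-up.exe (PID 1492); Task Manager reads disk names legitimately, so that signature is noise against the sample here, and the Lumma verdict rests on the extracted C2 config. The following added example (not the sample's code, not tria.ge output) models both checks so a sandbox operator can see what an image exposes: the registry key path and the LANGID constants are the documented Windows values, while the hypervisor marker strings and the "excluded locales" list are assumptions for illustration, since the report does not say which values this sample compares against. The pure functions run anywhere on constructed inputs; the live reader only runs on Windows.

```python
"""Model of the System Language Discovery and SCSI registry checks (added example;
not the sample's code and not tria.ge output). Marker strings and the excluded
locale list are assumptions for illustration."""
import sys

# HKLM subkey under which Windows exposes the SCSI disk "Identifier" string.
# Real hardware reports the drive vendor/model; hypervisors report their own
# branded defaults unless the image has been customised. The port number varies
# per machine; Port 0 is used here for simplicity.
SCSI_ID_KEY = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"

# Assumed list of hypervisor substrings a sandbox check might look for.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def scsi_identifier_looks_virtual(identifier):
    """Return the first hypervisor marker found in an Identifier value, else None."""
    up = identifier.upper()
    for marker in VM_MARKERS:
        if marker in up:
            return marker
    return None


# Windows LANGID (low 16 bits of an LCID) to locale tag; documented constants,
# trimmed to the handful used in this example.
LANGID_TO_TAG = {
    0x0409: "en-US",
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
}


def locale_tag(langid):
    """Map a LANGID (e.g. from GetUserDefaultUILanguage) to a tag, or hex if unknown."""
    lid = langid & 0xFFFF
    return LANGID_TO_TAG.get(lid, f"0x{lid:04x}")


def language_is_excluded(langid, excluded=("ru-RU", "uk-UA", "be-BY", "kk-KZ")):
    """Model of a location gate built on the system language: True means the host
    would be treated as out of scope. The default list is an assumption."""
    return locale_tag(langid) in excluded


# Constructed Identifier values for the offline demonstration.
CONSTRUCTED_IDENTIFIERS = {
    "stock VirtualBox": "VBOX HARDDISK",
    "stock VMware": "VMware, VMware Virtual S SCSI Disk Device",
    "bare metal": "Samsung SSD 870 EVO 1TB",
}


def live_checks():
    """On Windows, read the real values this host exposes; elsewhere return None.
    The report's win11-20241007-en image is tagged locale:en-us, so a run there
    should map to en-US."""
    if sys.platform != "win32":
        return None
    import ctypes
    import winreg
    langid = ctypes.windll.kernel32.GetUserDefaultUILanguage()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ID_KEY) as key:
        ident, _ = winreg.QueryValueEx(key, "Identifier")
    return {
        "locale": locale_tag(langid),
        "scsi_identifier": ident,
        "vm_marker": scsi_identifier_looks_virtual(ident),
    }


if __name__ == "__main__":
    for name, ident in CONSTRUCTED_IDENTIFIERS.items():
        print(name, "->", scsi_identifier_looks_virtual(ident))
    print(live_checks())
```

For a sandbox operator the practical follow-up is to run the live reader inside the analysis image: if it returns a hypervisor marker, the image is trivially fingerprintable through this key and the disk identifier should be rebranded before the sample is re-run.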

Processes

  • C:\Users\Admin\AppData\Local\Temp\'Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\'Set-up.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:1492
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:1112
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3736
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a3427ad0-9b7d-4ffa-90f7-23460fadb991.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • memory/1492-0-0x0000000002660000-0x00000000026B6000-memory.dmp

    Filesize

    344KB

  • memory/1492-2-0x0000000002660000-0x00000000026B6000-memory.dmp

    Filesize

    344KB

  • memory/1880-17-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-13-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-12-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-11-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-23-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-22-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-21-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-20-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-19-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB

  • memory/1880-18-0x000001FF0B550000-0x000001FF0B551000-memory.dmp

    Filesize

    4KB