
Resubmissions

  • 08/01/2025, 01:16 UTC  250108-bm46vszkaj  (score 10)
  • 07/01/2025, 22:37 UTC  250107-2jz1vatpdr  (score 10)
  • 07/01/2025, 22:11 UTC  250107-14bnbasrfr  (score 10)
  • 06/01/2025, 21:24 UTC  250106-z9bd3ayjes  (score 10)
  • 06/01/2025, 04:52 UTC  250106-fhgxzsyphk  (score 10)
  • 06/01/2025, 04:46 UTC  250106-fdzl8sypaj  (score 10)
  • 06/01/2025, 04:34 UTC  250106-e679eaymcj  (score 10)
  • 06/01/2025, 04:26 UTC  250106-e2kybawlex  (score 10)
  • 06/01/2025, 03:47 UTC  250106-ecn9favpcw  (score 10)
  • 06/01/2025, 03:19 UTC  250106-dvk43avkaw  (score 10)

Analysis

  • max time kernel
    4s
  • max time network
    7s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    06/01/2025, 21:24 UTC

General

  • Target

    setup.exe

  • Size

    793KB

  • MD5

    5b3e5ace672f4250aeb06382579d165d

  • SHA1

    5f1d413192d92fa9a58cd5208963cda6c6c7c678

  • SHA256

    1f8c9a3874f67a64d9ffff9f73d608d62dbd93a443404d969455e03b62e5fd48

  • SHA512

    115551e9a8186986761c03d66928e432410b9c310f2dd862155cfddf1dd01133563a611e12998e898cbd78dce5ad8c2f4da923c5c2e3cec08d20bd38d644695c

  • SSDEEP

    12288:d3K1Pp+lMeB8UODTAFKHMRTviTOODTAFKHMRTviTr:JK1PSMZx0FKsRTqT/0FKsRTqTr

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api
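
The eight C2 domains above are the static indicator set for this sample, but the DNS trace later in this report shows something more useful for detection than any single domain: the sample queries every configured .shop domain in quick succession, none returns an A record, and it then resolves steamcommunity.com, sputnik-1985.com and cureprouderio.click and opens TLS connections to them. Lumma is documented to use Steam profile pages as a dead drop for fresh C2 addresses when its embedded list fails; the report does not decode that exchange, so treat the fallback as an observation, not a decoded protocol. The script below is an added example, not tria.ge's code: it matches resolver log lines against the extracted list (exact or subdomain), then flags a burst of distinct C2 lookups that all fail and records the first successful non-IOC lookup the same client made afterwards. The log format (timestamp, client, qname, rcode) and every sample line are constructed; the report shows empty answers, not response codes.

```python
"""Match resolver logs against the Lumma C2 list extracted above and flag the
pattern this report shows: a burst of lookups for the configured C2 domains
that all fail, followed by a successful fallback lookup. Added example, not
tria.ge code. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# C2 domains from the extracted configuration above.
LUMMA_C2 = frozenset({
    "cloudewahsj.shop", "rabidcowse.shop", "noisycuttej.shop",
    "tirepublicerj.shop", "framekgirus.shop", "wholersorie.shop",
    "abruptyopsn.shop", "nearycrepso.shop",
})

# Constructed sample log (hypothetical "timestamp client qname rcode" format),
# modelled on the DNS trace in this report; 10.0.0.9 is a second host with a
# single isolated hit so the burst logic has something to ignore.
SAMPLE_LOG = """\
2025-01-06T21:24:30Z 10.0.0.5 cureprouderio.click NOERROR
2025-01-06T21:24:31Z 10.0.0.5 abruptyopsn.shop NXDOMAIN
2025-01-06T21:24:31Z 10.0.0.5 wholersorie.shop NXDOMAIN
2025-01-06T21:24:32Z 10.0.0.5 framekgirus.shop NXDOMAIN
2025-01-06T21:24:32Z 10.0.0.5 nearycrepso.shop NXDOMAIN
2025-01-06T21:24:33Z 10.0.0.5 tirepublicerj.shop NXDOMAIN
2025-01-06T21:24:33Z 10.0.0.5 noisycuttej.shop NXDOMAIN
2025-01-06T21:24:34Z 10.0.0.5 rabidcowse.shop NXDOMAIN
2025-01-06T21:24:34Z 10.0.0.5 cloudewahsj.shop NXDOMAIN
2025-01-06T21:24:35Z 10.0.0.5 steamcommunity.com NOERROR
2025-01-06T21:24:36Z 10.0.0.5 sputnik-1985.com NOERROR
2025-01-06T21:25:02Z 10.0.0.9 www.example.com NOERROR
2025-01-06T21:30:00Z 10.0.0.9 cdn.rabidcowse.shop NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, client, qname, rcode = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "rcode": rcode.upper(),
    }


def matches_ioc(qname, iocs=LUMMA_C2):
    """Exact match or subdomain of a listed C2 domain."""
    return any(qname == d or qname.endswith("." + d) for d in iocs)


def scan(log_text, window=timedelta(seconds=60), min_domains=3):
    """Return every IOC hit plus, per client, the largest cluster of distinct
    C2 domains queried within `window`, whether all of them failed, and the
    first non-IOC lookup that succeeded afterwards (the fallback)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    ioc_hits = [r for r in records if matches_ioc(r["qname"])]
    per_client = defaultdict(list)
    for r in ioc_hits:
        per_client[r["client"]].append(r)

    bursts = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        for i, first in enumerate(recs):
            in_win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            domains = {r["qname"] for r in in_win}
            if len(domains) >= min_domains and (best is None or len(domains) > len(best["domains"])):
                best = {
                    "client": client,
                    "first": first["ts"],
                    "last": in_win[-1]["ts"],
                    "domains": sorted(domains),
                    "all_failed": all(r["rcode"] != "NOERROR" for r in in_win),
                }
        if best is None:
            continue
        later = [r for r in records
                 if r["client"] == client and r["ts"] > best["last"]
                 and r["rcode"] == "NOERROR" and not matches_ioc(r["qname"])]
        best["fallback"] = min(later, key=lambda r: r["ts"])["qname"] if later else None
        bursts.append(best)
    return {"ioc_hits": ioc_hits, "bursts": bursts}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"{len(result['ioc_hits'])} IOC hits")
    for b in result["bursts"]:
        print(b["client"], len(b["domains"]), "C2 domains in", b["last"] - b["first"],
              "all failed:", b["all_failed"], "fallback:", b["fallback"])
```

The burst rule is the part worth keeping after these particular domains rotate out: a host that asks for several of the configured domains within a minute and gets nothing back, then succeeds on an unrelated host, is the behaviour, and the `min_domains` and `window` thresholds can be tuned against your own resolver volume.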

Signatures

  • Lumma Stealer, LummaC

    Lumma (also LummaC) is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 1980)
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 3560, child of 1980)
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    • C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 1048, child of 1980)
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      • System Location Discovery: System Language Discovery

Network

DNS lookups (all by setup.exe via 8.8.8.8:53; "no answer" means the resolver returned no records)

  • cureprouderio.click  A  → 172.67.132.7, 104.21.4.114
  • 7.132.67.172.in-addr.arpa  PTR  → no answer
  • abruptyopsn.shop  A  → no answer
  • wholersorie.shop  A  → no answer
  • framekgirus.shop  A  → no answer
  • framekgirus.shop  A  → no answer (repeated query)
  • nearycrepso.shop  A  → no answer
  • nearycrepso.shop  A  → no answer (repeated query)
  • tirepublicerj.shop  A  → no answer
  • noisycuttej.shop  A  → no answer
  • rabidcowse.shop  A  → no answer
  • cloudewahsj.shop  A  → no answer
  • steamcommunity.com  A  → 104.103.247.162
  • sputnik-1985.com  A  → 104.21.16.1, 104.21.32.1, 104.21.80.1, 104.21.64.1, 104.21.96.1, 104.21.48.1, 104.21.112.1
  • 162.247.103.104.in-addr.arpa  PTR  → a104-103-247-162.deploy.static.akamaitechnologies.com
  • 1.16.21.104.in-addr.arpa  PTR  → no answer


Connections (all by setup.exe; columns are bytes out / bytes in / packets out / packets in)

  • 172.67.132.7:443  cureprouderio.click  tls  1.1kB / 5.2kB / 10 / 9
  • 104.103.247.162:443  steamcommunity.com  tls  1.7kB / 43.6kB / 24 / 38
  • 104.21.16.1:443  sputnik-1985.com  tls  1.1kB / 5.1kB / 9 / 9
  • 8.8.8.8:53  cureprouderio.click  dns  384 B / 706 B / 6 / 6
    queries: cureprouderio.click (→ 172.67.132.7, 104.21.4.114), 7.132.67.172.in-addr.arpa, abruptyopsn.shop, wholersorie.shop, framekgirus.shop, framekgirus.shop
  • 8.8.8.8:53  nearycrepso.shop  dns  124 B / 238 B / 2 / 2
    queries: nearycrepso.shop, nearycrepso.shop
  • 8.8.8.8:53  tirepublicerj.shop  dns  519 B / 1.0kB / 8 / 8
    queries: tirepublicerj.shop, noisycuttej.shop, rabidcowse.shop, cloudewahsj.shop, steamcommunity.com (→ 104.103.247.162), sputnik-1985.com (→ 104.21.16.1, 104.21.32.1, 104.21.80.1, 104.21.64.1, 104.21.96.1, 104.21.48.1, 104.21.112.1), 162.247.103.104.in-addr.arpa, 1.16.21.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/1048-1-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1048-3-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

    • memory/1048-4-0x0000000000AD0000-0x0000000000B9B000-memory.dmp

      Filesize

      812KB

    • memory/1980-0-0x0000000000B00000-0x0000000000B01000-memory.dmp

      Filesize

      4KB
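
Read together, the process tree, the signatures and these dumps describe process hollowing: the parent setup.exe (PID 1980) triggers WriteProcessMemory and SetThreadContext, spawns two copies of itself, and the child PID 1048 yields a 340KB region starting at 0x400000, the default preferred image base of a 32-bit PE. The report does not name the technique, so treat it as the working hypothesis. The first thing to establish before spending time in a disassembler is whether that 0x400000 region is a complete PE mapped at its preferred base, because such a dump can be carved and loaded as-is, whereas a region at some other base needs relocation. The script below is an added example, not tria.ge's code: it parses tria.ge's dump file name into PID, base and size, checks the DOS, COFF and optional headers at the start of the region, compares ImageBase and SizeOfImage with the region, and lists the section table. The PE image it runs on is constructed inline as a stand-in for the real dump, which is not reproduced on this page.

```python
"""Triage tria.ge memory dumps: recover PID/base/size from the dump file name,
then test whether the dumped region starts with a complete PE image mapped at
its preferred base (the footprint of a hollowed child process). Added
example, not tria.ge code; the PE image below is constructed."""
import re
import struct

DUMP_NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' -> pid, index, base, size."""
    m = DUMP_NAME_RE.search(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, index, start, end = m.groups()
    base, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(index), "base": base, "size": end - base}


def inspect_pe_region(data, region_base):
    """Parse the headers at the start of a dumped region and report whether
    ImageBase and SizeOfImage agree with the region it was dumped from."""
    info = {"is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    if opt + 60 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return info
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsections):               # section table follows the optional header
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    info.update(is_pe=True, pe32plus=(magic == 0x20B), machine=machine,
                entry_point=entry, image_base=image_base, size_of_image=size_of_image,
                sections=sections,
                at_preferred_base=(image_base == region_base),
                region_covers_image=(size_of_image <= len(data)))
    return info


def triage_dump(name, data):
    """Combine both checks; 'carveable' means the region can be saved and
    loaded as-is for static analysis, with no relocation needed."""
    meta = parse_dump_name(name)
    if len(data) != meta["size"]:
        raise ValueError(f"{name}: region is {meta['size']} bytes, got {len(data)}")
    pe = inspect_pe_region(data, meta["base"])
    carveable = pe["is_pe"] and pe["at_preferred_base"] and pe["region_covers_image"]
    return {**meta, **pe, "carveable": carveable}


def build_test_image(image_base=0x400000, size_of_image=0x55000, pe32plus=False):
    """Constructed stand-in for the 0x400000-0x455000 dump: minimal headers,
    one .text section, zero-padded to SizeOfImage. Not the real payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, 0x22 if pe32plus else 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<Q" if pe32plus else "<I", opt, 24 if pe32plus else 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, size_of_image - 0x1000, 0x1000,
                     size_of_image - 0x1000, 0x400)
    img = bytearray(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    return bytes(img + b"\0" * (size_of_image - len(img)))


if __name__ == "__main__":
    name = "memory/1048-1-0x0000000000400000-0x0000000000455000-memory.dmp"
    print(triage_dump(name, build_test_image()))
```

On a real dump, replace `build_test_image()` with the file contents; a region that fails the `is_pe` check is worth a second look rather than a dismissal, since a loader that wipes the MZ/PE signatures after mapping leaves a headerless image that needs manual reconstruction.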
