Analysis

  • max time kernel
    64s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2025, 00:03

General

  • Target

    aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi

  • Size

    4.2MB

  • MD5

    93a70c58cbc42d4362fd4cc206d5a35e

  • SHA1

    f769777dec440d5e8900927b42d6c4232d6d58b7

  • SHA256

    aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

  • SHA512

    db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23

  • SSDEEP

    98304:Fn3X3JlbT6t/B7ALNsrYr82OvJ2p9TSNV1+jjz:B3X33bT6dB76NsrYFcw+o

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api
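
The report's Malware Config and General sections are the IoCs a responder will actually search for. The script below is an added example (not tria.ge code) that reduces the eight C2 URLs to hostnames, matches DNS query names against them without the substring false positives a naive `in` check would produce, and matches file-hash records against the submitted MSI's hashes. The DNS log format, the log lines and the hash records are constructed for the demonstration; the hashes and URLs are copied from the report. Note that the report shows the same hashes on `C:\Windows\Installer\f783727.msi`, the copy msiexec caches during installation, so the sample hash will turn up under `C:\Windows\Installer` on an infected host even after the Temp copy is gone.

```python
"""Match the IoCs from this report (Lumma C2 hosts, submitted MSI hashes)
against log data.  Added example, not tria.ge code.  The DNS log lines
and file-hash records below are constructed for the demonstration."""
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's Malware Config section.
C2_URLS = [
    "https://cloudewahsj.shop/api",
    "https://rabidcowse.shop/api",
    "https://noisycuttej.shop/api",
    "https://tirepublicerj.shop/api",
    "https://framekgirus.shop/api",
    "https://wholersorie.shop/api",
    "https://abruptyopsn.shop/api",
    "https://nearycrepso.shop/api",
]

# Hashes of the submitted MSI from the report's General section.  The same
# hashes appear on C:\Windows\Installer\f783727.msi, the copy msiexec caches.
SAMPLE_HASHES = {
    "md5": "93a70c58cbc42d4362fd4cc206d5a35e",
    "sha1": "f769777dec440d5e8900927b42d6c4232d6d58b7",
    "sha256": "aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f",
}


def c2_hosts(urls):
    """Reduce the C2 URLs to lowercase hostnames.  The /api path and the
    scheme are the parts most likely to differ between builds, so match on
    the host only."""
    return {urlparse(u).hostname.lower() for u in urls}


def host_matches(name, hosts):
    """True if name is one of the C2 hosts or a subdomain of one
    (a plain substring test would also match e.g. notrabidcowse.shop)."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)


def scan_dns_log(lines, hosts):
    """Constructed log format: '<timestamp> <client_ip> <qname> <qtype>'.
    Returns (timestamp, client_ip, qname) for every query to a C2 host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than failing the scan
        ts, client, qname, _qtype = parts[:4]
        if host_matches(qname, hosts):
            hits.append((ts, client, qname))
    return hits


def scan_hash_records(records, known):
    """records: dicts with a 'path' key and any of md5/sha1/sha256.
    Returns (path, algorithm) for the first algorithm that matches."""
    hits = []
    for rec in records:
        for algo, value in known.items():
            if rec.get(algo, "").lower() == value:
                hits.append((rec["path"], algo))
                break
    return hits


# Constructed sample data (not from the report).
SAMPLE_DNS_LOG = [
    "2025-01-07T00:04:11Z 10.0.0.15 cloudewahsj.shop A",
    "2025-01-07T00:04:12Z 10.0.0.15 www.microsoft.com A",
    "2025-01-07T00:04:13Z 10.0.0.22 rabidcowse.shop A",
    "2025-01-07T00:04:14Z 10.0.0.22 notrabidcowse.shop A",
    "garbage line",
]
SAMPLE_HASH_RECORDS = [
    {"path": r"C:\Windows\Installer\f783727.msi",
     "sha256": "AA1E63845CBFCEE49033A729FCECC2D61CDC2F41968813A45AD64946E8A2EC1F"},
    {"path": r"C:\Users\Admin\Downloads\setup.msi",
     "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, hosts):
        print("C2 DNS query:", hit)
    for hit in scan_hash_records(SAMPLE_HASH_RECORDS, SAMPLE_HASHES):
        print("known sample on disk:", hit)
```

Hash comparison is case-insensitive because EDR and sandbox exports disagree on hex casing; the `.shop` hosts are matched as exact names or subdomains, which is what a DNS blocklist entry for the apex domain would do.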

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1308
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe
      "C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
        C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1124
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "00000000000003A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
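
The process tree above is the part of the report that turns into a hunting rule. The script below is an added example (not tria.ge code) with three rules over process-creation events: the Windows Installer service (`msiexec.exe`) spawning an executable from the user profile, a user-profile executable relaunching a same-named copy from another directory, and a Windows binary started with no arguments whose lineage leads back to a user-profile executable. The third rule matches the `cmd.exe` to `explorer.exe` tail of this tree; the report's SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on the parent processes are what to correlate it with, since a bare-launched system binary under parents with those behaviours is the usual shape of process hollowing. That is an inference to confirm in the memory dumps, not something the page states. The Event tuples are constructed from the tree; the report does not show the parents of the top-level processes, so their ppid is None.

```python
"""Rules over process-creation events, run against the process tree in
this report.  Added example, not tria.ge code.  The Event tuples below are
constructed from the tree; parents of the top-level processes are unknown."""
import ntpath
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

MSI = r"C:\Users\Admin\AppData\Local\Temp\aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f.msi"
EVENTS = [
    Event(1308, None, r"C:\Windows\system32\msiexec.exe", "msiexec.exe /I " + MSI),
    Event(3036, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Event(1640, 3036, r"C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe",
          r'"C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe"'),
    Event(2900, 1640, r"C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe",
          r"C:\Users\Admin\AppData\Roaming\NotepadLoadZC_test\iScrPaint.exe"),
    Event(2184, 2900, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    Event(1124, 2184, r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\SysWOW64\explorer.exe"),
    Event(2808, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]


def build_index(events):
    return {e.pid: e for e in events}


def ancestors(pid, index):
    """Parent chain of pid, nearest first; stops at an unknown parent or a cycle."""
    chain, seen = [], {pid}
    cur = index.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index.get(cur.ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def under_user_profile(path):
    return "\\users\\" in path.lower()


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def bare_launch(e):
    """True when the command line is just the image path (or its basename)
    with no arguments, quotes ignored."""
    c = e.cmdline.strip().strip('"').lower()
    return c in (e.image.lower(), ntpath.basename(e.image).lower())


def detect(events):
    """Return (rule_name, pid) for every event a rule matches."""
    index = build_index(events)
    findings = []
    for e in events:
        parent = index.get(e.ppid) if e.ppid is not None else None
        # R1: Windows Installer spawning an executable out of the user profile.
        if (parent and ntpath.basename(parent.image).lower() == "msiexec.exe"
                and under_user_profile(e.image)):
            findings.append(("msiexec_spawns_userprofile_exe", e.pid))
        # R2: a user-profile executable relaunching a same-named copy of
        # itself from a different directory (Local\Limerick -> Roaming\...).
        if (parent and under_user_profile(parent.image) and under_user_profile(e.image)
                and ntpath.basename(parent.image).lower() == ntpath.basename(e.image).lower()
                and ntpath.dirname(parent.image).lower() != ntpath.dirname(e.image).lower()):
            findings.append(("self_copy_relaunch", e.pid))
        # R3: a Windows binary started bare (no arguments) with a user-profile
        # executable somewhere in its lineage; correlate with injection
        # signatures on the parents before calling it hollowing.
        if (under_windows(e.image) and bare_launch(e)
                and any(under_user_profile(a.image) for a in ancestors(e.pid, index))):
            findings.append(("bare_windows_binary_from_userprofile_lineage", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: PID {pid}")
```

R3 deliberately does not fire on `vssvc.exe` (PID 2808), which is also launched bare but has no user-profile ancestor; the lineage requirement is what keeps the rule quiet on a normal host, where `cmd.exe` spawning bare system binaries is routine.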

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f783729.rbs

    Filesize

    8KB

    MD5

    5141765cc431402473fd18f8d987dad3

    SHA1

    8c5bbfe56f3df7558e7210b7f6e40ff486bc5d6d

    SHA256

    13962acbe2106208051b63c91cf245a861315c8bbe1bb40ab75345425c6e398a

    SHA512

    201bf2f4baf12e438281538779b3977dc3737aaf4448a249167c18644276c5d316e3acf228c9197f41bc40e1ccbe176e371308f4c6d45dad7a71a381f6467721

  • C:\Users\Admin\AppData\Local\Limerick\WebUI.dll

    Filesize

    7.6MB

    MD5

    d4ad539ff52c5af062bdd88deb9d08a9

    SHA1

    c4264de99b628fc9afd320ec47e004ef1ade1d54

    SHA256

    44e5c6ac6131bf6b55b9a4c0bd5db41b56da3efcf0797f044bc693abed28dbbd

    SHA512

    a87696e66564aba54311f49e06fb6948f51531a323dfceae5d3af4b62a140ab009429853e72124ecb03058a0e85c5277b3329cb52f9c3b034f840eee15a45904

  • C:\Users\Admin\AppData\Local\Limerick\cajun.sql

    Filesize

    43KB

    MD5

    10d06a63ea6f430da50e26ed3441ea1b

    SHA1

    15f43b1d9a5723c6851db5de307df3f0b220a972

    SHA256

    8a58cca115c3e3c1afd2ba4c4af776306f3b4dbfd6d16704c180d60dd192e40a

    SHA512

    9669dccc63440c9942a7a13b4f715c8dc65dbb11482d0144c4b7dcbe451b9af0f2c9f894cbc186cc8880b6b68fc70e5191bf54faa4e65e8dff0662afdb21bda5

  • C:\Users\Admin\AppData\Local\Limerick\iScrPaint.exe

    Filesize

    1.8MB

    MD5

    098ac4621ee0e855e0710710736c2955

    SHA1

    ce7b88657c3449d5d05591314aaa43bd3e32bdaa

    SHA256

    46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f

    SHA512

    3042785b81bd18b641f0a2b5d8aec8ef86f9bf1269421fb96d1db35a913e744eaff16d9da7a02c8001435d59befb9f26bc0bbfa6e794811abf4282ed68b185fe

  • C:\Users\Admin\AppData\Local\Limerick\jaculator.app

    Filesize

    799KB

    MD5

    eaed4e7f6c2a9d9558061db4f88b6083

    SHA1

    0992fe807fb82aa4a4cc6a2eebb76346222643f9

    SHA256

    b6b3c597d404fe24f1f87f1fe5b2cae0b6476e796c6acac1ada9ed02ede1ec07

    SHA512

    c42ea74bbb9276cc671f9635d8f4df9365d95b43c0d108c02c223a40765df517549a2332c3c427b09ef74d0e7b36a1340dbb733dd4bd14d1c8c2099ce0e5cfa9

  • C:\Users\Admin\AppData\Local\Temp\CabF26C.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF27F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\e0d3395d

    Filesize

    1.0MB

    MD5

    b63f539ec9eab672628d63a62766e3b4

    SHA1

    3e844e0573f5c92b2a510fbd74776a1d47e964a7

    SHA256

    a435b1948c6b079c5e6e4c134d87f9cb1e7e3c44afbec3b35c274b3bfed3cf46

    SHA512

    b5ca171ca55569fba06e712850e1dd86cb748d78a3bae933f4f0921fcf20f35c7884ddef47c8a06fb9b0cec3fb50e4c841ec3b12751261719bab26f614f31e0f

  • C:\Windows\Installer\f783727.msi

    Filesize

    4.2MB

    MD5

    93a70c58cbc42d4362fd4cc206d5a35e

    SHA1

    f769777dec440d5e8900927b42d6c4232d6d58b7

    SHA256

    aa1e63845cbfcee49033a729fcecc2d61cdc2f41968813a45ad64946e8a2ec1f

    SHA512

    db54faa43d5fc83f7160edbda953ba763080f499d8ce20cc0502a357a564d1be60dc44ece4425f5ddfc0d4ce6e47cf5b7e79bf1dfa680ea98cf728191df28a23

  • memory/1124-65-0x0000000000080000-0x00000000000DC000-memory.dmp

    Filesize

    368KB

  • memory/1124-110-0x0000000000080000-0x00000000000DC000-memory.dmp

    Filesize

    368KB

  • memory/1124-61-0x0000000077260000-0x0000000077409000-memory.dmp

    Filesize

    1.7MB

  • memory/1124-62-0x0000000000080000-0x00000000000DC000-memory.dmp

    Filesize

    368KB

  • memory/1640-46-0x0000000000400000-0x000000000061B000-memory.dmp

    Filesize

    2.1MB

  • memory/1640-34-0x0000000077260000-0x0000000077409000-memory.dmp

    Filesize

    1.7MB

  • memory/1640-33-0x00000000748C0000-0x0000000074A34000-memory.dmp

    Filesize

    1.5MB

  • memory/2184-59-0x00000000747D0000-0x0000000074944000-memory.dmp

    Filesize

    1.5MB

  • memory/2184-58-0x0000000077260000-0x0000000077409000-memory.dmp

    Filesize

    1.7MB

  • memory/2900-56-0x0000000000400000-0x000000000061B000-memory.dmp

    Filesize

    2.1MB

  • memory/2900-54-0x00000000747D0000-0x0000000074944000-memory.dmp

    Filesize

    1.5MB

  • memory/2900-53-0x0000000077260000-0x0000000077409000-memory.dmp

    Filesize

    1.7MB

  • memory/2900-52-0x00000000747D0000-0x0000000074944000-memory.dmp

    Filesize

    1.5MB
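
The `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names above encode the virtual address range of each dumped region, so the listed sizes can be recomputed and the ranges compared across processes. The script below is an added example (not tria.ge code) that parses those names, reproduces the report's size formatting (1024-byte KB, one-decimal MB) so the check can compare strings, and reports ranges that appear in more than one PID. The dump list is copied from the report. Two observations it surfaces: `0x77260000-0x77409000` is dumped from all four PIDs, and `0x400000-0x61B000` from both `iScrPaint.exe` instances (1640 and 2900). Identical ranges across processes are usually the same image or DLL at its preferred base, which is an inference to confirm in the dumps rather than something the report states.

```python
"""Parse tria.ge memory-dump names, recompute region sizes and find ranges
shared between PIDs.  Added example, not tria.ge code.  DUMPS is copied
from the report's Downloads list."""
import re

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return pid, sequence number and the [start, end) address range."""
    m = MEM_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def region_size(entry):
    return entry["end"] - entry["start"]


def human_size(n):
    """Format bytes the way the report lists Filesize: 1024-byte KB below
    1 MiB, one-decimal MB above it."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n / 1024:.0f}KB"


# (dump name, listed Filesize) as they appear in the report.
DUMPS = [
    ("memory/1124-65-0x0000000000080000-0x00000000000DC000-memory.dmp", "368KB"),
    ("memory/1124-110-0x0000000000080000-0x00000000000DC000-memory.dmp", "368KB"),
    ("memory/1124-61-0x0000000077260000-0x0000000077409000-memory.dmp", "1.7MB"),
    ("memory/1124-62-0x0000000000080000-0x00000000000DC000-memory.dmp", "368KB"),
    ("memory/1640-46-0x0000000000400000-0x000000000061B000-memory.dmp", "2.1MB"),
    ("memory/1640-34-0x0000000077260000-0x0000000077409000-memory.dmp", "1.7MB"),
    ("memory/1640-33-0x00000000748C0000-0x0000000074A34000-memory.dmp", "1.5MB"),
    ("memory/2184-59-0x00000000747D0000-0x0000000074944000-memory.dmp", "1.5MB"),
    ("memory/2184-58-0x0000000077260000-0x0000000077409000-memory.dmp", "1.7MB"),
    ("memory/2900-56-0x0000000000400000-0x000000000061B000-memory.dmp", "2.1MB"),
    ("memory/2900-54-0x00000000747D0000-0x0000000074944000-memory.dmp", "1.5MB"),
    ("memory/2900-53-0x0000000077260000-0x0000000077409000-memory.dmp", "1.7MB"),
    ("memory/2900-52-0x00000000747D0000-0x0000000074944000-memory.dmp", "1.5MB"),
]


def check_listed_sizes(dumps):
    """Return (name, listed, computed) for every entry whose listed size
    disagrees with the size implied by its address range."""
    mismatches = []
    for name, listed in dumps:
        computed = human_size(region_size(parse_dump_name(name)))
        if computed != listed:
            mismatches.append((name, listed, computed))
    return mismatches


def shared_regions(dumps):
    """Map (start, end) -> sorted PIDs, for ranges dumped from more than one PID."""
    by_range = {}
    for name, _ in dumps:
        e = parse_dump_name(name)
        by_range.setdefault((e["start"], e["end"]), set()).add(e["pid"])
    return {k: sorted(v) for k, v in by_range.items() if len(v) > 1}


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(DUMPS))
    for (start, end), pids in sorted(shared_regions(DUMPS).items()):
        print(f"0x{start:08X}-0x{end:08X} ({human_size(end - start)}) in PIDs {pids}")
```

The three dumps of `0x80000-0xDC000` from PID 1124 carry different sequence numbers (61, 62, 65, 110 are the capture order), so they are snapshots of the same region at different times in the `explorer.exe` process; diffing them is the quickest way to see what was written there after the bare launch.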