Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

aa6a1653fb...fN.exe

windows7-x64

10

aa6a1653fb...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/01/2025, 08:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe

  • Size

    1.8MB

  • MD5

    b660f6eea67dd79fc8c91c6a6b6349c0

  • SHA1

    8584bdc3288b169020056c32ac01d1d50a1246c8

  • SHA256

    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239f

  • SHA512

    98107ffb556be668ec49d010adb1a3a3287fff6c2cd0c287bbc5d4c857bcbf56474363344386a77925278fbbe01d6e5d2bbf4a7f26febc72527b6d3dbd73838f

  • SSDEEP

    49152:dGbpaBIua5mOjJACFHA2sRgHmU+ZXBVsmBbG:4xTokACVsTemg

Score
10/10
lummadiscoveryevasionstealer

Malware Config

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    "C:\Users\Admin\AppData\Local\Temp\aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2808

Network

  • flag-us
    DNS
    fancywaxxers.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    fancywaxxers.shop
    IN A
    Response
  • flag-us
    DNS
    fancywaxxers.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    fancywaxxers.shop
    IN A
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8deploystaticakamaitechnologiescom
  • flag-us
    DNS
    nearycrepso.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    nearycrepso.shop
    IN A
    Response
  • flag-us
    DNS
    abruptyopsn.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    abruptyopsn.shop
    IN A
    Response
  • flag-us
    DNS
    wholersorie.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    wholersorie.shop
    IN A
    Response
  • flag-us
    DNS
    framekgirus.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    framekgirus.shop
    IN A
    Response
  • flag-us
    DNS
    tirepublicerj.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    tirepublicerj.shop
    IN A
    Response
  • flag-us
    DNS
    noisycuttej.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    noisycuttej.shop
    IN A
    Response
  • flag-us
    DNS
    rabidcowse.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    rabidcowse.shop
    IN A
    Response
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    cloudewahsj.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
  • flag-us
    DNS
    cloudewahsj.shop
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    cloudewahsj.shop
    IN A
    Response
  • flag-us
    DNS
    steamcommunity.com
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    8.8.8.8:53
    Request
    steamcommunity.com
    IN A
    Response
    steamcommunity.com
    IN A
    23.214.143.155
  • flag-gb
    GET
    https://steamcommunity.com/profiles/76561199724331900
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    Remote address:
    23.214.143.155:443
    Request
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache
    Date: Wed, 08 Jan 2025 08:15:10 GMT
    Content-Length: 25984
    Connection: keep-alive
    Set-Cookie: sessionid=fe966ab5783b9c53c8364661; Path=/; Secure; SameSite=None
    Set-Cookie: steamCountry=GB%7C7d625a3b038bb98f68b4e14dac147806; Path=/; Secure; HttpOnly; SameSite=None
  • flag-us
    DNS
    155.143.214.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.143.214.23.in-addr.arpa
    IN PTR
    Response
    155.143.214.23.in-addr.arpa
    IN PTR
    a23-214-143-155deploystaticakamaitechnologiescom
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    20.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    20.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 23.214.143.155:443
    https://steamcommunity.com/profiles/76561199724331900
    tls, http
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    1.4kB
     33.2kB
     18
    29

    HTTP Request

    GET https://steamcommunity.com/profiles/76561199724331900

    HTTP Response

    200
  • 8.8.8.8:53
    fancywaxxers.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    126 B
     240 B
     2
    2

    DNS Request

    fancywaxxers.shop

    DNS Request

    fancywaxxers.shop

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
     131 B
     1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    nearycrepso.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    62 B
     119 B
     1
    1

    DNS Request

    nearycrepso.shop

  • 8.8.8.8:53
    abruptyopsn.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    62 B
     119 B
     1
    1

    DNS Request

    abruptyopsn.shop

  • 8.8.8.8:53
    wholersorie.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    62 B
     119 B
     1
    1

    DNS Request

    wholersorie.shop

  • 8.8.8.8:53
    framekgirus.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    62 B
     119 B
     1
    1

    DNS Request

    framekgirus.shop

  • 8.8.8.8:53
    tirepublicerj.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    64 B
     121 B
     1
    1

    DNS Request

    tirepublicerj.shop

  • 8.8.8.8:53
    noisycuttej.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    62 B
     119 B
     1
    1

    DNS Request

    noisycuttej.shop

  • 8.8.8.8:53
    rabidcowse.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    61 B
     118 B
     1
    1

    DNS Request

    rabidcowse.shop

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    cloudewahsj.shop
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    124 B
     238 B
     2
    2

    DNS Request

    cloudewahsj.shop

    DNS Request

    cloudewahsj.shop

  • 8.8.8.8:53
    steamcommunity.com
    dns
    aa6a1653fb3f3306c28456c7ff359a6f790df05d21e3befb7f08878495e6239fN.exe
    64 B
     80 B
     1
    1

    DNS Request

    steamcommunity.com

    DNS Response

    23.214.143.155

  • 8.8.8.8:53
    155.143.214.23.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    155.143.214.23.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    20.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    20.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2808-0-0x0000000000350000-0x00000000007F1000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2808-1-0x0000000076F04000-0x0000000076F06000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2808-2-0x0000000000351000-0x000000000037A000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2808-3-0x0000000000350000-0x00000000007F1000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2808-4-0x0000000000350000-0x00000000007F1000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2808-5-0x0000000000350000-0x00000000007F1000-memory.dmp

    Filesize

    4.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.