Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/01/2025, 05:08

General

  • Target

    c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe

  • Size

    14.4MB

  • MD5

    191294c00be02e5bf0807dc1cf52c53a

  • SHA1

    5dbfe490dcc65b2107f9bc0461c9e6767463795a

  • SHA256

    c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1

  • SHA512

    7bbefd4dc19290e454e3f4b08eb5f7faf904639a441d96f74c3973db0302a240192e31cf55c3939c7a70e024199754f084eb68a2ecccc0aea803da6a46025bdc

  • SSDEEP

    393216:8ZnXkkkXBPkVr/zc5Vk1LJG9+ydIaxbDdVUD5:8ZXJqkVr/zc521LJG9+ydIIbhGD5

Score
10/10

Malware Config

Extracted

Family

lumma

C2

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

https://cashju1cyh0.cyou/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe
    "C:\Users\Admin\AppData\Local\Temp\c002664469a48ede06c57b592a27b496bfc3cccb75e3fa468d4b3cf562563fc1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\333.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\333.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\more.com
        C:\Windows\SysWOW64\more.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:3456
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          PID:1592
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/15PRC4
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa67e46f8,0x7fffa67e4708,0x7fffa67e4718
        3⤵
          PID:1064
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          3⤵
            PID:632
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2636
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
            3⤵
              PID:2308
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              3⤵
                PID:2696
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                3⤵
                  PID:1220
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                  3⤵
                    PID:3580
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3712
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                    3⤵
                      PID:3544
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
                      3⤵
                        PID:4796
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
                        3⤵
                          PID:2604
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                          3⤵
                            PID:3920
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,18371220359375017449,1681372508795875149,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4708
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1112
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4640

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            61cef8e38cd95bf003f5fdd1dc37dae1

                            SHA1

                            11f2f79ecb349344c143eea9a0fed41891a3467f

                            SHA256

                            ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                            SHA512

                            6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            0a9dc42e4013fc47438e96d24beb8eff

                            SHA1

                            806ab26d7eae031a58484188a7eb1adab06457fc

                            SHA256

                            58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                            SHA512

                            868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            180B

                            MD5

                            8f571752a0c4f3f6020966e96c85ef8b

                            SHA1

                            81fa9c853712e71e4b0a7da1f65a0979e90a1236

                            SHA256

                            d0b6f0f7769d5faf34595b539d766fe475ec0a2f7a14d2b8f874ea7edf71319d

                            SHA512

                            517efe07dc09ac97deca70371d45628e01758fdf5acb2809cab374e27bfc9b36caa9b5740b43f4d22fbee417f36156ee2034b02d3b823a51ca9a50b197fbfc26

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            553c0733321d7fd0d9e676c4374fac3f

                            SHA1

                            d3390d9f9fc92167c289686f878a8f0ddc622d93

                            SHA256

                            a8a965ac4d16fc4c0b96de2590316d484cd2574984a42622ec588f7c2c6902ea

                            SHA512

                            1efe1e71bedf12cffce1509e45e45d44133e1199ee986e1be30e168a00b3ba12bbee4f723bd1faa13f0c163831d664e970f99ac9d1e39512177947492f0cedb1

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            635f71a4cd6ae509f568ad6cef35df2c

                            SHA1

                            39c5dfbc183882037bb7723250390bfabcce597b

                            SHA256

                            9ab5eb38254453cc39724a4a6b096f583d7052a6e7854356e48c8808c404b529

                            SHA512

                            0cc07561c68166166c688cf774e6807cf187fe273c08b121e8c28b020a4db0855ee3f515484333348333ca3c0cde2c205068d542876a4df9a20ce731e054a845

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            cd8abdc1289aeb3cf9ae12439a6c602f

                            SHA1

                            40fa55c5333c2aae8a7f379e44e0be8fab75dcac

                            SHA256

                            bf0d2bdaa5e1ba011e658f80cc24180f3048757817427f60564a18271e026c53

                            SHA512

                            71173e925e411cb174c3d423716898537ba0d7edc901b2e513fdc9573a08be9761ac7ec7042a92d50ba3c41013791ce763855cb7d6967ba147eaff4d1794bee2

                          • C:\Users\Admin\AppData\Local\Temp\556c3791

                            Filesize

                            1.1MB

                            MD5

                            dc829df7baa6d6ea2d12618e862b737b

                            SHA1

                            022421ae7b594d542dc297c700cc5082f1f84eaf

                            SHA256

                            17ccc2bac73e1c26dd1da9a86cde352ac6f29a8d1a5c53cf1a57529212bb5d0c

                            SHA512

                            795ecf1b815548ef79e13ab6451e0a1606b6662feb7b47e84a7e1b5409f9bb29f04cb9d0e09f4260d0db91277e4857786f53f538e989808481027175bcdae627

                          • C:\Users\Admin\AppData\Local\Temp\5b27b392

                            Filesize

                            1018KB

                            MD5

                            934d841fa722222c02d94d1d43bb11ac

                            SHA1

                            63e652f0bcaee7be5ebbc9657ecc9492b01a3a43

                            SHA256

                            624275d355d54223f02bb1be66fc893b91080fb16e9819ecc4a8ced521c10f95

                            SHA512

                            9072597e1b69f098918858e44805ed5a8e186c76ba6b1fe4091e6b3985cf4a93e701b0ff3a0667963c33064fae3fe1a0202501d727a786dd9de4a9f7556d946f

                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\333.exe

                            Filesize

                            18.4MB

                            MD5

                            cbd9ae608afda66ba0d1df907fea0eaa

                            SHA1

                            e23af3a3a89ffdb363e887b60ff9d45f316445ba

                            SHA256

                            fe26511a6af7fe9c7c5ffe586b6bd2ce84e21d84bfa04d371f8e2db929b520af

                            SHA512

                            b3639fbb4352fad47eb867ed6b1d508d6c23f7e3d8e88fcda42ffa4885a7e7fab8347924ec55db2f6456c1425cba37be2a2103cb54b30cb199822ec549ee4adc

                          • memory/1592-90-0x00007FFFC3F70000-0x00007FFFC4165000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/1592-92-0x0000000000C90000-0x0000000000CA2000-memory.dmp

                            Filesize

                            72KB

                          • memory/1592-91-0x00000000000A0000-0x00000000000FA000-memory.dmp

                            Filesize

                            360KB

                          • memory/3456-85-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/3456-62-0x00007FFFC3F70000-0x00007FFFC4165000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/3456-26-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/3456-89-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/4456-24-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/4456-22-0x0000000075193000-0x0000000075195000-memory.dmp

                            Filesize

                            8KB

                          • memory/4456-23-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/4456-21-0x00007FFFC3F70000-0x00007FFFC4165000-memory.dmp

                            Filesize

                            2.0MB

                          • memory/4456-20-0x0000000075180000-0x00000000752FB000-memory.dmp

                            Filesize

                            1.5MB

                          • memory/4456-14-0x0000000000400000-0x0000000000CB0000-memory.dmp

                            Filesize

                            8.7MB