Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview

Static analysis: score 10

Score  Sample            Platform
3      DBDownloader.exe  windows7-x64
10     DBDownloader.exe  windows10-2004-x64
10     Zip.dll           windows7-x64
3      Zip.dll           windows10-2004-x64
3      madBasic_.dll     windows7-x64
3      madBasic_.dll     windows10-2004-x64
3      madDisAsm_.dll    windows7-x64
3      madDisAsm_.dll    windows10-2004-x64
3      madExcept_.dll    windows7-x64
3      madExcept_.dll    windows10-2004-x64
3      rtl120.dll        windows7-x64
3      rtl120.dll        windows10-2004-x64
3      vcl120.dll        windows7-x64
3      vcl120.dll        windows10-2004-x64

Analysis
Max time kernel:   140s
Max time network:  151s
Platform:          windows10-2004_x64
Resource:          win10v2004-20241007-en
Resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted:         19/01/2025, 17:30
Static task: static1

Behavioral tasks

Task          Sample            Resource
behavioral1   DBDownloader.exe  win7-20240903-en
behavioral2   DBDownloader.exe  win10v2004-20241007-en
behavioral3   Zip.dll           win7-20240903-en
behavioral4   Zip.dll           win10v2004-20241007-en
behavioral5   madBasic_.dll     win7-20241010-en
behavioral6   madBasic_.dll     win10v2004-20241007-en
behavioral7   madDisAsm_.dll    win7-20240729-en
behavioral8   madDisAsm_.dll    win10v2004-20241007-en
behavioral9   madExcept_.dll    win7-20240903-en
behavioral10  madExcept_.dll    win10v2004-20241007-en
behavioral11  rtl120.dll        win7-20240903-en
behavioral12  rtl120.dll        win10v2004-20241007-en
behavioral13  vcl120.dll        win7-20240903-en
behavioral14  vcl120.dll        win10v2004-20241007-en
General

Target:  DBDownloader.exe
Size:    823KB
MD5:     a3ccc65ae7d39d213250443588731af9
SHA1:    489b07237cf951faca46c6f525d9c436957347f2
SHA256:  75542249fc08f4392189a0807595f18580aa17487530bc5527bf928a0b78146c
SHA512:  c286e9aef914f008f31de8ce39c7861b8d26459a675d9a17dac80ab3db82e5d3edb04c4382c0c3ef2669a42a0c7867c7399d399d18d9cb154fa7f01111ef702f
SSDEEP:  24576:zJDclNQn4W0luDOmFwhdDh2TK+uLfplhyEXwC:tDvTVT94Rrx
Malware Config

Extracted: lumma
https://joyoushammen.cyou/api
Signatures

Lumma family

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process           procid_target
  PID 3108 set thread context of 3544  3108  DBDownloader.exe  84

Executes dropped EXE (1 IoC)
  pid   Process
  3108  DBDownloader.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  3108  DBDownloader.exe   (11 identical entries)

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DBDownloader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DBDownloader.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1324  DBDownloader.exe
  3108  DBDownloader.exe
  3108  DBDownloader.exe
  3544  cmd.exe
  3544  cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3108  DBDownloader.exe
  3544  cmd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process           procid_target
  PID 1324 wrote to memory of 3108  1324  DBDownloader.exe  83   (3 entries)
  PID 3108 wrote to memory of 3544  3108  DBDownloader.exe  84   (4 entries)
  PID 3544 wrote to memory of 2928  3544  cmd.exe           99   (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\DBDownloader.exe  (PID 1324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DBDownloader.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\DBDownloader.exe  (PID 3108, child of 1324)
    Command line: C:\Users\Admin\AppData\Roaming\PatchDownload_debugv5\DBDownloader.exe
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3544, child of 3108)
      Command line: C:\Windows\SysWOW64\cmd.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\explorer.exe  (PID 2928, child of 3544)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - System Location Discovery: System Language Discovery
Downloads