Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
09/03/2025, 12:56
General
-
Target
4296ecd38d9a8cd65807f5ce1b0637d0.exe
-
Size
3.0MB
-
MD5
4296ecd38d9a8cd65807f5ce1b0637d0
-
SHA1
83533f192f4f7a5b68729740c1684bd1358a31c6
-
SHA256
ac44c708da11f10caa75d4e0803b81a9e54ccb1cd503fbbda7a0f14355e968a6
-
SHA512
50489b9c5c9c6382c20304dd0c84316272ec714f8dbefc46313ceeb17f7e69158bf57c86aab3c2f51e9f87f8fd63a4b0adb61f59f97953a97c76555ba59eaa12
-
SSDEEP
49152:HOEByL0h2RyIwsl4hjwbX5euQIa2P6JHs6P:zByL0h2RyIwslqjwbX5euQIa2P0M
Malware Config
Extracted
lumma
https://0defaulemot.run/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://morangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4296ecd38d9a8cd65807f5ce1b0637d0.exe"C:\Users\Admin\AppData\Local\Temp\4296ecd38d9a8cd65807f5ce1b0637d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 12082⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
380KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
380KB