Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09/03/2025, 12:56
Static task
static1
Behavioral task
behavioral1
Sample
4296ecd38d9a8cd65807f5ce1b0637d0.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
4296ecd38d9a8cd65807f5ce1b0637d0.exe
Resource
win10v2004-20250217-en
General
-
Target
4296ecd38d9a8cd65807f5ce1b0637d0.exe
-
Size
3.0MB
-
MD5
4296ecd38d9a8cd65807f5ce1b0637d0
-
SHA1
83533f192f4f7a5b68729740c1684bd1358a31c6
-
SHA256
ac44c708da11f10caa75d4e0803b81a9e54ccb1cd503fbbda7a0f14355e968a6
-
SHA512
50489b9c5c9c6382c20304dd0c84316272ec714f8dbefc46313ceeb17f7e69158bf57c86aab3c2f51e9f87f8fd63a4b0adb61f59f97953a97c76555ba59eaa12
-
SSDEEP
49152:HOEByL0h2RyIwsl4hjwbX5euQIa2P6JHs6P:zByL0h2RyIwslqjwbX5euQIa2P0M
Malware Config
Extracted
lumma
https://0defaulemot.run/api
https://begindecafer.world/api
https://garagedrootz.top/api
https://modelshiverd.icu/api
https://arisechairedd.shop/api
https://catterjur.run/api
https://morangemyther.live/api
https://fostinjec.today/api
https://sterpickced.digital/api
Signatures
-
Lumma family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4296ecd38d9a8cd65807f5ce1b0637d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2848 2384 WerFault.exe 29 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2848 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe 31 PID 2384 wrote to memory of 2848 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe 31 PID 2384 wrote to memory of 2848 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe 31 PID 2384 wrote to memory of 2848 2384 4296ecd38d9a8cd65807f5ce1b0637d0.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\4296ecd38d9a8cd65807f5ce1b0637d0.exe"C:\Users\Admin\AppData\Local\Temp\4296ecd38d9a8cd65807f5ce1b0637d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 12082⤵
- Program crash
PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2