Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    124s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2025, 03:00

General

  • Target

    eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe

  • Size

    448KB

  • MD5

    69a831d62d8eb89c3327538d23ea3532

  • SHA1

    c0364914fffa90df86357489802599401b0712ec

  • SHA256

    eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8

  • SHA512

    21c3ca6b26bad70dff7e8c6dd26cdf89d0e311bcb6315505fc7ba068625ba8b4452dcd9ba3c714f68de7de5ed369e27b25e82438ad66fb327f1839c34a2a3877

  • SSDEEP

    12288:tgmuiWCFstIScxuwu0iFsb9FYz6eEUFuYUgZ1jVDSFQx+:7uilFstIZMYiM923UgnDSFQx+

Malware Config

Extracted

Family

lumma

Extracted

Family

xworm

Version

3.1

Mutex

aC2Uqwxt1JZnqhmD

Attributes
  • Install_directory

    %Port%

  • install_file

    explorer.exe

  • pastebin_url

    https://pastebin.com/raw/jkeHBv0w

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\eb050d5609042b0b8171889b6a34aadccab431c389e2d33a8e57afd332f69ac8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\Rimess.exe
      "C:\Users\Admin\AppData\Local\Temp\Rimess.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Rimess.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\System32\Rimess.exe
        "C:\Windows\System32\Rimess.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
    • C:\Users\Admin\AppData\Local\Temp\Nexol.exe
      "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        3⤵
        • Executes dropped EXE
        PID:2868
      • C:\Users\Admin\AppData\Local\Temp\Nexol.exe
        "C:\Users\Admin\AppData\Local\Temp\Nexol.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2888
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 524
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Nexol.exe

    Filesize

    386KB

    MD5

    43aea8e19d79356c18c710a09c4cf39c

    SHA1

    dc8e264847d5607fab57a0ba50c2f71dfd1276f0

    SHA256

    9e9b5607d547d627e16c25511e0538f1ceb5f1c9c3e819d5653f8bea1081b0b2

    SHA512

    a3f1a4c342bce7b344a1177217ce593e291cb0ae37c6371b2b45aab58ed301c555a9fac285119fdcc17c9087b6eec9dba0d9b5f7225757c4fcd19a20054d3e60

  • C:\Users\Admin\AppData\Local\Temp\Rimess.exe

    Filesize

    29KB

    MD5

    a9ea8b23eb527c0a03541d5f85ec8205

    SHA1

    49d3357d63f633dd3f85e0b651e230c9b3d496a1

    SHA256

    41ba6c9a22b82e964837b99b974f6be09009d6f0dfdf32733a1380657ff84e0a

    SHA512

    9aa39d7f53764080461142ab64c20d75e6a6f62f76c0acee9347341e45ef5217f4bf113671e088eca4dc312bef74b6278adea44fb590ad5abf98d1fa3b800d1a

  • C:\Windows\System32\Rimess.exe

    Filesize

    30KB

    MD5

    76cdbd5ca528f810989e4ccaf2f41a37

    SHA1

    5082ddba41cfebd186f246ce60b01d7c8a0ba469

    SHA256

    d33db6a622c58b135f7a7bc5308751687b656cc7006d6d289c8b55292212bde2

    SHA512

    0c94936a9140da807d20a4a6bfeb2778e7d72081427394a689a6c9140d49ce767044a174e99a686a6e54985028af6694b3489616cb799a04ef5b1c590ee68208

  • memory/1964-1-0x0000000000130000-0x00000000001A6000-memory.dmp

    Filesize

    472KB

  • memory/1964-14-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

    Filesize

    9.9MB

  • memory/1964-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

    Filesize

    4KB

  • memory/2160-51-0x00000000002E0000-0x00000000002EE000-memory.dmp

    Filesize

    56KB

  • memory/2548-13-0x0000000000B10000-0x0000000000B1E000-memory.dmp

    Filesize

    56KB

  • memory/2548-50-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2548-16-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2644-43-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

  • memory/2644-42-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/2888-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2888-23-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-32-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-21-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-27-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-29-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-34-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2888-25-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/2940-15-0x0000000000CD0000-0x0000000000D32000-memory.dmp

    Filesize

    392KB