Analysis

  • max time kernel
    98s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/10/2023, 13:27

General

  • Target

    http://tria.ge

Score
7/10

Malware Config

Signatures

  • Obfuscated with Agile.Net obfuscator 8 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://tria.ge
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe84929758,0x7ffe84929768,0x7ffe84929778
      2⤵
      PID:4152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:2
      2⤵
      PID:2984
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:3852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:3708
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:1
      2⤵
      PID:3024
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:1
      2⤵
      PID:2768
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4464 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:1
      2⤵
      PID:4320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:4440
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5212 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:1
      2⤵
      PID:940
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:3928
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5472 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:1
      2⤵
      PID:2712
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:4164
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 --field-trial-handle=1684,i,6183724766316115387,8835827071572518339,131072 /prefetch:8
      2⤵
      PID:1928
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:5084
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:416
  • C:\Users\Admin\Desktop\asd\Umbral.builder.exe
    "C:\Users\Admin\Desktop\asd\Umbral.builder.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2216
  • C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
    1⤵
    PID:1360

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 7f4ba3319ca96750fcf45ffdbfe44bf2
    SHA1: 13aad6a0ca80d3518d7632effd0a605e6448fb72
    SHA256: 428ac2d689dd5e8fffdef8eb98d32342c1837b9d51a7ed7d7520a4d3e1e10a89
    SHA512: d47867cb3d23166b1b633921cef6b803e76c252ce7a85f535c337324bbae8e8cb21002f6ee07c48270993cb715e7edb0e0a33887d4999b97946b556c76f8b489
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
    Filesize: 264KB
    MD5: a16479de436252b32cbd7cdb8b732c02
    SHA1: d3ed76528ab3395ea614c1ee8d38999a90625f03
    SHA256: a8633ff0b31b796725001a56093c7bd0461f7508db8c2602ce2ebbdce1a658af
    SHA512: 516d57da9b682207ddd53c90f40e3f2c35e7e601f00b349a9a296387151b77ca35a144d931fa628399b0cd2641743f9de23822502a125a5c6b9879f3fdf4a01d
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
    Filesize: 2KB
    MD5: 5620268f2aa32738fde251873f90a4fe
    SHA1: 38556b5b44868b8751eb256c7f9881a631eade4c
    SHA256: 31eb3d9fb80a3235650923f9874c5cd1055f77438c86da8f927a37f92f452f25
    SHA512: ac70dc703ebbb995c2a964b6582e0559b8b4d15763e7750fd79c54b1ec69b5cfd34d64f76eacdaa9954c85d456e2b712b489e0b975df8ebdacb8fdad7fc41bac
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 539B
    MD5: df09487b2bea389fa37d21527b7e14c5
    SHA1: 1ae97ff3dc73e0e2626f7a43a9d3118c28c00fb6
    SHA256: 57d6a872f3a25816de3ea3d21486c06a8fdd1f2a9033ce9fb709f41747f0d8e6
    SHA512: 485129831699b3c9b03e84cf6702324bb7831a1f30a48cc79ba455dc4f79be1f4f9168784001187a8a61fb2fc4a26fb3788ded37a507fb8e89861b2caab5679e
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 1KB
    MD5: dcaa1b8892df0e7789f08834c0ab6beb
    SHA1: 435bddf320a49916a8ae2dd5e320e2c1b8fbaae2
    SHA256: d5fc4e26629de36e5ccee1b8c805ac62559ac08792b0734362b7babe20adfc10
    SHA512: 2487b51f9c30e290544efb384a98ae3eea9e11263be83515225b7a6cede7aac94a9645db909aa095bf72f7150c33dae09d6d5b78ef35d578b99b5f0c7f5ecf28
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
    Filesize: 1KB
    MD5: 38a8d20e2d6b4b120156ee7d96a13c8f
    SHA1: 021329bfe7e9807c9f13f073626e07db839ae3cf
    SHA256: 160b10ac2254d63dd84ae169b468450442facae6684c0be58252049a79592df4
    SHA512: b3226d1583892de898ba492eeb54407bdf8bcb8c0f39499a9c20786c23e25af45c96c778ab54b15e42b7b2b84606b63849f556c0bc7e499e1528342c127f4510
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 7KB
    MD5: 910f519f7232087b1b3af3a54e22dc0a
    SHA1: 1f9754ac55f3a14ca901c9bfa327fc6b39ed1a67
    SHA256: 235b7f2d63c0fa4688478973f7117b97f66576aea585047dc8aa89697673b23f
    SHA512: 39bad1d0bd79a48135e6055ca7aea8f072f7744b837e5b3ffdb46895617c21eb1b08b785e33fe7817d0c356dd1d1b93acb70ac47712b1c4ba27fb8c4332ab191
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 3f50d498f1c52d494ce51db8d8965802
    SHA1: 3c0e6d21225a09162fc3854254e67813d274800e
    SHA256: ef4d33acae1e35e937c11764833cf4f2c07fdfa8d2152b8e52ce3b07c11f3413
    SHA512: dd356a42144ba456d9a4f55eb98f1e110d15330113dd703b547af4799fac688323db538d0056910e61b7e547853ca519e23f3f0ca72c08bea21ab63c926b0c26
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 1193528b642f2a4d0ae7e93fc983685f
    SHA1: e90136b265df87ae1bc18b2af387f8bacab99bd4
    SHA256: cfff1250c8ad47b218d74fbac03cc9ca0020deaf298b48c69d5e4f4816590576
    SHA512: 7a344b4d7691d14842a4f104639b79f8c88b4f8a065cbe4ce09f92e9abab873a0114dd55d1b60fe238b5125bf77253fbf12a9a5bb6c445738c804494cd2ac2dd
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 101KB
    MD5: 1464fa92cf86277e39703f1052b956cd
    SHA1: ea98c79a39d8552f5e92ecd102fa08bdf3cd364e
    SHA256: 1ee64e580f25ac672cda710510f0d8833ee5400bc3e71cdb8fdbf652ea6f6a09
    SHA512: f20e70651f05a3bed2135655ac3d074f35af652171a16c857b46d374e63965309460c6372f1e550008e6aa7e73aa9c3e6360c17094ac0ffe78c0468097256b97
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 101KB
    MD5: 9c522e26df1ff0f68f17a8db2f531fc3
    SHA1: cfb2b8dfa28b2210be3c7eaa559f9dd6157bdcc5
    SHA256: 762901cd585ded5e5c251ab5cd64371ee3a83b0213783acf0e997aa3ee7f84e9
    SHA512: e914ccc997d78c315186e2edeb5cf1f630ce335fc2f90cdec171d804c65045f7f08231c02e422ed6c36a22a5bb979c8204b23548a597c0737495ece4c768a64b
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
  • C:\Users\Admin\Downloads\Umbral.Stealer.zip
    Filesize: 3.3MB
    MD5: f355889db3ff6bae624f80f41a52e619
    SHA1: 47f7916272a81d313e70808270c3c351207b890f
    SHA256: 8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0
    SHA512: bff7636f6cc0fadfd6f027e2ebda9e80fd5c64d551b2c666929b2d990509af73b082d739f14bb1497be292eafe703ebd5d7188493e2cc34b73d249fe901820eb
  • memory/2216-368-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB
  • memory/2216-375-0x0000015235F50000-0x0000015235F6E000-memory.dmp
    Filesize: 120KB
  • memory/2216-366-0x000001521B8B0000-0x000001521B8D2000-memory.dmp
    Filesize: 136KB
  • memory/2216-369-0x0000015235DE0000-0x0000015235E00000-memory.dmp
    Filesize: 128KB
  • memory/2216-370-0x0000015235E00000-0x0000015235E20000-memory.dmp
    Filesize: 128KB
  • memory/2216-371-0x0000015235FC0000-0x000001523602E000-memory.dmp
    Filesize: 440KB
  • memory/2216-372-0x0000015235DC0000-0x0000015235DCE000-memory.dmp
    Filesize: 56KB
  • memory/2216-373-0x0000015236030000-0x000001523608A000-memory.dmp
    Filesize: 360KB
  • memory/2216-374-0x0000015235F20000-0x0000015235F30000-memory.dmp
    Filesize: 64KB
  • memory/2216-367-0x00007FFE73BF0000-0x00007FFE746B1000-memory.dmp
    Filesize: 10.8MB
  • memory/2216-376-0x00000152361E0000-0x000001523632A000-memory.dmp
    Filesize: 1.3MB
  • memory/2216-377-0x0000015236330000-0x0000015236446000-memory.dmp
    Filesize: 1.1MB
  • memory/2216-378-0x0000015235F70000-0x0000015235FA0000-memory.dmp
    Filesize: 192KB
  • memory/2216-379-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB
  • memory/2216-380-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB
  • memory/2216-381-0x00007FFE73BF0000-0x00007FFE746B1000-memory.dmp
    Filesize: 10.8MB
  • memory/2216-382-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB
  • memory/2216-383-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB
  • memory/2216-384-0x000001521D570000-0x000001521D580000-memory.dmp
    Filesize: 64KB