Resubmissions
25/11/2023, 12:15 - 231125-pe82qsae24 - 10
25/11/2023, 12:14 - 231125-pedwlaad98 - 10
25/11/2023, 11:56 - 231125-n316csba21 - 10

Analysis
max time kernel: 142s
max time network: 269s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/11/2023, 11:56
Behavioral task: behavioral1
Sample: Zul Free.exe
Resource: win7-20231020-en
8 signatures
300 seconds
General
Target: Zul Free.exe
Size: 230KB
MD5: a47cffac2602038b4cfc070f8a05243a
SHA1: 4111453f445d10ef516e98a000cc84845658dabe
SHA256: 29456c78a229429c66b4ce8997c9bb6593ad9b4e8928e094eb25caf4a7ee0e40
SHA512: e390d7c96e2b5b2cad52b80c276787cb37d7ca3a171868037c1f1ef9e58177baa9e07f8866e0a95560ee9e0af0a38ba218f9feeaf1f19d77915f9e5c08d4070d
SSDEEP: 6144:1loZM+rIkd8g+EtXHkv/iD4tT1FzQEbqCzFQMpxbztjFK8e1mOvi:XoZtL+EP8tT1FzQEbqCzFQMpVpjy0
Malware Config

Signatures

Detect Umbral payload (1 IoC)
resource | yara_rule
behavioral2/memory/1988-0-0x000001D705800000-0x000001D705840000-memory.dmp | family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1988 | Zul Free.exe
Token: SeIncreaseQuotaPrivilege | 1952 | wmic.exe
Token: SeSecurityPrivilege | 1952 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1952 | wmic.exe
Token: SeLoadDriverPrivilege | 1952 | wmic.exe
Token: SeSystemProfilePrivilege | 1952 | wmic.exe
Token: SeSystemtimePrivilege | 1952 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1952 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1952 | wmic.exe
Token: SeCreatePagefilePrivilege | 1952 | wmic.exe
Token: SeBackupPrivilege | 1952 | wmic.exe
Token: SeRestorePrivilege | 1952 | wmic.exe
Token: SeShutdownPrivilege | 1952 | wmic.exe
Token: SeDebugPrivilege | 1952 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1952 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1952 | wmic.exe
Token: SeUndockPrivilege | 1952 | wmic.exe
Token: SeManageVolumePrivilege | 1952 | wmic.exe
Token: 33 | 1952 | wmic.exe
Token: 34 | 1952 | wmic.exe
Token: 35 | 1952 | wmic.exe
Token: 36 | 1952 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 1952 | wmic.exe
Token: SeSecurityPrivilege | 1952 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1952 | wmic.exe
Token: SeLoadDriverPrivilege | 1952 | wmic.exe
Token: SeSystemProfilePrivilege | 1952 | wmic.exe
Token: SeSystemtimePrivilege | 1952 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1952 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1952 | wmic.exe
Token: SeCreatePagefilePrivilege | 1952 | wmic.exe
Token: SeBackupPrivilege | 1952 | wmic.exe
Token: SeRestorePrivilege | 1952 | wmic.exe
Token: SeShutdownPrivilege | 1952 | wmic.exe
Token: SeDebugPrivilege | 1952 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1952 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1952 | wmic.exe
Token: SeUndockPrivilege | 1952 | wmic.exe
Token: SeManageVolumePrivilege | 1952 | wmic.exe
Token: 33 | 1952 | wmic.exe
Token: 34 | 1952 | wmic.exe
Token: 35 | 1952 | wmic.exe
Token: 36 | 1952 | wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 1988 wrote to memory of 1952 | 1988 | Zul Free.exe | 85
PID 1988 wrote to memory of 1952 | 1988 | Zul Free.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\Zul Free.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Zul Free.exe"
  PID: 1988
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (child of PID 1988)
    command line: "wmic.exe" csproduct get uuid
    PID: 1952
    - Suspicious use of AdjustPrivilegeToken