Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
126s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
07/12/2023, 03:22
General
-
Target
RC7/RC7.exe
-
Size
160KB
-
MD5
40e89aaf41d4ebda079572167d4665e7
-
SHA1
c14a019a862aa3f595da7d15cc993f4f894d10a5
-
SHA256
95388dfe045e7e976186c3ab0286ed8aa77bdb299c867f8c3e46f23ff7624a4d
-
SHA512
035996ef789c0dc972265ec04652d01e1a530e61d4dfdd3fadc6e502a46b054e2b88fd5347d63deba491924b67c466996208f33f9a5019eb60923445551ce554
-
SSDEEP
3072:Vjt4sK0uoEz8jh6oKyIPw+lV59i/XvGO0EFA0K+ymEN4NI:VjysKJ8cNP779Wvwc19yx
Malware Config
Extracted
xworm
owner-cc.gl.at.ply.gg:32281
-
install_file
USB.exe
Extracted
umbral
https://discord.com/api/webhooks/1179573880306806895/9PPafRuKqunRXMBgRp7lwh-lO7PV6gpu6bih39np__mk8ZAghkJ95dBDKUvofe3l-iRe
Signatures
-
Detect Umbral payload 3 IoCs
-
Detect Xworm Payload 3 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Executes dropped EXE 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RC7\RC7.exe"C:\Users\Admin\AppData\Local\Temp\RC7\RC7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD55c04d1b604c881ae86da044c2d16b8b2
SHA1c9f98d064e8284a51d43d72c15211fdd6edee1c8
SHA2565b0ae3b59dcfbdf94878f652d328c12b61b0783082046815bc6d01fecd8fd769
SHA512d156d5cab74668e2899aaced344d6d4e8e89eaaa6936c8378f89126747543f063066dd6c91e39203cbad0dfc9027aef5853775cef47751b669de6336d97223d6
-
Filesize
231KB
MD55c04d1b604c881ae86da044c2d16b8b2
SHA1c9f98d064e8284a51d43d72c15211fdd6edee1c8
SHA2565b0ae3b59dcfbdf94878f652d328c12b61b0783082046815bc6d01fecd8fd769
SHA512d156d5cab74668e2899aaced344d6d4e8e89eaaa6936c8378f89126747543f063066dd6c91e39203cbad0dfc9027aef5853775cef47751b669de6336d97223d6
-
Filesize
60KB
MD5fd41a98611978677f1adc60f86383ea0
SHA1200cfd48d7f7d28cff9c177cdd804e6fd578c015
SHA256ffc549f9e84b6ecaa96e1cb49c18a8bdd89d536e0556962c88995967009cdc3d
SHA51287a0d544d9b1dd2b53d40cd54d2c6955927dc287d2cf557eb50f408c3e6002efdac3ecbe908b49bf153bb9276d23e3e459bbaa502167cc52a63ae08a40251270
-
Filesize
60KB
MD5fd41a98611978677f1adc60f86383ea0
SHA1200cfd48d7f7d28cff9c177cdd804e6fd578c015
SHA256ffc549f9e84b6ecaa96e1cb49c18a8bdd89d536e0556962c88995967009cdc3d
SHA51287a0d544d9b1dd2b53d40cd54d2c6955927dc287d2cf557eb50f408c3e6002efdac3ecbe908b49bf153bb9276d23e3e459bbaa502167cc52a63ae08a40251270
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
184KB
-
Filesize
64KB