Analysis

- max time kernel: 74s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/02/2024, 02:11
Behavioral task

- behavioral1
- Sample: radmin.exe
- Resource: win7-20231215-en
- 8 signatures
- 150 seconds
General

- Target: radmin.exe
- Size: 232KB
- MD5: 6b23b65c77bba099dde4dc05b1c13edf
- SHA1: a741b264e94873f3ce18cec6aefc3250aa87b7ac
- SHA256: a6c26b7a10e97636547172d24d97605eb3115d7df32fcc824501d3b483bd03f5
- SHA512: 179debf3b2e43cbc059d597ea3db8583d21f2fd44920329e04b452071bac6fcb513fe77bb2c1554e7f6508dcb3c4e1e0773f2e756d824cd1fbead5ac90b9759d
- SSDEEP: 6144:aloZMmrIkd8g+EtXHkv/iD4saBTbhS6FuAxDeebdTb8e1mJi:koZ1L+EP8saBTbhS6FuAxDeebtT
Malware Config
Signatures

- Detect Umbral payload (1 IoC)
  resource: behavioral2/memory/1984-0-0x00000297AE740000-0x00000297AE780000-memory.dmp
  yara_rule: family_umbral

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | taskmgr.exe

- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  pid | Process
  3080 | taskmgr.exe (all 36 IoCs refer to this process)

- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1984 | radmin.exe
  The following 21 tokens were each recorded twice for pid 4236 wmic.exe (42 IoCs):
  Token: SeIncreaseQuotaPrivilege | 4236 | wmic.exe
  Token: SeSecurityPrivilege | 4236 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 4236 | wmic.exe
  Token: SeLoadDriverPrivilege | 4236 | wmic.exe
  Token: SeSystemProfilePrivilege | 4236 | wmic.exe
  Token: SeSystemtimePrivilege | 4236 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 4236 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 4236 | wmic.exe
  Token: SeCreatePagefilePrivilege | 4236 | wmic.exe
  Token: SeBackupPrivilege | 4236 | wmic.exe
  Token: SeRestorePrivilege | 4236 | wmic.exe
  Token: SeShutdownPrivilege | 4236 | wmic.exe
  Token: SeDebugPrivilege | 4236 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 4236 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 4236 | wmic.exe
  Token: SeUndockPrivilege | 4236 | wmic.exe
  Token: SeManageVolumePrivilege | 4236 | wmic.exe
  Token: 33 | 4236 | wmic.exe
  Token: 34 | 4236 | wmic.exe
  Token: 35 | 4236 | wmic.exe
  Token: 36 | 4236 | wmic.exe
  Token: SeDebugPrivilege | 3080 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3080 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3080 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (47 IoCs)
  pid | Process
  3080 | taskmgr.exe (all 47 IoCs refer to this process)

- Suspicious use of SendNotifyMessage (47 IoCs)
  pid | Process
  3080 | taskmgr.exe (all 47 IoCs refer to this process)

- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 1984 wrote to memory of 4236 | 1984 | radmin.exe | 91
  PID 1984 wrote to memory of 4236 | 1984 | radmin.exe | 91
Processes

- C:\Users\Admin\AppData\Local\Temp\radmin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\radmin.exe"
  PID: 1984
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    PID: 4236
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3080
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3100