Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    74s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2024, 02:11

General

  • Target

    radmin.exe

  • Size

    232KB

  • MD5

    6b23b65c77bba099dde4dc05b1c13edf

  • SHA1

    a741b264e94873f3ce18cec6aefc3250aa87b7ac

  • SHA256

    a6c26b7a10e97636547172d24d97605eb3115d7df32fcc824501d3b483bd03f5

  • SHA512

    179debf3b2e43cbc059d597ea3db8583d21f2fd44920329e04b452071bac6fcb513fe77bb2c1554e7f6508dcb3c4e1e0773f2e756d824cd1fbead5ac90b9759d

  • SSDEEP

    6144:aloZMmrIkd8g+EtXHkv/iD4saBTbhS6FuAxDeebdTb8e1mJi:koZ1L+EP8saBTbhS6FuAxDeebtT

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\radmin.exe
    "C:\Users\Admin\AppData\Local\Temp\radmin.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3080
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1984-0-0x00000297AE740000-0x00000297AE780000-memory.dmp

      Filesize

      256KB

    • memory/1984-2-0x00000297C8CF0000-0x00000297C8D00000-memory.dmp

      Filesize

      64KB

    • memory/1984-1-0x00007FF9FED20000-0x00007FF9FF7E1000-memory.dmp

      Filesize

      10.8MB

    • memory/1984-4-0x00007FF9FED20000-0x00007FF9FF7E1000-memory.dmp

      Filesize

      10.8MB

    • memory/3080-5-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-6-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-7-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-11-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-12-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-13-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-15-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-14-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-17-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB

    • memory/3080-16-0x0000020FB71B0000-0x0000020FB71B1000-memory.dmp

      Filesize

      4KB