Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1s -
max time network
14s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
05/02/2024, 10:00 UTC
Behavioral task
behavioral1
Sample
Umbral.exe
Resource
win7-20231215-en
4 signatures
300 seconds
Behavioral task
behavioral2
Sample
Umbral.exe
Resource
win10-20231215-en
4 signatures
300 seconds
Behavioral task
behavioral3
Sample
Umbral.exe
Resource
win10v2004-20231215-en
4 signatures
300 seconds
General
-
Target
Umbral.exe
-
Size
231KB
-
MD5
2bd5664afed4d5821041e61b19f55a30
-
SHA1
8d0f1ea431c0e00b39898a05f4ae37ac55800703
-
SHA256
5e0dce9978369a90f9380c4630f79b2801dd0251f699bee7d7b85f43c51f027e
-
SHA512
991066a886a2fd36246d1fe88a7c62cb6672a7c8821c94a4b1c8df650968a39aa0f1519451d569b9b478a30cd3465fda32da69816b5ce86bd95ccd9a7d781fe7
-
SSDEEP
6144:RloZM+rIkd8g+EtXHkv/iD4+B/RkqNlOcLWU1pAN8b8e1mKi:joZtL+EP8+B/RkqNlOcLWU1pAa4
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral4/memory/2792-0-0x00000148FBCE0000-0x00000148FBD20000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 2792 Umbral.exe Token: SeIncreaseQuotaPrivilege 1784 wmic.exe Token: SeSecurityPrivilege 1784 wmic.exe Token: SeTakeOwnershipPrivilege 1784 wmic.exe Token: SeLoadDriverPrivilege 1784 wmic.exe Token: SeSystemProfilePrivilege 1784 wmic.exe Token: SeSystemtimePrivilege 1784 wmic.exe Token: SeProfSingleProcessPrivilege 1784 wmic.exe Token: SeIncBasePriorityPrivilege 1784 wmic.exe Token: SeCreatePagefilePrivilege 1784 wmic.exe Token: SeBackupPrivilege 1784 wmic.exe Token: SeRestorePrivilege 1784 wmic.exe Token: SeShutdownPrivilege 1784 wmic.exe Token: SeDebugPrivilege 1784 wmic.exe Token: SeSystemEnvironmentPrivilege 1784 wmic.exe Token: SeRemoteShutdownPrivilege 1784 wmic.exe Token: SeUndockPrivilege 1784 wmic.exe Token: SeManageVolumePrivilege 1784 wmic.exe Token: 33 1784 wmic.exe Token: 34 1784 wmic.exe Token: 35 1784 wmic.exe Token: 36 1784 wmic.exe Token: SeIncreaseQuotaPrivilege 1784 wmic.exe Token: SeSecurityPrivilege 1784 wmic.exe Token: SeTakeOwnershipPrivilege 1784 wmic.exe Token: SeLoadDriverPrivilege 1784 wmic.exe Token: SeSystemProfilePrivilege 1784 wmic.exe Token: SeSystemtimePrivilege 1784 wmic.exe Token: SeProfSingleProcessPrivilege 1784 wmic.exe Token: SeIncBasePriorityPrivilege 1784 wmic.exe Token: SeCreatePagefilePrivilege 1784 wmic.exe Token: SeBackupPrivilege 1784 wmic.exe Token: SeRestorePrivilege 1784 wmic.exe Token: SeShutdownPrivilege 1784 wmic.exe Token: SeDebugPrivilege 1784 wmic.exe Token: SeSystemEnvironmentPrivilege 1784 wmic.exe Token: SeRemoteShutdownPrivilege 1784 wmic.exe Token: SeUndockPrivilege 1784 wmic.exe Token: SeManageVolumePrivilege 1784 wmic.exe Token: 33 1784 wmic.exe Token: 34 1784 wmic.exe Token: 35 1784 wmic.exe Token: 36 1784 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2792 wrote to memory of 1784 2792 Umbral.exe 78 PID 2792 wrote to memory of 1784 2792 Umbral.exe 78
Processes
Network
-
Remote address:8.8.8.8:53Requestgstatic.comIN AResponsegstatic.comIN A142.250.200.35
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request35.200.250.142.in-addr.arpaIN PTRResponse35.200.250.142.in-addr.arpaIN PTRlhr48s30-in-f31e100net