Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
06/02/2024, 19:54
Behavioral task
behavioral1
Sample
ExumNOVA (1).exe
Resource
win7-20231215-en
4 signatures
150 seconds
General
-
Target
ExumNOVA (1).exe
-
Size
228KB
-
MD5
f3d936c9efade8ccd0a43ba19ee3ad80
-
SHA1
5aafc1994763497e589203d08c727cdbf481a474
-
SHA256
685aea80db0fd039accee42b17bb7110e3c26529f361dac85f2a6d751982ce89
-
SHA512
b81fa072dc5c0ad1cf08dfcf4d81984d1430f0dbf595d736d0b51249fb302229f116feb908f78e329d0cff5b81b0d517457f4b92c46dcdb0d552a78143c24f55
-
SSDEEP
6144:uloZMzrIkd8g+EtXHkv/iD4Nhi9fVeGJlMFXSy3g2b8e1mWi:4oZcL+EP8Nhi9fVeGJlMFXSy3/o
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
resource yara_rule behavioral1/memory/3004-0-0x0000000000390000-0x00000000003D0000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 3004 ExumNOVA (1).exe Token: SeIncreaseQuotaPrivilege 3064 wmic.exe Token: SeSecurityPrivilege 3064 wmic.exe Token: SeTakeOwnershipPrivilege 3064 wmic.exe Token: SeLoadDriverPrivilege 3064 wmic.exe Token: SeSystemProfilePrivilege 3064 wmic.exe Token: SeSystemtimePrivilege 3064 wmic.exe Token: SeProfSingleProcessPrivilege 3064 wmic.exe Token: SeIncBasePriorityPrivilege 3064 wmic.exe Token: SeCreatePagefilePrivilege 3064 wmic.exe Token: SeBackupPrivilege 3064 wmic.exe Token: SeRestorePrivilege 3064 wmic.exe Token: SeShutdownPrivilege 3064 wmic.exe Token: SeDebugPrivilege 3064 wmic.exe Token: SeSystemEnvironmentPrivilege 3064 wmic.exe Token: SeRemoteShutdownPrivilege 3064 wmic.exe Token: SeUndockPrivilege 3064 wmic.exe Token: SeManageVolumePrivilege 3064 wmic.exe Token: 33 3064 wmic.exe Token: 34 3064 wmic.exe Token: 35 3064 wmic.exe Token: SeIncreaseQuotaPrivilege 3064 wmic.exe Token: SeSecurityPrivilege 3064 wmic.exe Token: SeTakeOwnershipPrivilege 3064 wmic.exe Token: SeLoadDriverPrivilege 3064 wmic.exe Token: SeSystemProfilePrivilege 3064 wmic.exe Token: SeSystemtimePrivilege 3064 wmic.exe Token: SeProfSingleProcessPrivilege 3064 wmic.exe Token: SeIncBasePriorityPrivilege 3064 wmic.exe Token: SeCreatePagefilePrivilege 3064 wmic.exe Token: SeBackupPrivilege 3064 wmic.exe Token: SeRestorePrivilege 3064 wmic.exe Token: SeShutdownPrivilege 3064 wmic.exe Token: SeDebugPrivilege 3064 wmic.exe Token: SeSystemEnvironmentPrivilege 3064 wmic.exe Token: SeRemoteShutdownPrivilege 3064 wmic.exe Token: SeUndockPrivilege 3064 wmic.exe Token: SeManageVolumePrivilege 3064 wmic.exe Token: 33 3064 wmic.exe Token: 34 3064 wmic.exe Token: 35 3064 wmic.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3004 wrote to memory of 3064 3004 ExumNOVA (1).exe 28 PID 3004 wrote to memory of 3064 3004 ExumNOVA (1).exe 28 PID 3004 wrote to memory of 3064 3004 ExumNOVA (1).exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\ExumNOVA (1).exe"C:\Users\Admin\AppData\Local\Temp\ExumNOVA (1).exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064
-