Analysis

max time kernel:   118s
max time network:  121s
platform:          windows7_x64
resource:          win7-20231215-en
resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted:         09/02/2024, 01:50
Behavioral task: behavioral1

Sample:     33a73b48fbde2377819328b284eaf73a.exe
Resource:   win7-20231215-en
Signatures: 4
Run time:   150 seconds
General

Target:  33a73b48fbde2377819328b284eaf73a.exe
Size:    229KB
MD5:     33a73b48fbde2377819328b284eaf73a
SHA1:    1ea5c34871101d51ece1d4e4f15e1aa5b092ef68
SHA256:  93710f9d8ee999fa3adc45cf8770dfa953637726d7c4ad9cd7cc7eba6df23aa6
SHA512:  6670f3c80f9f56e7a3550c7362d6d674452a01874258476405394afaaaaa854bf225f89ad9d365285b3adcbce2ed12ed9eec54b66890b2af00fb4810d946362e
SSDEEP:  6144:lloZM+rIkd8g+EtXHkv/iD41xdClE8e1m1i:noZtL+EP8sYB
Malware Config
Signatures

Detect Umbral payload (2 IoCs)

resource     yara_rule
behavioral1/memory/2240-0-0x0000000001220000-0x0000000001260000-memory.dmp    family_umbral
behavioral1/memory/2240-2-0x0000000000B90000-0x0000000000C10000-memory.dmp    family_umbral

Suspicious use of AdjustPrivilegeToken (41 IoCs)

description                              pid   Process
Token: SeDebugPrivilege                  2240  33a73b48fbde2377819328b284eaf73a.exe
Token: SeIncreaseQuotaPrivilege          2860  wmic.exe
Token: SeSecurityPrivilege               2860  wmic.exe
Token: SeTakeOwnershipPrivilege          2860  wmic.exe
Token: SeLoadDriverPrivilege             2860  wmic.exe
Token: SeSystemProfilePrivilege          2860  wmic.exe
Token: SeSystemtimePrivilege             2860  wmic.exe
Token: SeProfSingleProcessPrivilege      2860  wmic.exe
Token: SeIncBasePriorityPrivilege        2860  wmic.exe
Token: SeCreatePagefilePrivilege         2860  wmic.exe
Token: SeBackupPrivilege                 2860  wmic.exe
Token: SeRestorePrivilege                2860  wmic.exe
Token: SeShutdownPrivilege               2860  wmic.exe
Token: SeDebugPrivilege                  2860  wmic.exe
Token: SeSystemEnvironmentPrivilege      2860  wmic.exe
Token: SeRemoteShutdownPrivilege         2860  wmic.exe
Token: SeUndockPrivilege                 2860  wmic.exe
Token: SeManageVolumePrivilege           2860  wmic.exe
Token: 33                                2860  wmic.exe
Token: 34                                2860  wmic.exe
Token: 35                                2860  wmic.exe
Token: SeIncreaseQuotaPrivilege          2860  wmic.exe
Token: SeSecurityPrivilege               2860  wmic.exe
Token: SeTakeOwnershipPrivilege          2860  wmic.exe
Token: SeLoadDriverPrivilege             2860  wmic.exe
Token: SeSystemProfilePrivilege          2860  wmic.exe
Token: SeSystemtimePrivilege             2860  wmic.exe
Token: SeProfSingleProcessPrivilege      2860  wmic.exe
Token: SeIncBasePriorityPrivilege        2860  wmic.exe
Token: SeCreatePagefilePrivilege         2860  wmic.exe
Token: SeBackupPrivilege                 2860  wmic.exe
Token: SeRestorePrivilege                2860  wmic.exe
Token: SeShutdownPrivilege               2860  wmic.exe
Token: SeDebugPrivilege                  2860  wmic.exe
Token: SeSystemEnvironmentPrivilege      2860  wmic.exe
Token: SeRemoteShutdownPrivilege         2860  wmic.exe
Token: SeUndockPrivilege                 2860  wmic.exe
Token: SeManageVolumePrivilege           2860  wmic.exe
Token: 33                                2860  wmic.exe
Token: 34                                2860  wmic.exe
Token: 35                                2860  wmic.exe

Suspicious use of WriteProcessMemory (3 IoCs)

description                      pid   Process                                procid_target
PID 2240 wrote to memory of 2860 2240  33a73b48fbde2377819328b284eaf73a.exe  28
PID 2240 wrote to memory of 2860 2240  33a73b48fbde2377819328b284eaf73a.exe  28
PID 2240 wrote to memory of 2860 2240  33a73b48fbde2377819328b284eaf73a.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\33a73b48fbde2377819328b284eaf73a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33a73b48fbde2377819328b284eaf73a.exe"
   PID: 2240
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\Wbem\wmic.exe (child of PID 2240)
      Command line: "wmic.exe" csproduct get uuid
      PID: 2860
      - Suspicious use of AdjustPrivilegeToken