Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

09/02/2024, 20:44

240209-zjjbzsed4y 10

09/02/2024, 20:43

240209-zhst2aed4t 10

Analysis

  • max time kernel
    190s
  • max time network
    258s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags

    arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/02/2024, 20:44

General

  • Target

    Celestial.exe

  • Size

    266KB

  • MD5

    deb95e476943219d9fccc87505cc740e

  • SHA1

    be4325870bc9e8fe0e8233487287dd3569124bd5

  • SHA256

    626e632e710f71661c007726e0195c4e60e1c7366f474c3d22a11e6b9fbfa1d8

  • SHA512

    61eb326732efdc2ac4f417ee38153872d9a7afe21b8768f18262cc37ad48018d5d730dfd3c5db84d5b500513bc2e0f9b96c065eb7967adb74c0753c3ee4e42f8

  • SSDEEP

    6144:4loZM+rIkd8g+EtXHkv/iD4RwFBJNbYMTnqL9Y0hZ67qb8e1m2iiV8vpFNEvt:moZtL+EP8RwFBJNbYMTnqL9Y0hZgWMiS

Score
10/10

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Celestial.exe
    "C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:312
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/312-0-0x0000028A62DE0000-0x0000028A62E28000-memory.dmp

    Filesize

    288KB

  • memory/312-2-0x0000028A7D3A0000-0x0000028A7D3B0000-memory.dmp

    Filesize

    64KB

  • memory/312-1-0x00007FFB779E0000-0x00007FFB783CC000-memory.dmp

    Filesize

    9.9MB

  • memory/312-4-0x00007FFB779E0000-0x00007FFB783CC000-memory.dmp

    Filesize

    9.9MB